Is this a hole in my firewall?
Ruben de Groot
mail25 at bzerk.org
Mon Nov 29 03:29:46 PST 2004
On Sun, Nov 28, 2004 at 02:27:41PM +0200, Giorgos Keramidas typed:
> On 2004-11-28 04:48, Jonathon McKitrick <jcm at FreeBSD-uk.eu.org> wrote:
> > On Sun, Nov 28, 2004 at 03:31:35AM +0200, Giorgos Keramidas wrote:
> > : AFAIK, rule 00300 will never be hit by packets going out tun0 as long as
> > : you also have rule 00200 in there.
> >
> > Hmmm.... here's a run after having the laptop running for a bit. I don't
> > see why 200 doesn't cover the case either.
> >
> > root at neptune:~# ipfw show
> > 00100 0 0 check-state
> > 00200 6709 1277079 allow ip from me to any keep-state out xmit tun0
> > 00300 2093 645797 allow ip from any to any keep-state out xmit tun0
>
> Oops! That doesn't look good, unless I'm missing something about the
> way 'me' works.
He's using ppp-nat. So packets from his laptop will first hit rule #300 and
only after that get "nat'ed". I believe this is normal behaviour.
Ruben
> It's probably a good idea to send what you have so far to the
> freebsd-ipfw people.
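As an added illustration, not code from the thread: a small Python model of ipfw first-match evaluation over the three rules quoted above. It shows Ruben's point that, with user-level ppp doing the NAT, ipfw sees an outbound packet on tun0 while it still carries the LAN client's private source address, so `me` (the firewall's own addresses) does not match and the packet is counted by rule 00300. The host names, addresses and flows below are constructed; `ip`, `out` and `keep-state` creation are not modelled beyond the check-state lookup.

```python
# Constructed model of ipfw first-match evaluation (not from the thread).
# Path on the NAT box "neptune": kernel -> ipfw (out xmit tun0) -> tun0 ->
# ppp -nat rewrites the source -> link.  So ipfw sees pre-NAT addresses.

# Addresses configured on neptune's own interfaces; these are what 'me' matches.
LOCAL_ADDRS = {"192.168.1.1", "10.0.0.5"}   # constructed: LAN side, tun0 side
LAN_CLIENT = "192.168.1.20"                  # constructed: the laptop behind the NAT

# The rules as shown in the thread: (number, src spec, dst spec, xmit iface).
RULES = [
    (100, "check-state", None, None),
    (200, "me", "any", "tun0"),
    (300, "any", "any", "tun0"),
]


class Packet:
    def __init__(self, src, dst, xmit_iface):
        self.src = src
        self.dst = dst
        self.xmit_iface = xmit_iface   # interface the packet is about to leave on


def addr_matches(spec, addr):
    """ipfw address specs used on this page: 'any', 'me', or a literal address."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in LOCAL_ADDRS
    return spec == addr


def first_matching_rule(pkt, dynamic_state=()):
    """Return the number of the first rule that matches pkt, or None.

    dynamic_state holds (src, dst) flows already created by keep-state;
    check-state (rule 100) only fires for packets belonging to one of them.
    """
    for num, src, dst, iface in RULES:
        if src == "check-state":
            if (pkt.src, pkt.dst) in dynamic_state:
                return num
            continue
        if iface != pkt.xmit_iface:
            continue
        if addr_matches(src, pkt.src) and addr_matches(dst, pkt.dst):
            return num
    return None


if __name__ == "__main__":
    own = Packet("10.0.0.5", "198.51.100.7", "tun0")   # neptune's own traffic
    lan = Packet(LAN_CLIENT, "198.51.100.7", "tun0")   # laptop's traffic, pre-NAT
    print("neptune itself ->", first_matching_rule(own))   # 200
    print("LAN client     ->", first_matching_rule(lan))   # 300
```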