Subject: Re: Need help with IPF
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Arto Huusko <arto.huusko@maailma.yok.utu.fi>
List: netbsd-help
Date: 03/08/2001 14:07:56
On 07-Mar-01, Manuel wrote:

>> Now, the above set up doesn't work for some reason. With the above,
>> everything works from the external (ne3) interface as supposed.
>> I can connect to SSH port on 10.0.0.2 and to nothing else anywhere.
>> And traffic to the internet from the firewall and boxes behind it
>> works just fine. But I can't use SSH on the firewall from inside.
>> Note the line below "!MARK!". Clearly that should override
>> the two lines above (because of keep state). But it doesn't. Setting
> 
> And what happens if you put this line before the 2 lines above?

I don't have the computer any more so I can't test (the internal
protection wasn't that critical, and anyway the box is now in
operation and working correctly... except that the above problem
still remains).

But I remember that I started with such a configuration, where the
pass in rules were in front of the block in rules. The effect
was, if I remember correctly, the same. Only the SYN flag got in,
nothing else did. I may not remember correctly, but in any
case even that configuration didn't work as (I) expected.

-- 
Arto Huusko  --  WWW: http://maailma.yok.utu.fi/
                  ** Divecalc **
The Diving Software @ http://maailma.yok.utu.fi/Divecalc
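The thread turns on how IPF orders its rules: without `quick` the last matching rule decides, a matching `quick` rule ends evaluation at once, and a winning `pass ... keep state` rule admits the rest of the flow (both directions) from the state table. The toy evaluator below, added here as an illustration and not code from this thread or from IPF, models exactly those three behaviours and runs a three-packet SSH handshake from an inside host to the firewall through the same pass-with-keep-state rule placed first, last, or first-with-quick. The interface name `ne0`, the addresses and the two block rules are constructed for the example; the poster's actual ruleset is not on the page.

```python
"""Toy model of IPFilter (IPF) rule evaluation, added as an illustration.
It is not code from this thread or from IPF itself; it models three IPF
behaviours that decide whether an SSH session from the inside reaches the
firewall:
  * without `quick`, the LAST matching rule wins;
  * a matching `quick` rule ends evaluation immediately;
  * a winning `pass ... keep state` rule records the flow, and later
    packets of that flow (including the reply direction) are passed from
    the state table before the rules are consulted.
Interface name, addresses and the ruleset below are constructed for the
example, not taken from the original posting.
"""
from dataclasses import dataclass
from typing import List, Optional

IFACE = "ne0"            # assumed internal interface (ne3 is the external one in the thread)
FW = "192.168.1.1"       # constructed: firewall's internal address
CLIENT = "192.168.1.10"  # constructed: inside host running the ssh client


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", as seen by the firewall
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str
    iface: str
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    keep_state: bool = False

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.iface == p.iface
                and self.proto in (None, p.proto)
                and self.dst in (None, p.dst)
                and self.dport in (None, p.dport))


class Filter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state = set()   # flows admitted by a keep-state rule

    @staticmethod
    def flow(p: Packet):
        # Unordered endpoint pair, so the reply maps onto the same entry.
        return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))

    def check(self, p: Packet) -> str:
        key = self.flow(p)
        if key in self.state:
            return "pass (state)"
        winner = None
        for rule in self.rules:
            if rule.matches(p):
                winner = rule          # last match wins ...
                if rule.quick:
                    break              # ... unless the rule says quick
        if winner is None:
            return "pass"              # IPF's default when nothing matches
        if winner.action == "pass" and winner.keep_state:
            self.state.add(key)
        return winner.action


def ruleset(placement: str) -> List[Rule]:
    """placement: "first" (pass rule ahead of the blocks, no quick),
    "last" (pass rule after the blocks) or "quick" (ahead, with quick)."""
    ssh = Rule("pass", "in", IFACE, proto="tcp", dst=FW, dport=22,
               quick=(placement == "quick"), keep_state=True)
    blocks = [Rule("block", "in", IFACE, proto="tcp"),
              Rule("block", "out", IFACE, proto="tcp")]
    return blocks + [ssh] if placement == "last" else [ssh] + blocks


def ssh_handshake(placement: str) -> List[str]:
    """Verdicts for the three packets of a TCP handshake to the firewall's sshd."""
    fw = Filter(ruleset(placement))
    syn = Packet("in", IFACE, "tcp", CLIENT, 40000, FW, 22)
    synack = Packet("out", IFACE, "tcp", FW, 22, CLIENT, 40000)
    ack = Packet("in", IFACE, "tcp", CLIENT, 40000, FW, 22)
    return [fw.check(syn), fw.check(synack), fw.check(ack)]


if __name__ == "__main__":
    for placement in ("first", "last", "quick"):
        print(f"{placement:6s} {ssh_handshake(placement)}")
```

In this model the pass rule only wins when it is evaluated last or carries `quick`; placed first without `quick`, the later block rule is the last match and even the SYN is dropped. When the pass rule does win, the state entry it creates is what lets the SYN/ACK leave on the internal interface despite the `block out` rule, which is why a missing or non-winning `keep state` shows up as a half-open handshake rather than as a clean block. The real ruleset from the thread is not reproduced here, so the model explains the semantics to check, not the poster's specific result.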