From owner-freebsd-ipfw@FreeBSD.ORG Wed Jun 2 22:42:24 2004
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "OpenMacNews", "freebsd-ipfw" <freebsd-ipfw@freebsd.org>
Date: Thu, 3 Jun 2004 08:42:17 +0300
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <030301c4492d$89962150$2508473e@sad.syncrontech.com>
List-Id: IPFW Technical Discussions

Hi,

> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use stateful rules?

I'm running at least two machines with both natd and some stateful rules (for UDP traffic). Works OK. The way I did it is to have two rules, for example:

    check-state
    allow udp from internal_network/24 to any 53 keep-state
    allow udp from public-ip-address to any 53 keep-state

I *don't* have a rule for my internal interface which passes all traffic (i.e. 'pass ip from any to any via internal-interface-name', which seems to be a common setup). I use the 'via' keyword of ipfw only on anti-spoofing rules at the beginning of my ruleset; all other rules are then based on IP addresses only.

The setup above creates two dynamic rules when packets are going through. One matches the packet before NAT and one after.

Ari S.
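As an added example (not Ari's own ruleset, which the post only sketches), here is a complete ipfw script that follows the pattern above: 'via' only on anti-spoofing rules, a divert to natd on the external interface, and one keep-state rule for each side of the translation. The interface names, addresses and rule numbers are placeholders. The one detail the post leaves implicit is rule ordering: the divert rule is placed before check-state, because a forwarded packet traverses the ruleset twice (in on the internal interface, out on the external one), and if check-state came first the second pass would match the dynamic rule created on the first pass and be accepted without ever reaching natd. With the divert first, the second pass sees the translated source address, which is why the second keep-state rule (public address as source) is needed and why two dynamic rules appear in 'ipfw -d show'.

```shell
#!/bin/sh
# Added example: minimal ipfw + natd ruleset keeping UDP/53 state on both
# sides of the translation. Names and addresses below are placeholders.
ext_if="${EXT_IF:-fxp0}"
int_if="${INT_IF:-fxp1}"
int_net="${INT_NET:-192.168.1.0/24}"
pub_ip="${PUB_IP:-203.0.113.10}"

# FWCMD=ipfw applies the rules on a FreeBSD host; the default only prints
# them, so the script can be reviewed (or tested) without touching a firewall.
fwcmd="${FWCMD:-echo ipfw}"

build_ruleset() {
    $fwcmd -f flush

    # Loopback is always allowed.
    $fwcmd add 50 allow ip from any to any via lo0

    # Anti-spoofing: the only rules that use 'via', as in the post.
    $fwcmd add 100 deny ip from $int_net to any in via $ext_if
    $fwcmd add 110 deny ip from not $int_net to any in via $int_if

    # Address translation comes BEFORE check-state. natd re-injects the
    # packet at the next rule, so the outbound pass reaches check-state
    # with the public source address already in place.
    $fwcmd add 200 divert natd ip from any to any via $ext_if

    # Packets belonging to an existing dynamic rule are accepted here.
    $fwcmd add 300 check-state

    # Pass 1 (in on $int_if): source is still the private address.
    $fwcmd add 400 allow udp from $int_net to any 53 keep-state
    # Pass 2 (out on $ext_if, after natd): source is now the public address.
    $fwcmd add 410 allow udp from $pub_ip to any 53 keep-state

    # Everything else is dropped.
    $fwcmd add 65000 deny ip from any to any
}

build_ruleset
```

Running the script as-is prints the rule list for inspection; FWCMD=ipfw EXT_IF=... INT_IF=... PUB_IP=... applies it. Walking one DNS query through it: on the inbound pass rule 400 matches and creates the first dynamic rule; on the outbound pass rule 200 hands the packet to natd, check-state finds no match for the rewritten source, and rule 410 creates the second dynamic rule. The reply arriving on the external interface is translated by rule 200 back to the private destination and is then accepted by check-state against the first dynamic rule on both of its passes.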