From: OpenMacNews
To: freebsd-ipfw
Date: Wed, 02 Jun 2004 22:51:44 -0700
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <889522B08C907A6E653E1D2B@[172.30.11.6]>
In-Reply-To: <030301c4492d$89962150$2508473e@sad.syncrontech.com>
List-Id: IPFW Technical Discussions

hi!

>> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use
>> stateful rules?
>
> I'm running at least two machines with both natd and some stateful rules
> (for udp traffic)
> Works ok.
>
> The way I did is to have two rules, for example:
>
> check-state
> allow udp from internal_network/24 to any 53 keep-state
> allow udp from public-ip-address to any 53 keep-state

ok. this is the "dual rules" approach that I'd read about.

is it IPFW that's "managing" state, then, or NATd, or both?
i.e., check-state checks WHICH tables?

> I *don't* have a rule for my internal interface which passes all traffic
> (ie. 'pass ip from any to any via internal-interface-name'
> which seems to be common setup, I use the 'via' keyword of ipfw
> only on anti-spoofing rules at beginning of my ruleset, all other
> rules are then based on ip-addresses only).
>
> The setup above creates two dynamic rules when packets are
> going thru. One matches the packet before nat and one after.

in your example, how have you set up your NAT divert statement? are you using
any "fwd" statements in conjunction?

i'm asking in relation to my _other_ post:

thanks for your reply!

richard
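An added example ruleset, not code from either poster, that lays out the "dual rules" approach quoted above together with the natd divert rule whose placement the reply asks about. It assumes the interface names (fxp0 external, fxp1 internal), the public address 192.0.2.1 and the internal network 10.0.0.0/24; all of these are placeholders. The script prints the rules in evaluation order rather than loading them, so the ordering can be reviewed before it touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw ruleset for a natd router using
# the dual-rule stateful layout. Interface names and addresses are assumed.

oif="fxp0"            # assumed external interface; natd listens on this one
iif="fxp1"            # assumed internal interface
pubip="192.0.2.1"     # assumed public address (RFC 5737 documentation range)
inet="10.0.0.0/24"    # assumed internal network

# gen_ruleset prints the rules in the order ipfw evaluates them.
# A LAN packet crosses ipfw twice: arriving on $iif it still carries its
# internal source, the divert rule does not apply (wrong interface), and
# rule 1000 matches and creates a dynamic entry for the pre-NAT addresses.
# Leaving on $oif it hits the divert, natd rewrites the source to $pubip,
# and the reinjected packet is matched by rule 1010, which creates the
# second dynamic entry for the post-NAT addresses. That is why two dynamic
# rules appear per flow; ipfw, not natd, owns both of them.
gen_ruleset() {
    # anti-spoofing: the only rules that use 'via'
    echo "add 100 deny ip from $inet to any in via $oif"
    echo "add 110 deny ip from $pubip to any in via $oif"
    echo "add 200 allow ip from any to any via lo0"
    # NAT on the external interface, before any stateful rule, so that
    # check-state sees the addresses a packet will actually carry
    echo "add 300 divert natd ip from any to any via $oif"
    # consult the dynamic rule table before the static rules
    echo "add 400 check-state"
    # dual rules: pre-NAT (internal) address and post-NAT (public) address
    echo "add 1000 allow udp from $inet to any 53 keep-state"
    echo "add 1010 allow udp from $pubip to any 53 keep-state"
    # nothing else is allowed through this router
    echo "add 65000 deny ip from any to any"
}

# line_of prints the 1-based line number of the first rule matching $1.
line_of() {
    gen_ruleset | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# natd_before_state returns 0 when the divert rule precedes check-state and
# both keep-state rules, the ordering the dual-rule layout depends on.
natd_before_state() {
    d=$(line_of 'divert natd')
    c=$(line_of 'check-state')
    k1=$(line_of "from $inet to any 53 keep-state")
    k2=$(line_of "from $pubip to any 53 keep-state")
    [ "$d" -lt "$c" ] && [ "$c" -lt "$k1" ] && [ "$k1" -lt "$k2" ]
}

# keep_state_count prints how many static rules create dynamic state.
keep_state_count() {
    gen_ruleset | grep -c 'keep-state'
}

# Print the ruleset for review.
gen_ruleset
```

To load it on the router, write the output to a file and feed it to ipfw after clearing the old rules, for example `gen_ruleset > /etc/ipfw.rules; ipfw -f flush; ipfw -q /etc/ipfw.rules`. The `via` keyword appears only in the anti-spoofing, loopback and divert rules, matching the quoted setup where every other rule is written in terms of addresses alone.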