Date:      Mon, 6 Aug 2001 08:20:01 -0700 (PDT)
From:      "David Hedley" <david@inty.net>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: kern/29294: IPFW dynamic rules and NATD interaction has logical design flaw
Message-ID:  <200108061520.f76FK1R42196@freefall.freebsd.org>

The following reply was made to PR kern/29294; it has been noted by GNATS.

From: "David Hedley" <david@inty.net>
To: <freebsd-gnats-submit@FreeBSD.org>, <mikescott@clara.net>
Cc:  
Subject: Re: kern/29294: IPFW dynamic rules and NATD interaction has logical design flaw
Date: Mon, 6 Aug 2001 16:14:36 +0100

 For this to work, you need to split your firewall rules between incoming and
 outgoing packets and divert them to natd at different times.
 
 i.e.
 
 add 1 skipto 30000 ip from any to any out
 # All packets at this point are now inbound
 # Map incoming external IPs to internal
 add 100 divert natd ip from any to any via tun0
 # Allow any packets that are part of an ongoing connection
 add 200 check-state
 add 300 deny log ip from any to any
 
 # Outgoing packets are processed here
 # Add in dynamic rule using non-NAT addresses
 add 30000 skipto 30100 ip from any to any via tun0 keep-state
 # Do NAT
 add 30100 divert natd ip from any to any via tun0
 add 30200 allow ip from any to any
 
 From this, both keep-state and check-state will work on internal (i.e.
 before-NAT) addresses.
 
 Hope this helps,
 
 David
 --
 Dr David Hedley, R&D Director,
 Intelligent Network Technology Ltd, Bristol, UK
 http://www.inty.net/
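Added illustration, not part of the message above and not FreeBSD's ipfw or natd code: a toy Python model of ipfw rule evaluation with a natd divert, run once over the split ruleset David posts (SPLIT) and once over a constructed contrast ruleset (NAIVE) that diverts to natd before the keep-state rule fires on the way out. The addresses, ports and the port-keyed alias table are constructed for the example; real natd allocates alias ports and handles far more protocol detail. The model follows ipfw's documented behaviour that a check-state hit executes the action of the rule that created the dynamic rule.

```python
"""Toy model of ipfw rule evaluation with a natd divert, to show why dynamic
rules must be created and checked on the same side of the NAT.  Added
illustration, not FreeBSD's ipfw or natd code; addresses are constructed."""
from dataclasses import dataclass, field, replace

INTERNAL = "192.168.1.10"    # constructed: host behind the NAT
ALIAS = "203.0.113.5"        # constructed: natd alias address on tun0
REMOTE = "198.51.100.7"      # constructed: server on the Internet


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str      # "in" or "out"
    iface: str          # interface the packet is on, e.g. "tun0"


@dataclass
class Natd:
    """Minimal natd: outbound src -> alias, inbound dst -> recorded internal host."""
    alias: str
    table: dict = field(default_factory=dict)   # alias port -> (internal ip, port)

    def translate(self, p):
        if p.direction == "out" and p.src != self.alias:
            self.table[p.sport] = (p.src, p.sport)  # toy: keep the source port
            return replace(p, src=self.alias)
        if p.direction == "in" and p.dst == self.alias and p.dport in self.table:
            ip, port = self.table[p.dport]
            return replace(p, dst=ip, dport=port)
        return p                                    # no mapping: pass through unchanged


def endpoints(p):
    """Direction-independent flow key, so a reply matches the dynamic rule."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class Firewall:
    """Rules are (number, action, match).  action is ("allow",), ("deny",),
    ("divert",), ("check-state",) or ("skipto", n); match holds the optional
    keys direction, via and keep_state, mirroring the ipfw options."""

    def __init__(self, rules, natd):
        self.rules = sorted(rules)
        self.natd = natd
        self.dynamic = {}           # flow key -> action of the rule that created it

    def matches(self, p, m):
        return (m.get("direction") in (None, p.direction)
                and m.get("via") in (None, p.iface))

    def evaluate(self, p):
        i = 0
        while i < len(self.rules):
            num, action, m = self.rules[i]
            if action[0] == "check-state":
                parent = self.dynamic.get(endpoints(p))
                if parent is None:
                    i += 1
                    continue
                action = parent     # ipfw runs the action of the creating rule
            elif not self.matches(p, m):
                i += 1
                continue
            elif m.get("keep_state"):
                self.dynamic[endpoints(p)] = action   # state uses the addresses as seen here
            if action[0] == "skipto":
                i = next((k for k, r in enumerate(self.rules) if r[0] >= action[1]),
                         len(self.rules))
            elif action[0] == "divert":
                p = self.natd.translate(p)            # continue with the rewritten packet
                i += 1
            else:
                return action[0]
        return "deny"               # ipfw default policy


def run_session(rules):
    """Open a connection from INTERNAL to REMOTE, feed the reply, then an
    unsolicited probe; return the three verdicts in that order."""
    fw = Firewall(rules, Natd(ALIAS))
    syn = Packet(INTERNAL, 40000, REMOTE, 80, "out", "tun0")
    reply = Packet(REMOTE, 80, ALIAS, 40000, "in", "tun0")
    probe = Packet(REMOTE, 4444, ALIAS, 22, "in", "tun0")
    return tuple(fw.evaluate(p) for p in (syn, reply, probe))


# Constructed contrast: NAT runs before keep-state on the way out, so the dynamic
# rule records the alias address and the de-NATed reply never hits check-state.
NAIVE = [
    (100, ("divert",), {"via": "tun0"}),
    (200, ("check-state",), {}),
    (300, ("allow",), {"direction": "out", "via": "tun0", "keep_state": True}),
    (400, ("deny",), {}),
]

# The split ruleset from the message: outbound traffic jumps past the inbound
# divert, creates state on pre-NAT addresses, and only then gets translated.
SPLIT = [
    (1, ("skipto", 30000), {"direction": "out"}),
    (100, ("divert",), {"via": "tun0"}),
    (200, ("check-state",), {}),
    (300, ("deny",), {}),
    (30000, ("skipto", 30100), {"via": "tun0", "keep_state": True}),
    (30100, ("divert",), {"via": "tun0"}),
    (30200, ("allow",), {}),
]

if __name__ == "__main__":
    print("naive:", run_session(NAIVE))   # ('allow', 'deny', 'deny')
    print("split:", run_session(SPLIT))   # ('allow', 'allow', 'deny')
```

With the split ruleset the reply is translated back to the internal address at rule 100 and then matches the dynamic rule that rule 30000 created on the same internal address; the check-state hit runs the creating rule's skipto 30100, so the already-translated reply passes through the second divert unchanged and is allowed at 30200. The unsolicited probe is denied in both rulesets, which is the only case the contrast ruleset gets right.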
 

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200108061520.f76FK1R42196>