From owner-freebsd-ipfw  Thu Jan 30 10:32:27 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5B31037B401
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 30 Jan 2003 10:32:26 -0800 (PST)
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18])
	by mx1.FreeBSD.org (Postfix) with SMTP id B14D343E4A
	for <freebsd-ipfw@FreeBSD.ORG>; Thu, 30 Jan 2003 10:32:25 -0800 (PST)
	(envelope-from kudzu@tenebras.com)
Received: (qmail 1210 invoked from network); 30 Jan 2003 18:32:24 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241)
  by 0 with SMTP; 30 Jan 2003 18:32:24 -0000
Message-ID: <3E396FB5.90406@tenebras.com>
Date: Thu, 30 Jan 2003 10:32:21 -0800
From: Michael Sierchio <kudzu@tenebras.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.2b) Gecko/20021016
X-Accept-Language: en-us, en, fr-fr, ru
MIME-Version: 1.0
To: barbish@a1poweruser.com
Cc: Nick Rogness <nick@rogness.net>,
	"Simon L. Nielsen" <simon@nitro.dk>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?
References: <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

JoeB wrote:

>
> S again I state  that the documentation for keep-state rules using
> IPFW/NATD do not contain the information to create an fully enabled
> keep-state firewall using the IPFW/NATD function.

There are subtleties in integrating natd and stateful ipfirewall rules,
and these aren't covered in the examples.  It's fairly easy to see
where the difficulty is, though, if you understand how the stateful
rules work -- they are looking for SYN/ACK and ACK packets that match
the parent rule, so take care when rewriting addresses so you get
matching packets!

It may be that you need to use skipto rules to separate inbound and outbound
packets.

Also note:  it is documented but frequently forgotten that nat'd packets,
or any packets passed via DIVERT, lose information -- such as which
interface the packet was received on.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message