Date:      Wed, 02 Jun 2004 22:51:44 -0700
From:      OpenMacNews <freebsd-ipfw.20.openmacews@spamgourmet.com>
To:        freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <889522B08C907A6E653E1D2B@[172.30.11.6]>
In-Reply-To: <030301c4492d$89962150$2508473e@sad.syncrontech.com>
References:  <DAC6B2F195AD44196B3A03F5@[172.30.11.6]> <030301c4492d$89962150$2508473e@sad.syncrontech.com>

hi!

>> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use
>> stateful rules?
>
>     I'm running at least two machines with both natd and some stateful rules
> (for udp traffic)
>     Works ok.
>
>     The way I did is to have two rules, for example:
>
>     check-state
>     allow udp from internal_network/24 to any 53 keep-state
>     allow udp from public-ip-address to any 53 keep-state

ok. this is the "dual rules" approach that I'd read about.

is it IPFW that's "managing" state, then, or NATd, or both?  i.e., check-state checks WHICH tables?

>     I *don't* have a rule for my internal interface which passes all traffic
>     (ie. 'pass ip from any to any via internal-interface-name'
>     which seems to be common setup, I use the 'via' keyword of ipfw
>     only on anti-spoofing rules at beginning of my ruleset, all other
>     rules are then based on ip-addresses only).
>
>     The setup above creates two dynamic rules when packets are
>     going thru. One matches the packet before nat and one after.

in your example, how have you set up your NAT divert statement?  are you using any "fwd" statements in conjunction?  i'm asking in relation to my _other_ post:

        <http://lists.freebsd.org/pipermail/freebsd-ipfw/2004-June/001152.html>

thanks for your reply!

richard
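As an added example (not code from either poster), here is one complete ipfw ruleset laid out the way the quoted reply describes: 'via' only in the anti-spoofing rules, the two keep-state rules for DNS (internal source before NAT, public source after), and a natd divert on the external interface placed ahead of check-state so that return packets are translated back before the dynamic table is consulted. Interface names and addresses are placeholders, and IPFW defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example of the "dual rules" ipfw + natd layout discussed above.
# Interface names and addresses are assumptions; replace them for real use.
EXT_IF="fxp0"                 # assumed external (NATed) interface
INT_IF="fxp1"                 # assumed internal interface
INT_NET="192.168.1.0/24"      # assumed internal network (pre-NAT source)
PUB_IP="203.0.113.5"          # assumed public address natd rewrites to
IPFW="${IPFW:-echo ipfw}"     # dry run by default; run with IPFW=ipfw to apply

rule() { $IPFW add "$@"; }

build_ruleset() {
    # Anti-spoofing: the only rules that use 'via', as in the reply.
    # Drop internal addresses arriving from outside, and non-internal
    # addresses arriving on the inside interface.
    rule 100 deny ip from "$INT_NET" to any in via "$EXT_IF"
    rule 110 deny ip from not "$INT_NET" to any in via "$INT_IF"

    # NAT: every packet crossing the external interface goes to natd.
    # This sits before check-state so a reply to the public address is
    # rewritten to the internal host before the dynamic rules are checked,
    # instead of being allowed by a dynamic rule and skipping translation.
    rule 200 divert natd ip from any to any via "$EXT_IF"

    # Consult the dynamic rule table created by the keep-state rules.
    rule 300 check-state

    # Outbound DNS, matched once on the inside (internal source, pre-NAT)...
    rule 400 allow udp from "$INT_NET" to any 53 keep-state
    # ...and once on the outside (public source, post-NAT): two dynamic rules.
    rule 410 allow udp from "$PUB_IP" to any 53 keep-state

    # Everything else is denied.
    rule 65000 deny ip from any to any
}

build_ruleset
```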
