Date: Thu, 23 Jun 2011 14:05:46 +0200
From: umage <theultramage@gmail.com>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0
Message-ID: <4E032C1A.9000707@gmail.com>
In-Reply-To: <20110623205741.K34951@sola.nimnet.asn.au>
References: <20110621223335.2C145106579B@hub.freebsd.org> <20110623205741.K34951@sola.nimnet.asn.au>
Some points:

1) I did use the handbook as reference, and my ruleset mimics the layout used there.
2) Handbook uses divert natd, which I used until I switched to the kernel nat approach.
3) I did not find any concrete examples of ipfw nat rule usage, so I'm using them the old natd way.

I did some more experiments, and noticed that for example, an inbound connection can still communicate both ways after the initial state table rule expires (20 seconds for some reason). If they communicate while the state entry is alive, the timeout resets, but it seems like it doesn't matter at all. This leads me to believe that 'ipfw nat' keeps an internal state table, which cannot be viewed, but is checked when doing check-state. Or something... which I have no way of knowing.

Here's a pruned version of the ruleset I used. Rule 600 is the one that adds that remote <--> local state table entry that messes everything up. If I omit keep-state on it, then traffic from the local side will be the one creating the states when replying, with a 5-second timeout.

--------------------
$fw add 100 allow all from any to any via $lan_if
$fw nat 1 config if $wan_if redirect_port 192.168.0.55:12345 12345
$fw add 200 nat 1 ip4 from any to any in via $wan_if
$fw add 300 check-state
$fw add 400 skipto 800 ip4 from any to any out via $wan_if keep-state
$fw add 500 allow all from any to any out keep-state
$fw add 600 allow all from any to any dst-port 12345 in keep-state
$fw add 700 deny all from any to any in
$fw add 800 nat 1 ip4 from any to any out
$fw add 900 allow all from any to any
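As an added illustration (not part of the message above and not ipfw's own code), a toy Python model of the rule walk for the quoted ruleset, showing why the inbound packet reaches rule 600 and creates the remote <--> local state entry when one_pass=0, while one_pass=1 would accept it at rule 200 and create no state. The interface names, the remote and WAN addresses, and the default deny at the end of the list are assumptions; the model implements only the match fields this ruleset uses.

```python
# Constructed toy model of ipfw's rule walk for the ruleset quoted above (not ipfw's own code).
LAN_IF, WAN_IF = "lan0", "wan0"      # assumed placeholder interface names
REDIRECT = {12345: "192.168.0.55"}   # nat 1 ... redirect_port 192.168.0.55:12345 12345
RULES = [  # (number, action, argument, match fields, keep-state)
    (100, "allow", None, {"iface": LAN_IF}, False),
    (200, "nat", 1, {"dir": "in", "iface": WAN_IF}, False),
    (300, "check-state", None, {}, False),
    (400, "skipto", 800, {"dir": "out", "iface": WAN_IF}, True),
    (500, "allow", None, {"dir": "out"}, True),
    (600, "allow", None, {"dir": "in", "dport": 12345}, True),
    (700, "deny", None, {"dir": "in"}, False),
    (800, "nat", 1, {"dir": "out"}, False),
    (900, "allow", None, {}, False),
]
def flow(p, reverse=False):
    k = (p["src"], p["sport"], p["dst"], p["dport"])
    return k[2:] + k[:2] if reverse else k

def walk(pkt, states, one_pass):
    """Return (verdict, deciding rule, rules visited). states: flow key -> parent rule."""
    pkt, trace, i = dict(pkt), [], 0
    while i < len(RULES):
        num, action, arg, match, keep = RULES[i]
        i += 1
        if action == "check-state":
            trace.append(num)
            if flow(pkt) not in states:
                continue
            num, action, arg, keep = states[flow(pkt)]   # dynamic rule: parent's action applies
        elif not all(pkt.get(k) == v for k, v in match.items()):
            continue
        else:
            trace.append(num)
        if keep:   # keep-state: record both directions, pointing back at this rule
            states[flow(pkt)] = states[flow(pkt, reverse=True)] = (num, action, arg, False)
        if action in ("allow", "deny"):
            return action, num, trace
        if action == "skipto":
            i = next(j for j, r in enumerate(RULES) if r[0] >= arg)
        elif action == "nat":
            if pkt["dir"] == "in" and pkt["dport"] in REDIRECT:
                pkt["dst"] = REDIRECT[pkt["dport"]]  # redirect_port rewrites the destination
            if one_pass:                             # one_pass=1: accepted right after nat
                return "allow", num, trace
    return "deny", None, trace                       # end of list: assumed default deny

def inbound_probe(one_pass):
    # Constructed packet: remote host -> assumed WAN address, port 12345, arriving on the WAN side.
    states = {}
    pkt = {"src": "203.0.113.7", "sport": 40000, "dst": "198.51.100.1", "dport": 12345, "dir": "in", "iface": WAN_IF}
    return walk(pkt, states, one_pass) + (sorted(states),)
```

With one_pass=0 the probe is decided by rule 600 after visiting 200 and 300, and the state table holds the translated remote <--> 192.168.0.55 flow; with one_pass=1 it is accepted at rule 200 and no dynamic entry exists.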