From owner-freebsd-hackers Sat Jul 28 7:14:12 2001
Date: Sat, 28 Jul 2001 09:14:06 -0500
From: "Richard Seaman, Jr." <dick@seaman.org>
To: hackers@freebsd.org
Subject: Re: natd passes inconsistent addresses to ipfw?
Message-ID: <20010728091406.C1119@seaman.org>
User-Agent: Mutt/1.2.5i

Whoops. Meant to cc this to the list too.

-- 
Richard Seaman, Jr.      email: dick@seaman.org
5182 N. Maple Lane       phone: 262-367-5450
Nashotah WI 53058        fax:   262-367-5852

----- Forwarded message from "Richard Seaman, Jr." <dick@seaman.org> -----

Date: Sat, 28 Jul 2001 09:09:33 -0500
From: "Richard Seaman, Jr." <dick@seaman.org>
To: mikescott@clara.net
Subject: Re: natd passes inconsistent addresses to ipfw?
Message-ID: <20010728090933.B1119@seaman.org>
In-Reply-To: <3B62ADB5.17372.60982A6@localhost>

On Sat, Jul 28, 2001 at 12:19:01PM +0100, mikescott@clara.net wrote:
> I'm worried about the logic of the problem -- it seems to me that
> there's no way that nat and the dynamic rules can work together
> correctly, given that both incoming and outgoing packets start at
> the top and work down the same list of rules. The keep-state and
> check-state surely have to be on the same side of the nat,
> because they have to work together *either* on local *or* external
> addresses, not a mixture. But if they're after the nat (as for all
> written examples I've seen), then for incoming packets they operate
> on local addresses, and for outgoing on external addresses, which
> is not what's wanted. If they're before the nat, we never reach the
> nat.
>
> Am I totally at sea here with my understanding of what's going on?
> Does anyone on the list have a working example which they could
> offer, please, and set my mind at rest?

I haven't looked at your specific ruleset, but I too concluded it
wasn't possible to get dynamic rules (keep-state) working properly
with nat. But, I also managed to convince myself that the nat engine
itself is, in effect, a dynamic ruleset, so I decided I didn't care
about dynamic rules with nat.

This was a while ago, and I don't remember my analysis all that
well. If you come to a different conclusion after looking at how
the nat engine works, let me know and I'll try to reconstruct my
logic.

-- 
Richard Seaman, Jr.      email: dick@seaman.org
5182 N. Maple Lane       phone: 262-367-5450
Nashotah WI 53058        fax:   262-367-5852

----- End forwarded message -----
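An added illustration, not part of the thread: a toy Python model of ipfw's top-down rule walk that reproduces the ordering problem Mike describes (keep-state records the post-NAT external address on the way out, check-state sees the de-NATed local address on the way in, so the reply never matches) and a common skipto arrangement that puts the inbound divert first and the outbound keep-state before its own divert, so both dynamic rules see local addresses. Rule numbers, addresses and the simplified rule tuples are constructed; real keep-state also keys on protocol and ports.

```python
# Toy model of ipfw's top-down rule walk with a natd divert and dynamic rules.
# Addresses are constructed; ports/protocol ignored, so state is keyed on (src, dst).
LOCAL, EXT, REMOTE = "192.168.10.12", "168.215.64.186", "203.0.113.5"

def natd(pkt):
    """The divert socket: outbound src LOCAL->EXT, inbound dst EXT->LOCAL."""
    p = dict(pkt)
    if p["dir"] == "out" and p["src"] == LOCAL:
        p["src"] = EXT
    elif p["dir"] == "in" and p["dst"] == EXT:
        p["dst"] = LOCAL
    return p

def ipfw(rules, pkt, state):
    """Walk rules in number order and return the verdict; `state` is the
    dynamic-rule table holding the addresses keep-state saw."""
    nums, i = sorted(rules), 0
    while i < len(nums):
        action, *args = rules[nums[i]]
        if action == "divert" and pkt["dir"] in args:
            pkt = natd(pkt)
        elif action == "check-state":
            if (pkt["src"], pkt["dst"]) in state or (pkt["dst"], pkt["src"]) in state:
                return "allow (dynamic)"
        elif action == "keep-state" and pkt["dir"] == args[0]:
            state.add((pkt["src"], pkt["dst"]))
            if args[1] == "allow":
                return "allow"
            i = nums.index(args[1])  # skipto: resume at the target rule
            continue
        elif action == "allow":
            return "allow"
        elif action == "deny":
            return "deny"
        i += 1
    return "deny"

# Ordering in most published examples: one divert ahead of the dynamic rules.
NAIVE = {100: ("divert", "in", "out"), 200: ("check-state",),
         300: ("keep-state", "out", "allow"), 400: ("deny",)}
# Inbound divert first, outbound keep-state *before* its divert via skipto,
# so both dynamic rules see the LOCAL address.
SKIPTO = {100: ("divert", "in"), 200: ("check-state",),
          300: ("keep-state", "out", 1000), 400: ("deny",),
          1000: ("divert", "out"), 1010: ("allow",)}

def session(rules):
    # Outbound packet from LOCAL, then the reply from REMOTE to the public address.
    state = set()
    out = {"dir": "out", "src": LOCAL, "dst": REMOTE}
    reply = {"dir": "in", "src": REMOTE, "dst": EXT}
    return ipfw(rules, out, state), ipfw(rules, reply, state)
```

With the naive ordering the reply is denied because the state entry holds the external address; with the skipto ordering both packets are keyed on the local address and the reply matches check-state.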