Date: Wed, 25 Sep 2002 17:11:44 -0500
From: Eric Thornton <ewthorn2@unity.ncsu.edu>
To: freebsd-questions@freebsd.org
Subject: natd and dynamic rules
Message-ID: <200209252111.g8PLBiC14337@uni00mr.unity.ncsu.edu>
If someone could clear this up for me, it would be most appreciated.

Dual homed host, internal net is 192.168.0.0/24, external is DHCP.
I have the following lines in my ipfw rules.

${oif}=outside interface
${natdif}=natd interface (which is same as ${oif})

...
${fwcmd} add divert natd all from any to any via ${natdif}
...
${fwcmd} add check-state
${fwcmd} add deny log tcp from any to any in via ${oif} setup
${fwcmd} add deny tcp from any to any in via ${oif} established
${fwcmd} add pass tcp from any to any keep-state setup
${fwcmd} add pass tcp from any to any keep-state established
...
default deny

With this setup, are there two dynamic rules set for each packet? One for
when it passes through the inside interface and one for the outside
interface? ipfw -d list shows connections such as 192.168.0.2 <-> any ip.
It seems as though I have an unneeded keep-state (2) as well as redundant
keep-states. Can someone make any sense of my rambling?

{Packet leaving inside network for a random ip (anyip)}

192.168.0.2 > (anyip)
        |
        V
keepstate(1) 192.168.0.2 <-> (anyip)

{Packet then is sent out through outside interface with IP (outsideip)}

192.168.0.2 > (anyip)
        |
        V
Natd -> (outsideip) > (anyip)
        |
        V
keepstate(2) (outsideip) <-> (anyip)

{Then the packet coming back into my network through outside interface}

(anyip) > (outsideip)
        |
        V
Natd -> (anyip) > 192.168.0.2
        |
        V
check-state (1) met (anyip) <-> 192.168.0.2 and closed

{Through inside interface}

(anyip) > 192.168.0.2
        |
        V
keep-state (1) anyip <-> 192.168.0.2 refreshed (unneeded)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
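The four passes drawn in the message above, as an added example that is not part of the original post and not FreeBSD or ipfw code: a small Python model of the quoted ruleset that walks one TCP connection through the inside interface, the outside interface (where the divert rule hands it to natd), and back. It is a deliberately simplified model (one divert rule, a dynamic table keyed on the unordered address pair, no ports or timeouts); the interface names fxp0/fxp1 and every address other than 192.168.0.2 are constructed for illustration. Running it shows which dynamic entries get created on each pass and which of them a returning packet ever matches at check-state.

```python
# Added example (not from the original post, not FreeBSD code): toy model of
# the ipfw pass order for one TCP connection through the ruleset quoted above.
# ASSUMPTIONS: simplified ipfw semantics (one divert rule, a dynamic table
# keyed on the unordered address pair, no ports, no timeouts); interface names
# and all addresses except 192.168.0.2 are constructed for illustration.
from dataclasses import dataclass, field, replace

INSIDE_IF, OUTSIDE_IF = "fxp1", "fxp0"            # constructed interface names
OUTSIDE_IP = "203.0.113.5"                        # constructed DHCP-assigned address
INSIDE_HOST, REMOTE = "192.168.0.2", "198.51.100.7"  # REMOTE is constructed

# The ruleset from the message, in evaluation order. "flag" stands for the
# 'setup' / 'established' TCP-flag qualifiers.
RULES = [
    {"action": "divert", "via": OUTSIDE_IF},      # divert natd ... via ${natdif}
    {"action": "check-state"},
    {"action": "deny", "via": OUTSIDE_IF, "dir": "in", "flag": "setup"},
    {"action": "deny", "via": OUTSIDE_IF, "dir": "in", "flag": "established"},
    {"action": "pass", "flag": "setup", "keep_state": True},
    {"action": "pass", "flag": "established", "keep_state": True},
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str
    direction: str   # "in" or "out" relative to iface
    setup: bool      # True for a bare SYN ('setup'), False otherwise


@dataclass
class Firewall:
    rules: list
    dynamic: set = field(default_factory=set)    # frozenset({a, b}) entries
    hits: set = field(default_factory=set)       # entries matched by check-state
    nat_map: dict = field(default_factory=dict)  # remote addr -> inside host
    log: list = field(default_factory=list)

    def natd(self, pkt):
        """Model natd: rewrite outbound source to OUTSIDE_IP, inbound dest back."""
        if pkt.direction == "out" and pkt.src.startswith("192.168.0."):
            self.nat_map[pkt.dst] = pkt.src
            return replace(pkt, src=OUTSIDE_IP)
        if pkt.direction == "in" and pkt.dst == OUTSIDE_IP and pkt.src in self.nat_map:
            return replace(pkt, dst=self.nat_map[pkt.src])
        return pkt

    def evaluate(self, pkt):
        """One pass of a packet through the rule list; returns the verdict."""
        for rule in self.rules:
            act = rule["action"]
            if act == "divert":
                if rule["via"] == pkt.iface:
                    pkt = self.natd(pkt)  # translated packet re-enters at the next rule
                continue
            key = frozenset({pkt.src, pkt.dst})
            if act == "check-state":
                if key in self.dynamic:
                    self.hits.add(key)
                    self.log.append(f"check-state hit {pkt.src} <-> {pkt.dst}")
                    return "pass"
                continue
            if rule.get("via") and rule["via"] != pkt.iface:
                continue
            if rule.get("dir") and rule["dir"] != pkt.direction:
                continue
            flag = rule.get("flag")
            if flag == "setup" and not pkt.setup:
                continue
            if flag == "established" and pkt.setup:
                continue
            if rule.get("keep_state"):
                self.dynamic.add(key)
                self.log.append(f"keep-state new {pkt.src} <-> {pkt.dst}")
            return act
        return "deny"  # default deny


def trace_connection():
    """Walk the four passes in the message's diagram; return verdicts and state."""
    fw = Firewall(RULES)
    passes = [
        Packet(INSIDE_HOST, REMOTE, INSIDE_IF, "in", True),    # SYN enters on inside if
        Packet(INSIDE_HOST, REMOTE, OUTSIDE_IF, "out", True),  # same SYN leaves via outside if
        Packet(REMOTE, OUTSIDE_IP, OUTSIDE_IF, "in", False),   # SYN/ACK arrives at outside if
        Packet(REMOTE, INSIDE_HOST, INSIDE_IF, "out", False),  # SYN/ACK leaves via inside if
    ]
    verdicts = [fw.evaluate(p) for p in passes]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = trace_connection()
    print(*fw.log, sep="\n")
    print("dynamic entries:", len(fw.dynamic))
    print("created but never consulted:", fw.dynamic - fw.hits)
```

In this model the divert rule sits ahead of check-state, so the returning packet is already translated back to 192.168.0.2 by the time the dynamic table is consulted; the entry keyed on the outside address is created on the outbound pass but never looked up afterwards, which is the "keepstate (2)" the message asks about.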
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200209252111.g8PLBiC14337>