From: Eric Thornton
To: freebsd-questions@freebsd.org
Date: Wed, 25 Sep 2002 17:11:44
Subject: natd and dynamic rules

If someone could clear this up for me, it would be most appreciated.

Dual-homed host; the internal net is 192.168.0.0/24, the external is DHCP.

I have the following lines in my ipfw rules.
${oif} = outside interface
${natdif} = natd interface (which is the same as ${oif})

    ...
    ${fwcmd} add divert natd all from any to any via ${natdif}
    ...
    ${fwcmd} add check-state
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup
    ${fwcmd} add deny tcp from any to any in via ${oif} established
    ${fwcmd} add pass tcp from any to any keep-state setup
    ${fwcmd} add pass tcp from any to any keep-state established
    ...
    default deny

With this setup, are there two dynamic rules set for each packet? One for when it passes through the inside interface and one for the outside interface?
ipfw -d list shows connections such as 192.168.0.2 <-> any ip. It seems as though I have an unneeded keep-state (2) as well as redundant keep-states. Can someone make any sense of my rambling?

{Packet leaving inside network for a random ip (anyip)}
    192.168.0.2 > (anyip)
         |
         V
    keepstate(1) 192.168.0.2 <-> (anyip)

{Packet then is sent out through outside interface with IP (outsideip)}
    192.168.0.2 > (anyip)
         |
         V
    Natd-> (outsideip) > (anyip)
         |
         V
    keepstate (2) (outsideip) <-> (anyip)

{Then the packet coming back into my network through outside interface}
    (anyip) > (outsideip)
         |
         V
    Natd--(anyip) > 192.168.0.2
         |
         V
    check-state (1) met (anyip) <-> 192.168.0.2 and closed

{Through inside interface}
    (anyip) > 192.168.0.2
         |
         V
    keep-state (1) anyip <-> 192.168.0.2 refreshed (unneeded)
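A constructed Python model of the packet walk drawn above (added here as an example; it is not from the post and not ipfw's own code): the ruleset in the post's order, dynamic rules kept as (src, dst) pairs, and natd reduced to address rewriting on the outside interface. Interface names, the public address and the remote address are assumed values.

```python
INSIDE, OUTSIDE = "rl0", "fxp0"      # assumed interface names (${natdif} == ${oif} == OUTSIDE)
OUTSIDE_IP = "198.51.100.7"          # constructed public address of the outside interface

class Ipfw:
    """Toy model of the post's ruleset; ports and timeouts are omitted."""
    def __init__(self):
        self.dynamic = []            # keep-state entries, each stored as (src, dst)
        self.nat = {}                # natd table: remote address -> internal host

    def _state_hit(self, p):
        # check-state matches a dynamic rule in either direction
        return (p["src"], p["dst"]) in self.dynamic or (p["dst"], p["src"]) in self.dynamic

    def pass_packet(self, p):
        """One traversal of the ruleset; returns (matched rule, packet after natd)."""
        p = dict(p)
        if p["iface"] == OUTSIDE:                        # divert natd ... via ${natdif}
            if p["dir"] == "out":
                self.nat[p["dst"]] = p["src"]
                p["src"] = OUTSIDE_IP                    # source rewritten to the public IP
            elif p["dst"] == OUTSIDE_IP and p["src"] in self.nat:
                p["dst"] = self.nat[p["src"]]            # reply mapped back to the inside host
        if self._state_hit(p):                           # check-state
            return "check-state", p
        if p["iface"] == OUTSIDE and p["dir"] == "in":   # both 'deny ... in via ${oif}' rules
            return "deny", p
        if p["flags"] in ("setup", "established"):       # pass ... keep-state setup/established
            self.dynamic.append((p["src"], p["dst"]))    # a new dynamic rule is created here
            return "keep-state", p
        return "deny", p                                 # default deny

def trace_tcp_connection(internal, remote):
    """Walk the four traversals the post draws; returns (rule matched per step, dynamic rules)."""
    fw, log = Ipfw(), []
    syn = {"src": internal, "dst": remote, "flags": "setup"}
    for name, pkt in (("syn in via inside", dict(syn, iface=INSIDE, dir="in")),
                      ("syn out via outside", dict(syn, iface=OUTSIDE, dir="out"))):
        action, _ = fw.pass_packet(pkt)
        log.append((name, action))
    reply = {"src": remote, "dst": OUTSIDE_IP, "flags": "established", "iface": OUTSIDE, "dir": "in"}
    action, reply = fw.pass_packet(reply)               # natd rewrites dst before check-state
    log.append(("reply in via outside", action))
    reply.update(iface=INSIDE, dir="out")
    action, _ = fw.pass_packet(reply)
    log.append(("reply out via inside", action))
    return log, fw.dynamic

if __name__ == "__main__":
    steps, dyn = trace_tcp_connection("192.168.0.2", "203.0.113.9")
    print(steps)
    print("dynamic rules:", dyn)                         # two entries, as the post observes
```

Run with the post's addresses, it produces one dynamic rule for 192.168.0.2 <-> remote and a second for the public address <-> remote, which is what `ipfw -d list` shows when the keep-state rules sit after the natd divert and are not restricted to one interface.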