Date: Wed, 3 Jan 2001 23:22:03 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Phil C <mongo@elephantitis.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw, check-state & natd
Message-ID: <20010103232203.H95729@rfx-64-6-211-149.users.reflexco>
In-Reply-To: <20010103131202.A62258@planw-65-33-233-186.pompano.net>; from mongo@elephantitis.org on Wed, Jan 03, 2001 at 01:12:02PM -0500
References: <20010103131202.A62258@planw-65-33-233-186.pompano.net>
On Wed, Jan 03, 2001 at 01:12:02PM -0500, Phil C wrote:
> Is there a way to allow for checking the state of outbound packets within
> ipfw ... while also using natd for masquerading? I have tried adding the
> 'keep-state' directive on outbound rules for my LAN interface and my ISP
> interface, i.e.:
>
>
> ipfw add check-state
> ...
> ipfw add pass ip from ${cable} to any keep-state
> ipfw add pass tcp from ${net}:${mask} to any setup via ${if_lan} keep-state
> ...
> ipfw add deny ip from any to any
>
>
> Though when I do this all packets drop without a trace, because I would
> assume the state does not match. I say that I assume because the
> check-state rule never increases in packet count and the deny rules do not
> increase either. Though in my logs I see that packets are being denied and
> there are a lot of 'natd: failed to write packet back (Permission denied)'
> messages too.
>
> So does anyone have any ideas?

The concept should work. That's how my firewall works.

You did not post all of your rules. My first guess would be that the
packets are getting dropped before they get to the keep-state rule. Hard
to say.
-- 
Crist J. Clark                          cjclark@alum.mit.edu
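An added illustration, not Phil's ruleset and not Crist's: one ordering of the divert natd, check-state and keep-state rules that works together, written as an sh script so the rule order can be printed and checked on a machine without ipfw. The interface names xl0/xl1, the LAN prefix 192.168.1.0/24 and the public address 203.0.113.10 are assumptions standing in for ${if_lan}, ${net}:${mask} and ${cable}. The point is that the inbound divert comes before check-state, so a reply packet is translated back to the private address the dynamic rule was recorded with, and the outbound keep-state rules skipto the outbound divert, so state is recorded before translation. When natd reinjects a packet after the divert rule and the remaining rules deny it, the write on the divert socket fails with EACCES and natd logs "failed to write packet back (Permission denied)", which is the message Phil reports; a check-state rule placed before the inbound divert never sees the translated packet, so its counter stays at zero.

```shell
#!/bin/sh
# Added example ipfw ruleset for stateful filtering with natd.
# Not the poster's rules. Interface names, prefix and address are assumptions.
oif="${OIF:-xl0}"               # assumed ISP-facing interface (the ${cable} side)
iif="${IIF:-xl1}"               # assumed LAN interface (the ${if_lan} side)
lan="${LAN:-192.168.1.0/24}"    # assumed private LAN prefix (${net}:${mask})
pub="${PUB:-203.0.113.10}"      # assumed public address of the firewall itself

# fw runs ipfw, or with DRY_RUN=1 prints the rule instead, so the ordering can
# be inspected without a kernel that has IPFIREWALL and IPDIVERT.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        ipfw -q add "$@"
    fi
}

load_rules() {
    [ "${DRY_RUN:-0}" = 1 ] || ipfw -q flush
    fw 100 allow ip from any to any via lo0
    fw 110 allow ip from any to any via "$iif"
    # Inbound on the ISP side: translate public->private FIRST. natd reinjects
    # the packet at the rule after 200, where check-state can match the
    # dynamic rule that was recorded with the private address.
    fw 200 divert natd ip from any to any in via "$oif"
    fw 210 check-state
    # Outbound from the LAN: record state with the pre-NAT addresses, then
    # jump to the outbound divert. Later packets of the flow match at 210 and
    # inherit this skipto action.
    fw 300 skipto 500 tcp from "$lan" to any out via "$oif" setup keep-state
    fw 310 skipto 500 udp from "$lan" to any out via "$oif" keep-state
    fw 320 skipto 500 icmp from "$lan" to any out via "$oif" keep-state
    # Traffic the firewall itself originates needs no translation.
    fw 330 allow ip from "$pub" to any out via "$oif" keep-state
    # Anything else reaching this point is unsolicited: log and drop.
    fw 490 deny log ip from any to any
    # skipto target: translate private->public, then let the reinjected packet
    # (and inbound packets sent here by check-state) through.
    fw 500 divert natd ip from any to any out via "$oif"
    fw 510 allow ip from any to any
    fw 65000 deny log ip from any to any
}

# check_order prints "ok" when the inbound divert precedes check-state and
# every keep-state rule precedes the outbound divert.
check_order() {
    rules=$(DRY_RUN=1 load_rules)
    in_div=$(printf '%s\n' "$rules" | awk '/divert natd/ && /in via/ {print $1; exit}')
    cs=$(printf '%s\n' "$rules" | awk '/check-state/ {print $1; exit}')
    out_div=$(printf '%s\n' "$rules" | awk '/divert natd/ && /out via/ {print $1; exit}')
    ks=$(printf '%s\n' "$rules" | awk '/keep-state/ {print $1}' | sort -n | tail -1)
    [ "$in_div" -lt "$cs" ] && [ "$ks" -lt "$out_div" ] && echo ok
}

# Usage: sh fw.sh load   (install rules; natd must be running with -n $oif)
#        sh fw.sh print  (print the rules without touching the kernel)
#        sh fw.sh check  (verify the divert/check-state/keep-state ordering)
case "${1:-}" in
    load)  load_rules ;;
    print) DRY_RUN=1 load_rules ;;
    check) check_order ;;
esac
```

With this layout the only rule that can produce "failed to write packet back" is 490 or 65000 acting on a reinjected packet, so a rising deny counter at one of those two rules, together with the natd message, points straight at the rule natd's reinjected packets are falling into.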