From: "David Hedley"
To: freebsd-bugs@FreeBSD.org
Subject: Re: kern/29294: IPFW dynamic rules and NATD interaction has logical design flaw
Date: Mon, 6 Aug 2001 16:14:36 +0100

The following reply was made to PR kern/29294; it has been noted by GNATS.

For this to work, you need to split your firewall rules between incoming and outgoing packets and divert them to natd at different times, i.e.:

# Outbound packets jump straight to the outgoing section starting at 30000
add 1 skipto 30000 ip from any to any out

# All packets at this point are now inbound
# Map incoming external IPs to internal
add 100 divert natd ip from any to any via tun0
# Allow any packets that are part of an ongoing connection
add 200 check-state
# Everything else inbound is dropped and logged
add 300 deny log ip from any to any

# Outgoing packets are processed here
# Add in dynamic rule using non-NAT addresses
add 30000 skipto 30100 ip from any to any via tun0 keep-state
# Do NAT
add 30100 divert natd ip from any to any via tun0
add 30200 allow ip from any to any

From this, both keep-state and check-state will work on internal (i.e. before-NAT) addresses.
Hope this helps,

David

--
Dr David Hedley, R&D Director, Intelligent Network Technology Ltd, Bristol, UK
http://www.inty.net/
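To make the ordering argument in the reply concrete, here is an added example (not code from the PR, the reply, or FreeBSD) that models the ipfw rule walk for the ruleset above and shows which rules each packet visits. It assumes, as labelled in the code, that a packet returning from natd resumes at the rule after the divert rule, that a check-state hit runs the action of the rule that created the dynamic entry, and that natd passes inbound packets it has no session for untranslated; the addresses, ports and the `Natd`, `Firewall`, `Packet` and `Rule` names are constructed for the example.

```python
"""Toy model of the ipfw rule walk for the ruleset in the reply above.

Assumptions (constructed for this example, not taken from the PR): a packet
that comes back from natd re-enters at the rule after the divert rule; a
check-state hit runs the action of the rule that created the dynamic entry;
natd leaves inbound packets it has no session for untranslated.
"""
from dataclasses import dataclass
from typing import Optional

INTERNAL = "192.168.1.10"   # constructed: LAN host behind natd
EXTERNAL = "203.0.113.5"    # constructed: public address on tun0
REMOTE = "198.51.100.7"     # constructed: remote server


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str          # "in" or "out"
    iface: str              # interface the packet crosses, e.g. "tun0"


@dataclass
class Rule:
    number: int
    action: str                       # skipto | divert | check-state | deny | allow
    target: int = 0                   # skipto destination
    direction: Optional[str] = None   # "in", "out" or None for any
    via: Optional[str] = None         # interface name or None for any
    keep_state: bool = False


# The reply's ruleset, expressed as data in the same order.
RULES = [
    Rule(1, "skipto", target=30000, direction="out"),
    Rule(100, "divert", via="tun0"),
    Rule(200, "check-state"),
    Rule(300, "deny"),
    Rule(30000, "skipto", target=30100, via="tun0", keep_state=True),
    Rule(30100, "divert", via="tun0"),
    Rule(30200, "allow"),
]


class Natd:
    """Stand-in for natd: aliases LAN sources to EXTERNAL on the way out and
    maps the matching replies back in; everything else passes untouched."""

    def __init__(self):
        self.sessions = {}  # (remote ip, remote port, alias port) -> LAN host

    def translate(self, pkt):
        if pkt.direction == "out" and pkt.src != EXTERNAL:
            self.sessions[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            pkt.src = EXTERNAL
        elif pkt.direction == "in" and pkt.dst == EXTERNAL:
            pkt.dst = self.sessions.get((pkt.src, pkt.sport, pkt.dport), pkt.dst)


class Firewall:
    def __init__(self, rules, nat):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.nat = nat
        self.dynamic = {}   # flow key -> rule that created the entry

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key, so a reply matches the state its request made.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    @staticmethod
    def matches(rule, pkt):
        return ((rule.direction is None or rule.direction == pkt.direction)
                and (rule.via is None or rule.via == pkt.iface))

    def process(self, pkt):
        """Walk the ruleset; return (verdict, list of rule numbers visited)."""
        trace = []
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            if not self.matches(rule, pkt):
                i += 1
                continue
            trace.append(rule.number)
            if rule.action == "check-state":
                parent = self.dynamic.get(self.flow_key(pkt))
                if parent is None:
                    i += 1
                    continue
                rule = parent                 # act as the rule that made the state
            elif rule.keep_state:
                self.dynamic[self.flow_key(pkt)] = rule
            if rule.action in ("allow", "deny"):
                return rule.action, trace
            if rule.action == "divert":
                self.nat.translate(pkt)       # natd rewrites; resume at the next rule
                i += 1
            elif rule.action == "skipto":
                i = next(j for j, r in enumerate(self.rules) if r.number >= rule.target)
        return "deny", trace                  # implicit default deny


def run_scenario():
    """Outbound request, its reply, and an unsolicited inbound probe."""
    fw = Firewall(RULES, Natd())
    syn = Packet(INTERNAL, REMOTE, 12345, 80, "out", "tun0")
    out_verdict, out_trace = fw.process(syn)
    reply = Packet(REMOTE, EXTERNAL, 80, 12345, "in", "tun0")
    in_verdict, in_trace = fw.process(reply)
    probe = Packet(REMOTE, EXTERNAL, 4444, 22, "in", "tun0")
    probe_verdict, probe_trace = fw.process(probe)
    return {
        "out": (out_verdict, out_trace, syn.src),       # src rewritten to EXTERNAL
        "reply": (in_verdict, in_trace, reply.dst),     # dst mapped back to INTERNAL
        "probe": (probe_verdict, probe_trace),
        "state_keys": [sorted(k) for k in fw.dynamic],  # state holds pre-NAT addresses
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

The walk shows the point of the split: the outbound packet reaches rule 30000 before it is diverted, so the dynamic entry is keyed on the LAN address; the reply is de-NATed by rule 100 before rule 200 sees it, so check-state finds that same entry; an inbound packet with no state falls through to the deny at 300.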