Date: Thu, 3 Jun 2004 09:04:22 +0300
From: "Ari Suutari" <ari@suutari.iki.fi>
To: "OpenMacNews" <freebsd-ipfw.20.openmacews@spamgourmet.com>, "freebsd-ipfw" <freebsd-ipfw@freebsd.org>
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <03ef01c44930$9f0ddc00$2508473e@sad.syncrontech.com>
References: <DAC6B2F195AD44196B3A03F5@[172.30.11.6]> <030301c4492d$89962150$2508473e@sad.syncrontech.com> <889522B08C907A6E653E1D2B@[172.30.11.6]>
Hi,

> > check-state
> > allow udp from internal_network/24 to any 53 keep-state
> > allow udp from public-ip-address to any 53 keep-state
>
> ok. this is the "dual rules" approach that I'd read about.
>
> is it IPFW that's "managing" state, then, or NATd, or both? i.e., check-state checks WHICH tables?

Well, both. 'check-state' checks ipfw's tables. Natd does its own checking.

> > I *don't* have a rule for my internal interface which passes all traffic
> > (ie. 'pass ip from any to any via internal-interface-name'
> > which seems to be common setup, I use the 'via' keyword of ipfw
> > only on anti-spoofing rules at beginning of my ruleset, all other
> > rules are then based on ip-addresses only).
> >
> > The setup above creates two dynamic rules when packets are
> > going thru. One matches the packet before nat and one after.
>
> in your example, how have you setup your NAT divert statement? are you using any "fwd" statements in conjunction? i'm asking in relation to my _other_post:

My divert statement is very much like in the standard /etc/rc.firewall.

Ari S.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?03ef01c44930$9f0ddc00$2508473e>
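The layout Ari describes (natd divert, check-state, and one keep-state rule for the internal network plus one for the public address), written out as an rc.firewall-style script. This is an added example, not code from the thread or from FreeBSD's own rc.firewall; interface names and addresses are constructed placeholders, and the placement of the divert ahead of check-state is the ordering chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: rc.firewall-style script that combines a
# natd divert with the "dual keep-state rules" layout described above.
# Interface names and addresses are constructed placeholders.
oif="fxp0"               # public interface (assumed name)
iif="fxp1"               # internal interface (assumed name)
inet="192.168.1.0/24"    # internal network (constructed)
oip="203.0.113.10"       # public address natd rewrites to (constructed)
# Default is a dry run that prints the ipfw commands; set fwcmd=/sbin/ipfw to load them.
fwcmd="${fwcmd:-echo /sbin/ipfw}"

build_rules() {
    ${fwcmd} -f flush
    # Anti-spoofing is the only place 'via' is used; everything else keys on addresses.
    ${fwcmd} add 100 deny ip from ${inet} to any in via ${oif}
    ${fwcmd} add 110 deny ip from not ${inet} to any in via ${iif}
    # natd runs before check-state. If the divert came after it, an outbound
    # packet already matching a dynamic rule would be passed by check-state
    # and leave the box untranslated.
    ${fwcmd} add 200 divert natd ip from any to any via ${oif}
    ${fwcmd} add 300 check-state
    # An outbound DNS query is seen twice: inbound on ${iif} with its LAN source
    # (rule 400 creates dynamic rule 1), then outbound on ${oif} after natd has
    # rewritten the source to ${oip} (rule 410 creates dynamic rule 2).
    # The reply is translated back by rule 200 and then matches dynamic rule 1.
    ${fwcmd} add 400 allow udp from ${inet} to any 53 keep-state
    ${fwcmd} add 410 allow udp from ${oip} to any 53 keep-state
    ${fwcmd} add 65000 deny log ip from any to any
}

build_rules
```

Run it as-is to preview the rule list; `ipfw -d show` after loading shows the two dynamic entries appearing for a single query.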