Date:      Wed, 11 Jun 2003 11:05:00 +0100
From:      Subscriber <subscriber@insignia.com>
To:        freebsd-security@freebsd.org
Subject:   IPFW: combining "divert natd" with "keep-state"
Message-ID:  <2F03DF3DDE57D411AFF4009027B8C36704129AE8@exchange-uk.isltd.insignia.com>


I've been using ipfw for a while to create a router with NAT
and packet filtering, but have never combined it with
stateful filtering, instead using things like "established" to
accept incoming TCP packets which are part of a conversation
initiated from the "inside".

I'd like to move to using keep-state/check-state to get tighter
filtering and also to allow outgoing UDP and the replies, which
currently I block.

But I just can't get my head around how to do this. On the way
out, should the dynamic rules be created to match the pre-NAT
or post-NAT packets?

The man pages are good at explaining both NAT and dynamic
rules but not both in combination.

Jim Hatfield
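The thread above asks the question but does not answer it. The following is an added example written for this page, not Jim's ruleset and not part of the original message: one rule ordering that makes divert natd and keep-state work together. The ordering it follows is the one used in the FreeBSD Handbook's stateful NAT ruleset: inbound packets on the external interface are passed through natd before check-state, so that by the time the state lookup runs the packet carries the inside address again; outbound packets create their dynamic rule on the pre-NAT (inside-address) packet and then skipto the outbound divert rule. Interface names (em0, em1), the inside network and the rule numbers are assumptions; the script prints the rules by default and only loads them with `ipfw` when invoked with the word apply.

```shell
#!/bin/sh
# Added example: ordering "divert natd" relative to check-state/keep-state.
# Not from the original thread. Interface names, addresses and rule numbers
# are assumptions; adjust for the real router. natd is assumed to be running
# as "natd -n em0" (kernel with IPDIVERT).

pif="em0"                  # assumed external (NAT) interface
lif="em1"                  # assumed inside interface
inside="192.168.1.0/24"    # assumed inside network (constructed RFC 1918 range)
nat_out=1000               # rule number of the outbound divert rule

# rules: print one ipfw rule per line, in the order they must be loaded.
rules() {
    echo "00100 allow ip from any to any via lo0"
    # Everything on the inside interface is trusted by this example; the
    # filtering happens on the outbound/inbound passes over $pif.
    echo "00110 allow ip from any to any via $lif"

    # Inbound on the external interface: hand the packet to natd FIRST.
    # natd rewrites the destination back to the inside host and reinjects
    # the packet at the next rule, so check-state compares the same
    # (inside-address) tuple that keep-state recorded on the way out.
    echo "00200 divert natd ip from any to any in via $pif"
    echo "00210 check-state"

    # Outbound: the packet still carries its inside source address here,
    # so the dynamic rule is created on the pre-NAT packet. The action is
    # skipto the outbound divert rule; matching reply packets inherit the
    # same action from the dynamic rule.
    echo "00300 skipto $nat_out tcp from $inside to any out via $pif setup keep-state"
    echo "00310 skipto $nat_out udp from $inside to any out via $pif keep-state"
    echo "00320 skipto $nat_out icmp from $inside to any out via $pif icmptypes 8 keep-state"

    # Anything that reached this point was neither an established flow
    # nor an allowed new outbound connection.
    echo "00900 deny log ip from any to any"

    # Outbound NAT happens after the policy decision; natd rewrites the
    # source address and the packet continues at the following allow rule.
    echo "0$nat_out divert natd ip from any to any out via $pif"
    echo "0$((nat_out + 10)) allow ip from any to any"
}

# count_rules: number of rules in the set that contain the given keyword.
count_rules() {
    rules | grep -c -- "$1"
}

# apply_rules: flush and load the ruleset (requires root on the FreeBSD router).
apply_rules() {
    ipfw -q -f flush
    rules | while read -r r; do
        # shellcheck disable=SC2086  # word splitting of $r is intended
        ipfw -q add $r
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    rules
fi
```

The point the ruleset encodes is the one the question turns on: there is exactly one divert rule for each direction, the inbound one precedes check-state and the outbound one follows the keep-state rules, so state is always created and checked on packets bearing the inside addresses. Placing keep-state after the outbound divert instead would record the translated external address, and inbound replies would then have to be checked before their divert rule, which is the mirror-image arrangement; mixing the two is what produces flows that never match their own state.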

