Date: Fri, 4 Jun 2004 22:35:18 +1000
From: Tony Frank <tfrank@optushome.com.au>
To: JJB <Barbish3@adelphia.net>
Cc: OpenMacNews <freebsd-ipfw.20.openmacews@spamgourmet.com>
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <20040604123518.GB51783@marvin.home.local>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGOEGNGAAA.Barbish3@adelphia.net>
References: <20040602154140.A17902@xorpc.icir.org> <MIEPLLIBMLEEABPDBIEGOEGNGAAA.Barbish3@adelphia.net>
Hi there,

On Wed, Jun 02, 2004 at 08:39:16PM -0400, JJB wrote:
> Luigi, your statement is very generic and so easy to make, when
> there is no proof given to back it up. There is no documentation
> that backs up your statement that says that stateful rules will work
> in a NATed environment.

I think the standard rc.firewall sample scripts show this behaviour as working.

> Better yet, here is a stateful rule set
> that works with no LAN behind the firewall machine. I would like to
> see just how you would change it to get it to work in a NATed
> environment. I think once you start trying to get it to work you
> will come to realize the problem ipfw has using stateful rules in a
> NATed environment first hand.

If you have no LAN behind the firewall, why do you want to run NAT?
Perhaps I have misunderstood your statement?

> The problem is the content of the
> dynamic table is always different no matter where you position the
> divert rule in the rule set, which causes the dynamic table content
> to never match.

Yes, this is an issue, hence correct building/ordering of ipfw rules is critical.

[...full firewall ruleset removed ...]

I think in your example I would add:

$cmd 000014 divert natd all from any to any via $outside_if

This would be placed before the ipfw check-state rule.

Also your inbound rules probably need some 'keep-state' entries to work?

Regards,

Tony
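To make the ordering question in this exchange concrete, here is an added toy model (not code from the thread or from FreeBSD) of how an ipfw dynamic-table entry is keyed on either side of a natd divert: it walks one outbound SYN and its reply through a given rule order and reports whether check-state finds the entry keep-state created. The addresses, ports and rule orders are constructed assumptions.

```python
# Added illustration (not from the thread): a toy model of how an ipfw
# dynamic-table entry is keyed on either side of a natd divert rule.
# Addresses and ports are constructed; rule names are abstract.

LAN_HOST = "192.168.1.10"   # host behind the firewall
PUBLIC_IP = "203.0.113.1"   # what natd rewrites it to on the outside interface
SERVER = "198.51.100.7"     # remote web server

def natd(pkt, direction):
    """Mimic natd on the outside interface: rewrite src outbound, dst inbound."""
    p = dict(pkt)
    if direction == "out" and p["src"] == LAN_HOST:
        p["src"] = PUBLIC_IP
    elif direction == "in" and p["dst"] == PUBLIC_IP:
        p["dst"] = LAN_HOST
    return p

def flow_key(pkt):
    """Key stored by keep-state: the addresses exactly as that rule sees them."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

def reply_matches(order):
    """Walk an outbound SYN and its reply through order = {"out": [...], "in": [...]}
    and report whether check-state on the reply finds the keep-state entry."""
    dyn = set()
    syn = {"src": LAN_HOST, "sport": 40001, "dst": SERVER, "dport": 80}
    for rule in order["out"]:
        if rule == "divert":
            syn = natd(syn, "out")
        elif rule == "keep-state":
            dyn.add(flow_key(syn))
    reply = {"src": SERVER, "sport": 80, "dst": PUBLIC_IP, "dport": 40001}
    for rule in order["in"]:
        if rule == "divert":
            reply = natd(reply, "in")
        elif rule == "check-state":
            # a dynamic rule also matches the reverse direction of the stored flow
            return (reply["dst"], reply["dport"], reply["src"], reply["sport"]) in dyn
    return False

# A single 'divert natd ... via $outside_if' rule sits at one position for both
# directions, so both packets are translated on the same side of the state rules:
DIVERT_BEFORE_STATE = {"out": ["divert", "keep-state"], "in": ["divert", "check-state"]}
DIVERT_AFTER_STATE = {"out": ["keep-state", "divert"], "in": ["check-state", "divert"]}
# Separate 'in via' and 'out via' divert rules let the entry be created and checked
# on the private side of the translation in both directions:
SPLIT_DIVERT = {"out": ["keep-state", "divert"], "in": ["divert", "check-state"]}
```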