From: Tony Frank
To: JJB
cc: Luigi Rizzo, freebsd-ipfw, OpenMacNews
Date: Fri, 4 Jun 2004 22:35:18 +1000
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <20040604123518.GB51783@marvin.home.local>
References: <20040602154140.A17902@xorpc.icir.org>
List-Id: IPFW Technical Discussions

Hi there,

On Wed, Jun 02, 2004 at 08:39:16PM -0400, JJB wrote:
> Luigi, your statement is very generic and so easy to make, when
> there is no proof given to back it up. There is no documentation
> that backs up your statement that says that stateful rules will work
> in a NATed environment.

I think the standard rc.firewall sample scripts show this behaviour as working.

> Better yet, here is a stateful rule set
> that works with no LAN behind the firewall machine. I would like to
> see just how you would change it to get it to work in a NATed
> environment. I think once you start trying to get it to work you
> will come to realize the problem ipfw has using stateful rules in a
> NATed environment first hand.

If you have no LAN behind the firewall, why do you want to run NAT?
Perhaps I have misunderstood your statement?

> The problem is the content of the
> dynamic table is always different no matter where you position the
> divert rule in the rule set, which causes the dynamic table content
> to never match.

Yes, this is an issue, hence correct building/ordering of ipfw rules is critical.

[...full firewall ruleset removed ...]

I think in your example I would add:

$cmd 000014 divert natd all from any to any via $outside_if

This would be placed before the ipfw check-state rule.

Also your inbound rules probably need some 'keep-state' entries to work?

Regards,

Tony
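The rule ordering the thread is arguing about, as an added example that is not part of the mail above and not FreeBSD's own rc.firewall. The mismatch JJB describes comes from keep-state recording whichever addresses the packet carries at the moment the rule fires; if natd rewrites the source of outbound packets before the state entry is created but replies reach check-state before they are un-NATed, the two directions never agree. The script below splits the divert into an inbound half placed before check-state and an outbound half placed after the keep-state rules (reached with skipto), so both directions are recorded and checked with the private LAN address. The interface names dc0/xl0, the LAN subnet, the rule numbers and the IPFW_APPLY switch are assumptions for illustration; with IPFW_APPLY unset the script only prints the rules, so it can be reviewed on any host.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.firewall):
# stateful ipfw rules alongside natd, ordered so the dynamic table is
# consistent. Interface names and the LAN subnet are assumptions.

outside_if="dc0"            # assumed: interface facing the Internet
inside_if="xl0"             # assumed: interface facing the LAN
lan_net="192.168.1.0/24"    # assumed: private LAN behind the firewall

# Like $cmd in rc.firewall, but prints the rule unless IPFW_APPLY=1, so the
# ordering can be reviewed on any host (no ipfw or natd needed).
cmd() {
    if [ "${IPFW_APPLY:-0}" = "1" ]; then
        /sbin/ipfw -q add "$@"
    else
        printf 'ipfw add %s\n' "$*"
    fi
}

ruleset() {
    cmd 00005 allow all from any to any via "$inside_if"
    cmd 00010 allow all from any to any via lo0

    # Inbound from the Internet: un-NAT first, so by the time check-state
    # runs the packet carries the private destination that the outbound
    # keep-state rule recorded. natd reinjects at the next rule (00015).
    cmd 00014 divert natd ip from any to any in via "$outside_if"
    cmd 00015 check-state

    # Outbound: record state while the source is still private, then jump
    # past the filter to the outbound NAT rule. Replies that match the
    # dynamic entry inherit the skipto action of the rule that created it.
    cmd 00020 skipto 500 tcp from "$lan_net" to any out via "$outside_if" setup keep-state
    cmd 00021 skipto 500 udp from "$lan_net" to any 53 out via "$outside_if" keep-state
    cmd 00022 skipto 500 icmp from "$lan_net" to any out via "$outside_if" keep-state
    cmd 00030 deny log all from any to any out via "$outside_if"

    # Inbound that matched no dynamic entry: drop obvious spoofs, then
    # everything else (this example publishes no services).
    cmd 00100 deny all from 10.0.0.0/8 to any in via "$outside_if"
    cmd 00101 deny all from 172.16.0.0/12 to any in via "$outside_if"
    cmd 00102 deny all from 192.168.0.0/16 to any in via "$outside_if"
    cmd 00110 deny log all from any to any in via "$outside_if"

    # Outbound NAT happens only after the keep-state rules above; natd
    # reinjects at 00510, which passes the translated packet.
    cmd 00500 divert natd ip from any to any out via "$outside_if"
    cmd 00510 allow ip from any to any
    cmd 00999 deny log all from any to any
}

# Sanity check that runs anywhere: the inbound NAT rule must precede
# check-state, and every keep-state rule must precede the outbound NAT rule.
# Returns 0 when the ordering holds, 1 otherwise.
check_ordering() {
    out=$(ruleset)
    nat_in=$(printf '%s\n' "$out" | grep -n 'divert natd ip from any to any in via' | head -n 1 | cut -d: -f1)
    cs=$(printf '%s\n' "$out" | grep -n 'check-state' | head -n 1 | cut -d: -f1)
    last_ks=$(printf '%s\n' "$out" | grep -n 'keep-state' | tail -n 1 | cut -d: -f1)
    nat_out=$(printf '%s\n' "$out" | grep -n 'divert natd ip from any to any out via' | head -n 1 | cut -d: -f1)
    [ -n "$nat_in" ] && [ -n "$cs" ] && [ -n "$last_ks" ] && [ -n "$nat_out" ] &&
        [ "$nat_in" -lt "$cs" ] && [ "$cs" -lt "$last_ks" ] && [ "$last_ks" -lt "$nat_out" ]
}

ruleset
check_ordering && echo "rule ordering OK"
```

Walking one session through it: the first outbound SYN from the LAN passes check-state with no entry, hits rule 20, which records the private source and jumps to 500, where natd rewrites it before 510 passes it. The reply arrives on dc0, is un-NATed by rule 14 back to the private destination, matches the dynamic entry at rule 15 and inherits the skipto to 500; rule 500 is "out via" so it does not fire, and 510 passes the packet. A single "divert natd all ... via $outside_if" placed before check-state would instead translate outbound packets before keep-state fires, leaving entries keyed on the public address while replies are un-NATed before the lookup.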