Date:      Thu, 12 Jun 2003 13:00:18 +0100
From:      Subscriber <subscriber@insignia.com>
To:        "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
Subject:   RE: IPFW: combining "divert natd" with "keep-state"
Message-ID:  <2F03DF3DDE57D411AFF4009027B8C36704129AE9@exchange-uk.isltd.insignia.com>

> -----Original Message-----
> From: Greg Panula [mailto:greg.panula@dolaninformation.com]
> Sent: 11 June 2003 13:21
> To: Subscriber
> Cc: freebsd-security@freebsd.org
> Subject: Re: IPFW: combining "divert natd" with "keep-state"
> 
> ## Example ##
> fxp0 = external nic
> xl0 = internal nic
> internal network = 10.10.10.0/24
> internal traffic NAT'd to 1.2.3.4
> 
> ## handle nat traffic
> 100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
> 200 divert 8668 ip from any to 1.2.3.4 in via fxp0
> 
> 300 check-state
> 
> ## dynamic rules for internal clients access to everything
> ## needed so un-nat'd return traffic can flow out the 
> ## internal nic to the internal clients
> 400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
> 500 allow udp from 10.10.10.0/24 to any keep-state via xl0

Thanks, for some reason I was fixated on putting all
the rules on the external interface and having
pass all from any to any via xl0
as the first rule in the list.

I'll give this a go.
Jim
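To see why the ordering Greg quotes works, here is an added walk-through written for this archive page, not code from the thread: a small Python model of ipfw evaluation (first match wins, a diverted packet re-enters at the next rule, check-state matches both directions of a flow) run over the quoted ruleset. The toy natd, the sample addresses 10.10.10.5 and 198.51.100.7, and rule 600 are assumptions; the quoted fragment ends at 500, so 600 stands in for whatever the full ruleset used to let translated packets leave fxp0.

```python
import ipaddress
# Constructed transcription of the quoted ruleset plus ipfw's implicit default deny, as tuples of
# (number, action, proto, src, dst, direction or None for "via", iface, keep-state). Rule 600 is an
# ASSUMPTION: the fragment ends at 500, but packets rewritten to 1.2.3.4 still need a way out of fxp0.
RULES = [
    (100, "divert", "ip", "10.10.10.0/24", "0.0.0.0/0", "out", "fxp0", False),
    (200, "divert", "ip", "0.0.0.0/0", "1.2.3.4/32", "in", "fxp0", False),
    (300, "check-state", "ip", "0.0.0.0/0", "0.0.0.0/0", None, None, False),
    (400, "allow", "tcp", "10.10.10.0/24", "0.0.0.0/0", None, "xl0", True),
    (500, "allow", "udp", "10.10.10.0/24", "0.0.0.0/0", None, "xl0", True),
    (600, "allow", "ip", "1.2.3.4/32", "0.0.0.0/0", "out", "fxp0", False),  # assumed, see above
    (65535, "deny", "ip", "0.0.0.0/0", "0.0.0.0/0", None, None, False),
]
def natd(pkt, nat_table):
    """Toy natd keyed on the peer address only (real natd also translates ports)."""
    if pkt["dir"] == "out":
        nat_table[pkt["dst"]] = pkt["src"]                    # remember which LAN host talks to this peer
        return {**pkt, "src": "1.2.3.4"}
    return {**pkt, "dst": nat_table.get(pkt["src"], pkt["dst"])}  # un-NAT a reply; unknown peers pass as-is
def matches(rule, pkt):
    _, _, proto, src, dst, direction, iface, _ = rule
    return (proto in ("ip", pkt["proto"]) and direction in (None, pkt["dir"]) and iface in (None, pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst))
def ipfw(pkt, dyn, nat_table):
    for rule in RULES:                                 # first match wins; divert re-enters at the next rule
        num, action, keep = rule[0], rule[1], rule[7]
        flow = (pkt["proto"], pkt["src"], pkt["dst"])
        if action == "check-state":                    # dynamic entries match both directions of a flow
            if flow in dyn or (flow[0], flow[2], flow[1]) in dyn:
                return "allow", num, pkt
        elif matches(rule, pkt):
            if action == "divert":
                pkt = natd(pkt, nat_table)             # carry on at the next rule with the rewritten packet
                continue
            if keep:
                dyn.add(flow)
            return action, num, pkt
def trace_session(client="10.10.10.5", server="198.51.100.7"):
    """One TCP request and reply through both NICs: (verdict, rule) per hop, plus the reply's final dst."""
    dyn, nat_table, trace, last = set(), {}, [], None
    req = {"proto": "tcp", "src": client, "dst": server}
    hops = [(req, "in", "xl0"),                                          # enters from the LAN: 400 keeps state
            (req, "out", "fxp0"),                                        # 100 diverts, natd rewrites src
            ({"proto": "tcp", "src": server, "dst": "1.2.3.4"}, "in", "fxp0"),  # 200 un-NATs, 300 matches
            (None, "out", "xl0")]                                        # un-NAT'd reply out xl0: 300 again
    for pkt, direction, iface in hops:
        verdict, num, last = ipfw({**(pkt or last), "dir": direction, "iface": iface}, dyn, nat_table)
        trace.append((verdict, num))
    return trace, last["dst"]
```

The reply is accepted by check-state on both the fxp0 and xl0 passes because the state created at rule 400 holds the un-NAT'd client address, which is exactly what the packet carries once rule 200 has handed it back from natd.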


