From owner-freebsd-security@FreeBSD.ORG Thu Jun 12 05:00:22 2003
Message-ID: <2F03DF3DDE57D411AFF4009027B8C36704129AE9@exchange-uk.isltd.insignia.com>
From: Subscriber
To: "'freebsd-security@freebsd.org'"
Date: Thu, 12 Jun 2003 13:00:18 +0100
Subject: RE: IPFW: combining "divert natd" with "keep-state"

> -----Original Message-----
> From: Greg Panula [mailto:greg.panula@dolaninformation.com]
> Sent: 11 June 2003 13:21
> To: Subscriber
> Cc: freebsd-security@freebsd.org
> Subject: Re: IPFW: combining "divert natd" with "keep-state"
>
> ## Example ##
> fxp0 = external nic
> xl0 = internal nic
> internal network = 10.10.10.0/24
> internal traffic NAT'd to 1.2.3.4
>
> ## handle nat traffic
> 100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
> 200 divert 8668 ip from any to 1.2.3.4 in via fxp0
>
> 300 check-state
>
> ## dynamic rules for internal clients access to everything
> ## needed so un-nat'd return traffic can flow out the
> ## internal nic to the internal clients
> 400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
> 500 allow udp from 10.10.10.0/24 to any keep-state via xl0

Thanks. For some reason I was fixated on putting all the rules on the external interface and having "pass all from any to any via xl0" as the first rule in the list. I'll give this a go.

Jim
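The point of Greg's layout is that the keep-state rules sit on the internal NIC and key their dynamic entries on the un-NAT'd 10.10.10.x addresses, so the reply packet, which rule 200 has already translated back before check-state runs, still matches. The following Python model is an added illustration, not code from the thread, ipfw or natd: it walks one TCP request and its reply through both interfaces under a simplified ipfw semantics (first matching rule wins, a diverted packet re-enters at the rule after the divert, natd keeps the source port, rule 65535 denies). Rule 600 is assumed, since the quoted excerpt stops at 500 and the translated outbound packet still needs an allow on fxp0; the second ruleset is a constructed variant of the "all rules on the external interface, pass all via xl0 first" layout Jim describes giving up on, not his actual rules; the flow 10.10.10.5:1025 to 192.0.2.10:80 is a constructed sample.

```python
"""Simplified model of ipfw rule evaluation for natd + keep-state layouts.
Constructed illustration only; not ipfw or natd code."""
import ipaddress

EXT, INT = "fxp0", "xl0"        # external / internal NIC, as in the quoted example
LAN = "10.10.10.0/24"
NAT_IP = "1.2.3.4"

# Rule tuple: (number, action, proto, src, dst, direction, iface, keep_state)
# direction None models "via": the rule matches in either direction.
GREG_RULES = [
    (100, "divert", "ip", LAN, "any", "out", EXT, False),
    (200, "divert", "ip", "any", NAT_IP, "in", EXT, False),
    (300, "check-state", None, None, None, None, None, False),
    (400, "allow", "tcp", LAN, "any", None, INT, True),
    (500, "allow", "udp", LAN, "any", None, INT, True),
    # ASSUMED (not in the quoted excerpt): the translated outbound packet
    # re-enters after rule 100 and still needs a stateless allow on fxp0.
    (600, "allow", "ip", NAT_IP, "any", "out", EXT, False),
]

# CONSTRUCTED variant of the layout Jim describes: pass everything on the
# internal NIC first, keep state on the external NIC after NAT.
EXTERNAL_STATE_RULES = [
    (50, "allow", "ip", "any", "any", None, INT, False),
    (100, "divert", "ip", LAN, "any", "out", EXT, False),
    (200, "divert", "ip", "any", NAT_IP, "in", EXT, False),
    (300, "check-state", None, None, None, None, None, False),
    (400, "allow", "tcp", NAT_IP, "any", "out", EXT, True),
]


def addr_match(pattern, addr):
    return pattern == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)


def rule_matches(rule, pkt):
    _, _, proto, src, dst, direction, iface, _ = rule
    return (proto in ("ip", pkt["proto"])
            and addr_match(src, pkt["src"]) and addr_match(dst, pkt["dst"])
            and (direction is None or direction == pkt["dir"])
            and iface == pkt["iface"])


def flow_key(pkt):
    """Dynamic rules match both directions of the same 5-tuple."""
    ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends)


def natd(pkt, nat_table):
    """Model natd: rewrite the source of outbound LAN packets and restore the
    destination of inbound replies.  The source port is kept (simplification)."""
    pkt = dict(pkt)
    if pkt["dir"] == "out" and addr_match(LAN, pkt["src"]):
        nat_table[(NAT_IP, pkt["sport"])] = pkt["src"]
        pkt["src"] = NAT_IP
    elif pkt["dir"] == "in" and pkt["dst"] == NAT_IP:
        pkt["dst"] = nat_table.get((NAT_IP, pkt["dport"]), pkt["dst"])
    return pkt


def evaluate(rules, pkt, state, nat_table, after=0):
    """Return (verdict, rule number, packet as it leaves the firewall)."""
    for rule in rules:
        num, action = rule[0], rule[1]
        if num <= after:
            continue                      # re-entry after a divert skips up to it
        if action == "check-state":
            if flow_key(pkt) in state:
                return "allow", num, pkt
            continue
        if not rule_matches(rule, pkt):
            continue
        if action == "divert":
            translated = natd(pkt, nat_table)
            return evaluate(rules, translated, state, nat_table, after=num)
        if rule[7]:
            state.add(flow_key(pkt))      # keep-state
        return action, num, pkt
    return "deny", 65535, pkt             # default rule


def trace_session(rules):
    """Push one TCP request and its reply through both NICs; return the
    (verdict, rule number) of each pass.  Stops if the reply is denied."""
    state, nat, out = set(), {}, []

    def step(pkt):
        verdict, num, pkt = evaluate(rules, pkt, state, nat)
        out.append((verdict, num))
        return verdict, pkt

    req = {"proto": "tcp", "src": "10.10.10.5", "sport": 1025,
           "dst": "192.0.2.10", "dport": 80}            # constructed sample flow
    _, pkt = step(dict(req, dir="in", iface=INT))       # request enters on xl0
    _, pkt = step(dict(pkt, dir="out", iface=EXT))      # request leaves on fxp0, NAT'd
    reply = {"proto": "tcp", "src": pkt["dst"], "sport": pkt["dport"],
             "dst": pkt["src"], "dport": pkt["sport"], "dir": "in", "iface": EXT}
    verdict, pkt = step(reply)                          # reply enters on fxp0, un-NAT'd
    if verdict == "allow":
        step(dict(pkt, dir="out", iface=INT))           # reply leaves on xl0
    return out


if __name__ == "__main__":
    print("internal-NIC keep-state:", trace_session(GREG_RULES))
    print("external-NIC keep-state:", trace_session(EXTERNAL_STATE_RULES))
```

With Greg's layout the request is allowed by rule 400 (creating the dynamic entry), the translated request by the assumed rule 600, and both passes of the reply by check-state at 300. In the external-NIC variant the dynamic entry is keyed on 1.2.3.4, but rule 200 has rewritten the reply's destination to 10.10.10.5 before check-state sees it, so the reply falls through to the default deny.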