From: greg@nova.fqdn.com
Message-Id: <200102212004.PAA42475@nova.fqdn.com>
Subject: NAT and keep-state issue.
To: freebsd-questions@freebsd.org
Date: Wed, 21 Feb 2001 15:04:44 -0500 (EST)
Cc: greg@fqdn.com

Hi,

I'm trying to resolve an issue with my ipfw rules using NAT and the keep-state options. When I do not use keep-state and use 'allow established' all works well. When I remove 'allow established' and add keep-state to outbound connections that are NAT'd, it stops working.

I think this is because packets returning from the Internet are translated, so the internal dest IP is swapped in. This fails as there isn't a dynamic rule to match. The rule created with the outbound connection would create a rule with the aliased IP and dest IP. Returning packets would be checked by the rules after the IP swap has happened.

Am I missing something here or is there a trick? Any help would be great.

Thanks much.

greg

Here is the output of ipfw -a list. 222.222.222.222 is the external interface that faces the Internet. 333.333.333.333 is the ftp server I'm trying to reach (or web; both act the same). 192.168.50.50 is the internal proxy server where all connections heading out to the Internet originate from. I've changed the IPs.
00500 391 30606 deny udp from any 137 to any
00502 289 69180 deny udp from any 138 to any
01040 0 0 allow ip from any to any via lo0
01050 0 0 deny ip from any to 127.0.0.0/8
01060 2969 3314153 divert 8668 tcp from any to any via fxp0
02055 456 18248 allow tcp from 222.222.222.222 1025-65000 to any 1025-65000 keep-state setup
02060 118 5192 allow tcp from any to any 20-21 keep-state setup
02070 2 88 allow tcp from 192.168.50.50 to any in recv xl0 setup
03030 149 8276 deny log logamount 100 ip from any to any in recv fxp0
03040 0 0 deny log logamount 100 ip from any to any in recv fxp1
03050 1250 155979 deny log logamount 100 ip from any to any in recv xl0
09000 72 2888 deny log logamount 100 ip from any to any
65535 0 0 deny ip from any to any
## Dynamic rules:
02055 3 120 (T 0, # 28) ty 0 tcp, 222.222.222.222 2018 <-> 333.333.333.333 51962
02060 12 606 (T 7, # 50) ty 0 tcp, 222.222.222.222 2083 <-> 333.333.333.333 21
02060 12 606 (T 11, # 52) ty 0 tcp, 222.222.222.222 2085 <-> 333.333.333.333 21
02060 1 40 (T 17, # 54) ty 0 tcp, 222.222.222.222 2087 <-> 333.333.333.333 21
02055 3 120 (T 0, # 62) ty 0 tcp, 222.222.222.222 2036 <-> 333.333.333.333 33998
02055 3 120 (T 0, # 74) ty 0 tcp, 222.222.222.222 2039 <-> 333.333.333.333 46521
02055 3 120 (T 0, # 116) ty 0 tcp, 222.222.222.222 2041 <-> 333.333.333.333 49033
02055 2 88 (T 20, # 117) ty 0 tcp, 222.222.222.222 2086 <-> 333.333.333.333 52311
02055 2 88 (T 16, # 125) ty 0 tcp, 222.222.222.222 2084 <-> 333.333.333.333 48733
02060 38 5690 (T 291, # 152) ty 0 tcp, 192.168.50.50 2085 <-> 333.333.333.333 21
02060 5 364 (T 300, # 154) ty 0 tcp, 192.168.50.50 2087 <-> 333.333.333.333 21
02060 38 5690 (T 287, # 158) ty 0 tcp, 192.168.50.50 2083 <-> 333.333.333.333 21
02055 1007 40280 (T 0, # 204) ty 0 tcp, 222.222.222.222 2038 <-> 333.333.333.333 11582
02055 255 10200 (T 0, # 205) ty 0 tcp, 222.222.222.222 2068 <-> 333.333.333.333 42717

Thanks so much for your time.

greg
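The ordering problem the post describes, modelled as an added Python sketch that is not part of the post and not ipfw's own code. It assumes a port-preserving divert alias, the ruleset reduced to rules 01060/02055/02060/02070 plus the catch-all denies, and ipfw's behaviour of checking dynamic rules at the first keep-state rule when no check-state rule is present; it shows why the 02055 state created after NAT never matches the de-NAT'd reply, while the 02060 state created on the xl0 pass (before NAT) does.

```python
from dataclasses import dataclass

# Addresses as anonymised in the post; port numbers below are constructed.
EXT, PROXY, SERVER = "222.222.222.222", "192.168.50.50", "333.333.333.333"

@dataclass(frozen=True)
class Pkt:
    src: str; sport: int; dst: str; dport: int; iface: str; direction: str

def nat(pkt, table):
    """Rule 01060: divert via fxp0. Outbound packets get the external address as
    source; inbound packets get the internal host written back as destination.
    Assumes a port-preserving alias (a simplification, not natd's real logic)."""
    if pkt.iface != "fxp0":
        return pkt
    if pkt.direction == "out":
        table[pkt.sport] = pkt.src
        return Pkt(EXT, pkt.sport, pkt.dst, pkt.dport, pkt.iface, pkt.direction)
    if pkt.dst == EXT and pkt.dport in table:
        return Pkt(pkt.src, pkt.sport, table[pkt.dport], pkt.dport, pkt.iface, pkt.direction)
    return pkt

def dyn_key(pkt):
    # A dynamic rule matches either direction of the same address/port pair.
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

def one_pass(pkt, state, table, syn):
    """One ipfw traversal, reduced to the rules that matter for this question."""
    pkt = nat(pkt, table)                       # 01060 divert runs first
    if dyn_key(pkt) in state:                   # dynamic rules are checked at the
        return "allow(dynamic)"                 # first keep-state rule, i.e. 02055
    if syn and pkt.src == EXT and 1025 <= pkt.sport <= 65000 and 1025 <= pkt.dport <= 65000:
        state.add(dyn_key(pkt)); return "allow 02055"   # keyed on the post-NAT source
    if syn and pkt.dport in (20, 21):
        state.add(dyn_key(pkt)); return "allow 02060"
    if syn and pkt.src == PROXY and pkt.iface == "xl0" and pkt.direction == "in":
        return "allow 02070"
    return "deny"                               # 03030 / 03050 / 09000

def connect(dport, sport=2018):
    """SYN from the proxy (in on xl0, then out on fxp0) followed by the server's
    SYN/ACK (in on fxp0). Returns the verdict of each of the three passes."""
    state, table = set(), {}
    v_in = one_pass(Pkt(PROXY, sport, SERVER, dport, "xl0", "in"), state, table, True)
    v_out = one_pass(Pkt(PROXY, sport, SERVER, dport, "fxp0", "out"), state, table, True)
    v_back = one_pass(Pkt(SERVER, dport, EXT, sport, "fxp0", "in"), state, table, False)
    return v_in, v_out, v_back

if __name__ == "__main__":
    print("data port 51962:", connect(51962))   # ('allow 02070', 'allow 02055', 'deny')
    print("ftp control 21: ", connect(21))      # ('allow 02060', 'allow 02060', 'allow(dynamic)')
```

The two outcomes mirror the listing: the 02055 entries keyed on 222.222.222.222 sit at T 0 because their replies are dropped at 03030, whereas the 02060 entries that also exist keyed on 192.168.50.50 keep counting traffic.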