Date: 06 Dec 2002 01:41:47 +0800
From: Khairil Yusof <kaeru@pd.jaring.my>
To: questions@FreeBSD.org
Subject: natd + ipfw2 + dynamic rules
Message-ID: <1039109643.451.46.camel@daemon>
I just tracked down that having the line:

    add divert natd all from any to any via tun0

no longer works (it used to work with ipfw). The man page says this: according to man, packets diverted to userland and reinserted lose their attributes.

The following rules work:

    allow icmp from any to any
    allow udp from any to 161.142.1.17 53 via tun0
    allow udp from 161.142.1.17 53 to any via tun0

But stateful rules like the ones below don't:

    add allow tcp from any to any out xmit tun0 setup
    add allow tcp from any to any via tun0 established
    add allow udp from any to 61.6.32.62 123 keep-state

So, does this mean that a TCP packet going out sets up a dynamic rule before going out via natd, but coming in it is diverted via natd, loses some info about state, and doesn't get passed through any rules?

For the TCP dynamic rules:

    10 packets get diverted by the natd rule
    5 packets match the tcp rule via tun0 setup
    0 packets are denied by the last deny all rule

What happened to the packets that are supposed to be coming in via the setup rule? What's the proper way to do natd with ipfw2?

So far, it's the only problem with my recent testing of current :(. As a relative newbie, updating from src was painless. So it looks like it will be a pretty smooth upgrade for FreeBSD 5.0. It's amazing how well the FreeBSD team does things.

Any help much appreciated as always.

--
Khairil Yusof <kaeru@pd.jaring.my>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1039109643.451.46.camel>