From: Khairil Yusof <kaeru@pd.jaring.my>
To: questions@FreeBSD.org
Subject: natd + ipfw2 + dynamic rules
Date: 06 Dec 2002 01:41:47 +0800
Message-Id: <1039109643.451.46.camel@daemon>

I just tracked down that having the line:

    add divert natd all from any to any via tun0

no longer works (it used to work with ipfw). According to the man page, packets diverted to userland and reinserted lose their attributes.

The following rules work:

    allow icmp from any to any
    allow udp from any to 161.142.1.17 53 via tun0
    allow udp from 161.142.1.17 53 to any via tun0

But stateful rules like the ones below don't:

    add allow tcp from any to any out xmit tun0 setup
    add allow tcp from any to any via tun0 established
    add allow udp from any to 61.6.32.62 123 keep-state

So, does this mean that a TCP packet going out sets up a dynamic rule before going out via natd, but coming in it is diverted via natd, loses some info about state, and doesn't get passed through any rules?

For the TCP dynamic rules:

    10 packets get diverted by the natd rule
     5 packets match the tcp rule via tun0 setup
     0 packets are denied by the last deny all rule

What happened to the packets that are supposed to be coming in via the setup rule? What's the proper way to do natd with ipfw2?

So far, it's the only problem with my recent testing of -CURRENT :(. As a relative newbie, updating from src was painless. So it looks like it will be a pretty smooth upgrade for FreeBSD 5.0. It's amazing how well the FreeBSD team does things.

Any help much appreciated as always.

-- 
Khairil Yusof
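An added example, not part of the original post or of any reply on the list: one ruleset layout that keeps ipfw2 dynamic rules and natd from interfering, the "skipto" arrangement documented in the FreeBSD Handbook's IPFW chapter. The point it illustrates is ordering: a single `divert natd ... via tun0` rule ahead of the stateful rules means the dynamic rule is created and matched with different (translated) addresses in the two directions, whereas splitting the divert into an inbound rule placed before `check-state` and an outbound rule placed after the `keep-state` rules lets every dynamic rule be created and matched on the un-translated LAN addresses. The interface `tun0` and the DNS (161.142.1.17) and NTP (61.6.32.62) hosts are taken from the post; the LAN interface `fxp0`, the rule numbers and the skipto target 500 are assumptions. Run as root on a FreeBSD host with ipfw(8) it loads the rules; anywhere else it only prints them so the ordering can be inspected.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw2 + natd with stateful
# filtering, using the skipto layout from the FreeBSD Handbook.
#
# How the two divert points cooperate:
#   - inbound packets are un-NATed first (rule 100); natd re-injects them and
#     evaluation continues at the rule after the divert, so check-state (110)
#     sees the private LAN address the dynamic rule was created with;
#   - outbound packets create their dynamic rule while still carrying the
#     private source address, then "skipto 500" where they are NATed and the
#     translated packet is allowed out (510) without re-matching the filter.
#
# From the post: tun0, 161.142.1.17 (DNS), 61.6.32.62 (NTP).
# Assumptions: fxp0 as the LAN interface, rule numbers, skipto target 500.
set -eu

pif=tun0              # public PPP interface (from the post)
lif=fxp0              # LAN interface (assumption)
dns=161.142.1.17      # resolver used in the post
ntp=61.6.32.62        # NTP server used in the post
skip="skipto 500"

# Load for real only as root on a host that has ipfw(8); otherwise print the
# commands so the rule order can be checked on any machine.
if [ "$(id -u)" = 0 ] && command -v ipfw >/dev/null 2>&1; then
    cmd() { ipfw -q add "$@"; }
    ipfw -q -f flush
else
    cmd() { echo "ipfw add $*"; }
fi

natd_stateful_rules() {
    # Traffic that must never be NATed or filtered statefully.
    cmd 010 allow ip from any to any via lo0
    cmd 020 allow ip from any to any via "$lif"

    # 1. Inbound: translate public -> private, then continue at rule 110.
    cmd 100 divert natd ip from any to any in via "$pif"
    # 2. Anything matching an existing dynamic rule is accepted here.
    cmd 110 check-state

    # 3. Outbound: create the dynamic rule (private addresses), then jump
    #    to the NAT rule instead of falling through the filter again.
    cmd 200 $skip udp from any to "$dns" 53 out via "$pif" keep-state
    cmd 210 $skip udp from any to "$ntp" 123 out via "$pif" keep-state
    cmd 220 $skip tcp from any to any out via "$pif" setup keep-state
    cmd 230 $skip icmp from any to any out via "$pif" keep-state

    # 4. Inbound packets that matched no dynamic rule are dropped and logged,
    #    as is anything else not explicitly handled above.
    cmd 400 deny log ip from any to any in via "$pif"
    cmd 450 deny log ip from any to any

    # 5. skipto target: NAT the outbound packet; natd re-injects it and
    #    evaluation resumes at 510, which lets the translated packet leave.
    cmd 500 divert natd ip from any to any out via "$pif"
    cmd 510 allow ip from any to any
}

natd_stateful_rules
```

The counters the post quotes (packets hitting the divert rule, then the `setup` rule, then nothing hitting the final deny) are exactly what to watch after loading a layout like this: with two divert rules, `ipfw -d show` should show inbound packets accounted against rule 100 and then against the dynamic rules listed under check-state, and outbound packets against 200-230 and then 500.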