From owner-freebsd-questions Tue Jul 2 23:52:34 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 267D337B401 for ; Tue, 2 Jul 2002 23:52:31 -0700 (PDT)
Received: from stanley.e-technik.uni-erlangen.de (stanley.e-technik.uni-erlangen.de [131.188.137.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9302A43E0A for ; Tue, 2 Jul 2002 23:52:19 -0700 (PDT) (envelope-from tfie@lrs.e-technik.uni-erlangen.de)
Received: from lrs.e-technik.uni-erlangen.de (brian.e-technik.uni-erlangen.de [131.188.137.10]) by stanley.e-technik.uni-erlangen.de (8.9.1a/8.1.1-FAU) with ESMTP id IAA20906 for ; Wed, 3 Jul 2002 08:52:03 +0200 (MET DST)
Message-ID: <3D229F13.986F458B@lrs.e-technik.uni-erlangen.de>
Date: Wed, 03 Jul 2002 08:52:03 +0200
From: Thomas Fiebig
Organization: Institute for Computer Aided Circuit Design
X-Mailer: Mozilla 4.79 [en] (X11; U; SunOS 5.6 sun4u)
MIME-Version: 1.0
To: questions@FreeBSD.org
Subject: Firewall dynamic rules and NAT
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

Hi,

I'm installing a firewall for my private network with one machine playing the role of the firewall. Now I have installed NAT to go to the internet with the dynamically assigned IP of my ISP.

Following the instructions in 'man ipfw', I want to allow just outgoing internet access and I want to use dynamic rules for that, as suggested in the man page (check-state, deny established, setup keep-state, etc.). But that doesn't work. The 3-way handshake stops after the packet sent back from the site I called. This packet is dropped by the established rule.

So it seems to me as if no dynamic rule is installed when my first packet is sent (setup keep-state rule), so the check-state rule is not used and the second packet is dropped. Is it possible that the network address translation and therefore my divert rule (one of the first rules in my ruleset) are disturbing the setup of dynamic rules?

Thank you,
Thomas
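The interaction the poster suspects is real: a keep-state rule records the addresses exactly as it sees them, and a divert-to-natd rule rewrites them and re-injects the packet at the next rule number. If the state entry is created on the pre-NAT outbound packet (private source) but the reply is checked against that state before the inbound divert (public destination), the reply never matches and falls through to the "deny established" rule. The following ruleset is an added example, not code from the original post or from FreeBSD itself; it shows one ordering that keeps both directions on the same side of NAT: inbound traffic on the outside interface is translated before check-state, and outbound traffic is translated after keep-state by way of skipto. The interface names tun0 and fxp0, the inside network 192.168.1.0/24 and the rule numbers are assumptions chosen for the example. The script only prints the rules unless IPFW_APPLY=1 is set, so the ordering can be inspected without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the original post): ipfw ruleset ordering for
# natd divert rules combined with check-state / keep-state.
#
# Assumed values (not taken from the post):
pif="tun0"              # outside interface (dynamic IP from the ISP)
iif="fxp0"              # inside interface
inside="192.168.1.0/24" # private network behind the firewall

# Emit the ruleset as text so it can be inspected or fed to ipfw.
# Ordering, top to bottom:
#   1. inbound divert before check-state, so a reply to a NATed session
#      carries the private destination again before any state lookup;
#   2. outbound keep-state rules create the state entry on the pre-NAT
#      packet and skipto the outbound divert; because the dynamic rule
#      remembers the "skipto 800" action, later packets of the same
#      session (in both directions) take the same path;
#   3. "deny established" then only sees TCP packets that are neither a
#      SYN nor part of a known session, which is what it is meant to drop;
#   4. outbound translation happens after the state entry exists.
emit_rules() {
    cat <<EOF
add 00010 allow ip from any to any via lo0
add 00020 deny ip from any to 127.0.0.0/8
add 00030 allow ip from any to any via ${iif}
add 00100 divert natd ip from any to any in via ${pif}
add 00101 check-state
add 00200 skipto 800 tcp from ${inside} to any out via ${pif} setup keep-state
add 00201 skipto 800 udp from ${inside} to any out via ${pif} keep-state
add 00202 skipto 800 icmp from ${inside} to any out via ${pif} keep-state
add 00300 deny log tcp from any to any established
add 00301 deny log ip from any to any in via ${pif}
add 00302 deny log ip from any to any
add 00800 divert natd ip from any to any out via ${pif}
add 00801 allow ip from any to any
EOF
}

# Sanity check on the generated text: the inbound divert must come before
# check-state, and check-state before the outbound divert.  Returns 0 when
# the ordering holds, 1 otherwise.
check_order() {
    rules=$(emit_rules)
    in_div=$(printf '%s\n' "$rules" | grep -n 'divert natd.* in via ' | cut -d: -f1)
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    out_div=$(printf '%s\n' "$rules" | grep -n 'divert natd.* out via ' | cut -d: -f1)
    [ -n "$in_div" ] && [ -n "$cs" ] && [ -n "$out_div" ] &&
        [ "$in_div" -lt "$cs" ] && [ "$cs" -lt "$out_div" ]
}

# Apply only when explicitly requested; otherwise just print the ruleset.
if [ "${IPFW_APPLY:-0}" = "1" ]; then
    check_order || { echo "rule ordering check failed, not applying" >&2; exit 1; }
    ipfw -q -f flush
    emit_rules | ipfw -q /dev/stdin
else
    emit_rules
fi
```

With the divert rule placed ahead of every keep-state rule, as in the poster's setup, the state entry is keyed on the public source address while the reply reaches check-state with the private destination, or vice versa; either way the SYN/ACK is dropped by the established rule, which is the symptom described. Running `ipfw -d show` after the outbound SYN is a quick way to confirm which addresses the dynamic rule was recorded with.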