From owner-freebsd-questions@FreeBSD.ORG Fri Oct 17 19:24:00 2008
Date: Fri, 17 Oct 2008 15:03:18 -0400
From: Chen Xu
To: Christer Hermansson
Cc: freebsd-questions@freebsd.org
Subject: Re: no access to web server behind ipfw
Message-ID: <20081017190318.GC22709@brandeis.edu>
In-Reply-To: <48F8DF53.9090506@chdevelopment.se>
References: <184b087c0810141105o657af770l5d0535c19fab059d@mail.gmail.com> <48F8DF53.9090506@chdevelopment.se>
Organization: Rosenstiel Center, Brandeis University, 415 South Street, Waltham, MA 02454
User-Agent: Mutt/1.5.15 (2007-04-06)

Hi Christer,

I followed the example from the handbook. Yes, it is OK to divert in and out separately. skipto is used to point to the divert out rule number when it is outbound. I ran into a problem only when using natd to redirect from the gateway to a local machine. tcpdump shows that packets in both directions actually go through fine, but only the header is there; the body was ripped off. I am looking into OpenBSD's PF right now.
It is such a simple goal to reach but seems not so easy.

-Chen

* Christer Hermansson [081017 14:54]:
> Chen Xu wrote:
> > $cmd 100 divert natd ip from any to any in via $pif
> > $cmd 101 check-state
>
> You use "in via $pif", I'm not 100% sure but I think you should only use
> "via $pif".
>
> > # Authorized inbound packets
> > $cmd 421 allow tcp from any to 192.168.1.10 80 in via $pif setup limit
> > src-addr 5
>
> I think it's bad to use stateful rules for inbound connections.
>
> --
> Christer Hermansson
> http://www.chdevelopment.se
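An added example, not a script from the thread or from the FreeBSD handbook, showing the divert-in / skipto / divert-out layout Chen describes together with the natd port redirect for the internal web server, with the inbound allow rule written stateless as Christer suggests. The interface names em0/em1, the DRY_RUN switch and the natd_conf helper are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the thread's or the handbook's own script): ipfw + natd
# with separate "divert in" and "divert out" rules and a port redirect to an
# internal web server. em0/em1 are assumed interface names.
pif="em0"            # assumed external interface
iif="em1"            # assumed LAN interface
web="192.168.1.10"   # internal web server, as in the thread

# Load one rule, or print it when DRY_RUN is set (review without ipfw).
cmd() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else ipfw -q add "$@"; fi
}

# natd needs the matching redirect (e.g. in /etc/natd.conf); this prints it.
natd_conf() {
    printf 'redirect_port tcp %s:80 80\n' "$web"
}

load_ruleset() {
    cmd 100 allow ip from any to any via lo0
    # Inbound packets on the external interface are translated first, so
    # every later rule already sees the internal address as destination.
    cmd 101 divert natd ip from any to any in via "$pif"
    cmd 102 check-state
    # LAN traffic is trusted; it is only filtered when it leaves via $pif.
    cmd 110 allow ip from any to any via "$iif"
    # LAN-originated sessions: create a dynamic rule whose action is
    # "skipto 500", so both directions still pass the divert out rule.
    cmd 201 skipto 500 tcp from any to any out via "$pif" setup keep-state
    cmd 202 skipto 500 udp from any to any out via "$pif" keep-state
    # Inbound web traffic, matched after translation. Kept stateless, as the
    # reply suggests: an "allow ... limit" rule would create a dynamic rule
    # whose action is "allow", and the server's replies would then be accepted
    # at check-state without ever reaching the divert out rule at 500.
    cmd 421 allow tcp from any to "$web" 80 in via "$pif"
    cmd 422 skipto 500 tcp from "$web" 80 to any out via "$pif"
    cmd 499 deny log ip from any to any
    # Outbound packets are translated (and redirects reversed) on the way out.
    cmd 500 divert natd ip from any to any out via "$pif"
    cmd 510 allow ip from any to any
}
```

Run with `DRY_RUN=1 load_ruleset` to print the rules for review, or without it on the gateway to load them.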