From owner-freebsd-ipfw  Sat Aug  3 18:17: 3 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8215937B400; Sat,  3 Aug 2002 18:17:01 -0700 (PDT)
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83])
	by mx1.FreeBSD.org (Postfix) with ESMTP
	id 9D59B43E3B; Sat,  3 Aug 2002 18:17:00 -0700 (PDT)
	(envelope-from nick@rogness.net)
Received: from localhost (nick@localhost)
	by cody.jharris.com (8.11.1/8.9.3) with ESMTP id g741rBf28592;
	Sat, 3 Aug 2002 20:53:11 -0500 (CDT)
	(envelope-from nick@rogness.net)
Date: Sat, 3 Aug 2002 20:53:10 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
X-Sender: nick@cody.jharris.com
To: cjclark@alum.mit.edu
Cc: Joe & Fhe Barbish <barbish@a1poweruser.com>,
	FBIPFW <freebsd-ipfw@FreeBSD.ORG>, archie@whistle.com,
	cmott@scientech.com, perhaps@yes.no, suutari@iki.fi,
	dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.ORG,
	rizzo@icir.org
Subject: Re: natd & keep-state
In-Reply-To: <20020803212854.GA55652@blossom.cjclark.org>
Message-ID: <Pine.BSF.4.21.0208032039350.28420-100000@cody.jharris.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

On Sat, 3 Aug 2002, Crist J. Clark wrote:

[SNIP]
> Fine, whatever. But the ipfw(8) and natd(8) developers seem to hold
> the same opinion. Maybe if you proposed some possible way for natd(8)
> and 'keep-state' rules to work well together someone could do it.

	FWIW, you can modify the behavior of "check-state" to "JUMP TO
	RULE NUMBER XXX on stateful match" and solve most of the problems
	associated with natd & stateful inspection.  Right now,
	if check-state finds a match it stops...we need it to optionally
	JUMP_TO RULE XXX.  Kinda like "skipto" functionality.

	I talked to Luigi about this and he didn't understand what I 
	meant (which is my fault).  But I believe the concept is still
	sound.


Nick Rogness <nick@rogness.net>
 - Don't mind me...I'm just sniffing your packets



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message