From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: "Michael J. Turner"
Cc: greg@nova.fqdn.com, freebsd-questions@FreeBSD.ORG, greg@fqdn.com
Date: Thu, 22 Feb 2001 08:12:56 -0800
Subject: Re: NAT and keep-state issue.
Message-ID: <20010222081256.I89396@rfx-216-196-73-168.users.reflex>
References: <200102212004.PAA42475@nova.fqdn.com> <20010222001834.D89396@rfx-216-196-73-168.users.reflex> <005701c09cc6$8c057740$0204a8c0@daimon>
In-Reply-To: <005701c09cc6$8c057740$0204a8c0@daimon>; from mike@inethouston.net on Thu, Feb 22, 2001 at 05:56:51AM -0600

On Thu, Feb 22, 2001 at 05:56:51AM -0600, Michael J. Turner wrote:
> I am having the same problem with natd and ipfw, the fact that you have
> to "allow all from any to any" for nat to work is ridiculous,

Yes, it would. Fortunately, it is not the case.

> also the dynamic rules factory. Anyhow the only way I think I can solve
> the problem is to move ipnat and ipf.

My natd(8) and dynamic rules work fine.
Excerpts from the firewall rules:

  10000 divert 8668 ip from any to any via ${oif}
  10100 check-state
  10200 allow tcp from ${oip} to any keep-state out xmit ${oif}
  20000 deny udp from any 137-138 to ${obc} 137-138 in recv ${oif}
  20100 allow udp from ${oip} to any keep-state out xmit ${oif}
  20200 allow icmp from ${oip} to any keep-state out xmit ${oif}
  20300 allow ip from ${oip} to any keep-state out xmit ${oif}
  20400 allow icmp from any to any icmptype 0,3,11
  20500 allow ip from ${inet} to ${iip} in recv ${iif}
  20600 allow ip from ${iip} to ${inet} out xmit ${iif}
  20700 allow ip from ${inet} to any keep-state in recv ${iif}

For example, I just pinged freebsd.org from a machine on the internal net:

  ## Dynamic rules:
  20700 9 756 (T 56, # 12) ty 0 icmp, 192.168.AAA.30 0 <-> 216.136.204.18 0
  20200 3 252 (T 56, # 186) ty 0 icmp, BBB.CCC.DDD.EEE 0 <-> 216.136.204.18 0

-- 
Crist J. Clark                                cjclark@alum.mit.edu
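Added here as an illustration, not part of the original post: a small Python model of the pass order the ruleset above relies on (divert to natd before check-state, keep-state on the outbound ${oip} rules and on the inbound ${inet} rule), which replays the ping and shows why "ipfw -d show" ends up with two dynamic rules, one for the private address and one for the translated public address. The addresses, interface names and the natd/ipfw behaviour are constructed for the model (it tracks addresses only, so the protocol-specific rules 20000 and 20400 are left out).

```python
import ipaddress

OIP, OIF, IIF = "203.0.113.5", "oif", "iif"          # constructed ${oip}/${oif}/${iif}
INET = ipaddress.ip_network("192.168.0.0/24")        # constructed ${inet}
NAT = {}       # natd table (model): remote peer -> internal host it is talking to
STATE = set()  # dynamic rules: frozenset({src, dst}); real ipfw also keys on proto/ports

def natd(pkt, direction):
    """Model of rule 10000: rewrite outbound src to ${oip}, inbound dst back."""
    src, dst = pkt
    if direction == "out" and ipaddress.ip_address(src) in INET:
        NAT[dst] = src
        return (OIP, dst)
    if direction == "in" and dst == OIP and src in NAT:
        return (src, NAT[src])
    return pkt               # no translation entry: packet passes through unchanged

def firewall(pkt, iface, direction):
    """One pass through the posted rules (rules 20000/20400 omitted, see lead-in)."""
    if iface == OIF:                         # 10000 divert ... via ${oif}
        pkt = natd(pkt, direction)
    src, dst = pkt
    if frozenset(pkt) in STATE:              # 10100 check-state
        return "allow", pkt
    if src == OIP and iface == OIF and direction == "out":   # 10200..20300 keep-state
        STATE.add(frozenset(pkt))
        return "allow", pkt
    if ipaddress.ip_address(src) in INET and iface == IIF and direction == "in":
        STATE.add(frozenset(pkt))            # 20700 keep-state in recv ${iif}
        return "allow", pkt
    return "deny", pkt                       # nothing matched: default deny

def ping(host, remote):
    """Outbound echo request: enters on ${iif}, then leaves on ${oif}."""
    v1, pkt = firewall((host, remote), IIF, "in")
    v2, pkt = firewall(pkt, OIF, "out")
    return v1, v2, pkt

def scenario():
    """Replay the poster's ping, then try an unsolicited inbound packet."""
    host, remote, stranger = "192.168.0.30", "216.136.204.18", "198.51.100.9"
    out = ping(host, remote)
    reply_in, pkt = firewall((remote, OIP), OIF, "in")    # reply arrives, natd untranslates
    reply_fwd, _ = firewall(pkt, IIF, "out")              # forwarded onto the LAN
    unsolicited, _ = firewall((stranger, OIP), OIF, "in")
    return {"out": out, "reply": (reply_in, reply_fwd), "unsolicited": unsolicited,
            "dynamic": sorted(tuple(sorted(s)) for s in STATE)}

if __name__ == "__main__":
    print(scenario())
```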