From: "Aaron D. Gifford"
To: freebsd-net@freebsd.org
Cc: drwilco@drwilco.net
Subject: Re: Bug in stateful code?
Date: Fri, 15 Feb 2002 16:03:16 -0700
Message-Id: <20020215230316.B0CB52159D@ns1.infowest.com>

"Rogier R. Mulhuijzen" (drwilco@drwilco.net) was heard to say:

>>>the reply was that keep-state and natd are very hard to use
>>>together, and besides it is rather useless because natd is stateful
>>>by itself.
>>natd is stateful, but provides no protection for inbound IP traffic
>>that is destined for the filtering host itself.
>
>I have personally looked at natd & stateful ipfw rules, and have concluded
>that it is logically impossible to get it to work.
>
>Thus I made an ipfw rulelist that utilizes the statefulness of natd. I hope
>this helps you in making your own rulelist.
>

Actually you CAN use both together, but there's really no reason to do so.
One would be duplicating things, since NAT is effectively a stateful filter
of sorts. One just has to think things through very carefully, following the
flow of packets through the ruleset.

My own ruleset I use at home shares some similarities with your set, Rogier.
For NAT traffic, I don't use stateful rules -- I let NAT track the state, but
for traffic to/from my gateway host, I still use stateful rules.

But, the way my ruleset is written, I could drop stateful rules in for the
NAT traffic without a hitch. But it would be wasted duplication of effort for
the most part.

Aaron out.
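The split Aaron describes (natd tracks forwarded LAN traffic, keep-state only for the gateway host's own sessions) written out as an added example ipfw ruleset; it is not his actual rules, which the mail does not include, and the interface names xl0/xl1 and the 192.168.1.0/24 prefix are assumed placeholders.

```shell
#!/bin/sh
# Added example, not Aaron's ruleset: an ipfw set in the style he describes.
# Forwarded LAN traffic is tracked by natd alone; keep-state is used only for
# the gateway host's own sessions, whose addresses natd never rewrites, so the
# dynamic rules never face the pre-/post-translation address mismatch.
# Packet flow: inbound on $oif hits the divert first, so natd de-translates
# replies to LAN hosts before filtering; LAN packets leaving via $oif are
# diverted after being allowed in on $iif, and re-enter at rule 420 with the
# gateway's address as source. Interface names and LAN prefix are placeholders.
oif="${OIF:-xl0}"               # outside interface (assumed)
iif="${IIF:-xl1}"               # LAN-facing interface (assumed)
lan="${LAN:-192.168.1.0/24}"    # LAN prefix hidden behind natd (assumed)

# Emit "number body" lines; kept apart from ipfw so the set can be reviewed.
natd_rules() {
    cat <<EOF
100 allow ip from any to any via lo0
200 divert natd ip from any to any in via $oif
300 check-state
310 allow tcp from me to any out setup keep-state
320 allow udp from me to any out keep-state
330 allow icmp from me to any out keep-state
400 allow ip from $lan to any in via $iif
410 divert natd ip from $lan to any out via $oif
420 allow ip from me to any out via $oif
430 allow ip from any to $lan in via $oif
440 allow ip from any to $lan out via $iif
65000 deny log ip from any to any
EOF
}

# Load the set. FWCMD="echo ipfw" gives a dry run that only prints commands.
apply_rules() {
    fw="${FWCMD:-ipfw}"
    $fw -f flush
    natd_rules | while read -r num body; do
        $fw add "$num" $body
    done
}

# Invariant worth checking before loading: no keep-state rule names a LAN
# address, i.e. nothing stateful is applied to traffic natd will rewrite.
stateful_rules_avoid_lan() {
    ! natd_rules | grep keep-state | grep -q "$lan"
}

if [ "${1:-}" = apply ]; then apply_rules; fi
```

Run with `FWCMD="echo ipfw" sh ruleset.sh apply` to see the commands without touching the live firewall.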