Date: Wed, 19 Dec 2001 23:09:51 -0500
From: "Crist J. Clark"
To: slack@suntop-cn.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: about ipfw
Message-ID: <20011219230951.A1664@gohan.cjclark.org>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <3C201B38.28785.6DBD8F@localhost>; from slack@suntop-cn.com on Wed, Dec 19, 2001 at 04:44:40AM +0800
X-URL: http://people.freebsd.org/~cjc/

On Wed, Dec 19, 2001 at 04:44:40AM +0800, slack@suntop-cn.com wrote:
> 1. Can ipfw do TCP keep-state?

Yep.

> 2. How does keep-state combine with "via interface"?
> 3. These ipfw rules don't work: why?
> ipfw add pass all from any to any via lo

You mean 'lo0'.
> ipfw add pass all from any to any via ${iif}
> ipfw add divert natd all from any to any via ${oif}
> # Allow TCP through if setup succeeded
> ipfw add check-state
> ${fwcmd} add deny tcp from any to any established

As for why your outgoing TCP doesn't work, imagine an outgoing SYN,

  priv_address -> remote

going from an internal machine, priv_address, to a remote machine on the Internet, remote. It goes through natd(8),

  pub_address -> remote

and then finally passes the keep-state rule, which creates a dynamic rule for

  pub_address -> remote

(The state also includes the ports, but that is not important for this example.) The remote machine responds,

  remote -> pub_address

The packet goes through natd(8),

  remote -> priv_address

It gets to the check-state rule, _and this packet does not match any,_ so the packet falls on down to the next rule, which it matches, and it is dropped.

-- 
"It's always funny until someone gets hurt. Then it's hilarious."
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
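The packet walk in the reply above, as an added simulation that is not part of the original thread and not ipfw or natd code. It models only what the reply describes: a single pass over the external interface in the posted rule order (divert natd, check-state, the keep-state rule the reply says the SYN passes, then deny established). The keep-state rule is assumed to be a TCP setup rule since the quoted excerpt does not show it; the addresses, ports and interface name are constructed stand-ins for priv_address, pub_address, remote and ${oif}.

```python
"""Model of the ipfw/natd packet walk from the reply (constructed example).

Rules are evaluated in the order the post lists them.  'divert natd'
rewrites addresses, 'check-state' consults the dynamic table, the assumed
'allow tcp from any to any setup keep-state' rule adds to it, and anything
left over falls into 'deny tcp from any to any established'.
"""
from dataclasses import dataclass, replace

# Constructed addresses (RFC 5737 documentation ranges) standing in for the
# reply's priv_address, pub_address and remote.
PRIV_ADDRESS = "10.0.0.5"
PUB_ADDRESS = "192.0.2.1"
REMOTE = "198.51.100.7"
OIF = "ed0"  # assumed external interface name, the post's ${oif}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


def natd(pkt: Packet) -> Packet:
    """Model natd(8) on ${oif}: private -> public on the way out,
    public -> private on the way back in."""
    if pkt.src == PRIV_ADDRESS:
        return replace(pkt, src=PUB_ADDRESS)
    if pkt.dst == PUB_ADDRESS:
        return replace(pkt, dst=PRIV_ADDRESS)
    return pkt


class StateTable:
    """Dynamic rules created by keep-state.  A recorded flow matches
    packets in either direction, as ipfw dynamic rules do."""

    def __init__(self) -> None:
        self.flows = set()

    def add(self, pkt: Packet) -> None:
        self.flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))

    def matches(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        rev = (pkt.dst, pkt.src, pkt.dport, pkt.sport)
        return fwd in self.flows or rev in self.flows


def walk(pkt: Packet, state: StateTable, trace: list) -> str:
    """Run one packet through the posted rule order on ${oif} and return
    the verdict ('pass' or 'deny'), appending each step to trace."""
    pkt = natd(pkt)  # divert natd all from any to any via ${oif}
    trace.append(f"after natd: {pkt.src} -> {pkt.dst}")
    if state.matches(pkt):  # check-state
        trace.append("check-state: dynamic rule matched, pass")
        return "pass"
    trace.append("check-state: no dynamic rule matches")
    if pkt.syn and not pkt.ack:  # assumed: allow tcp ... setup keep-state
        state.add(pkt)
        trace.append(f"keep-state: pass, dynamic rule for {pkt.src} -> {pkt.dst}")
        return "pass"
    trace.append("deny tcp from any to any established: drop")  # ${fwcmd} add deny ...
    return "deny"


def tcp_handshake():
    """Walk the outgoing SYN and the returning SYN/ACK of one connection.

    Returns (verdict for the SYN, whether the untranslated SYN/ACK would
    have matched the dynamic rule, verdict for the SYN/ACK, trace)."""
    state = StateTable()
    trace = []
    syn = Packet(PRIV_ADDRESS, REMOTE, 49152, 80, syn=True, ack=False)
    out_verdict = walk(syn, state, trace)

    synack = Packet(REMOTE, PUB_ADDRESS, 80, 49152, syn=True, ack=True)
    # The reply's point: the state is keyed on pub_address, so the reply
    # packet matches it only *before* natd turns pub_address back into
    # priv_address.  By the time check-state sees it, it no longer matches.
    matched_before_nat = state.matches(synack)
    in_verdict = walk(synack, state, trace)
    return out_verdict, matched_before_nat, in_verdict, trace


if __name__ == "__main__":
    out_v, before, in_v, steps = tcp_handshake()
    for step in steps:
        print(step)
    print(f"SYN: {out_v}; SYN/ACK matched state before natd: {before}; SYN/ACK: {in_v}")
```

Running it prints the same sequence the reply narrates: the SYN leaves as pub_address -> remote and creates state, the SYN/ACK is rewritten to remote -> priv_address before check-state sees it, finds no dynamic rule, and is dropped by the established rule.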