Date: Wed, 19 Dec 2001 23:09:51 -0500
From: "Crist J. Clark" <cristjc@earthlink.net>
To: slack@suntop-cn.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: about ipfw
Message-ID: <20011219230951.A1664@gohan.cjclark.org>
In-Reply-To: <3C201B38.28785.6DBD8F@localhost>; from slack@suntop-cn.com on Wed, Dec 19, 2001 at 04:44:40AM +0800
References: <3C201B38.28785.6DBD8F@localhost>
On Wed, Dec 19, 2001 at 04:44:40AM +0800, slack@suntop-cn.com wrote:
> 1. can ipfw do a TCP keep-state ?

Yep.

> 2. how keep-state combine with "via interface" ?
> 3. this ipfw rules don't work: why ?
> ipfw add pass all any to any via lo

You mean 'lo0'.

> ipfw add pass all any to any via ${iif}
> ipfw add divert natd all from any to any via ${oif}
> # Allow TCP through if setup succeeded
> ipfw add check-state
> ${fwcmd} add deny tcp from any to any established

As for why your outgoing TCP doesn't work, imagine an outgoing SYN,

  priv_address -> remote

Going from an internal machine, priv_address, to a remote machine on
the Internet, remote. It goes through natd(8),

  pub_address -> remote

And then finally passes the keep-state rule, which creates a dynamic
rule for,

  pub_address -> remote

(The state also includes the ports, but is not important for this
example). The remote machine responds,

  remote -> pub_address

The packet goes through natd(8),

  remote -> priv_address

It gets to the check-state rule, _and this packet does not match any,_
so the packet falls on down to the next rule which it matches and it is
dropped.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
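The packet walk in the reply above, as an added example that is not part of the original thread and not ipfw or natd code: a small Python model of ipfw rule evaluation that pushes one TCP handshake through the quoted ruleset and through a reordered one. The model covers only what the thread touches (via / in / out, setup, established, check-state, keep-state, divert natd, skipto, pass, deny); ports are not translated, a keep-state rule's implicit check-state is not modelled, and every address, port and interface name is constructed. The quoted ruleset is completed with the "pass tcp from any to any setup keep-state" rule the reply says the SYN finally reaches (its exact form is an assumption). The reordered ruleset is one common arrangement, not something from the thread: translate inbound traffic before check-state, so the dynamic rule and the reply are compared in private-address space, and use skipto so the outbound packet is still handed to natd after keep-state has fired (pass would end evaluation before the divert). It also restricts the keep-state rule to "out via ${oif}", since a bare "from any to any setup keep-state" would open state for inbound SYNs as well.

```python
"""Toy model of ipfw evaluation with a natd divert and dynamic rules.
Added example, not ipfw source; addresses and interfaces are constructed."""
from dataclasses import dataclass, replace

PRIV_NET = "10.0.0."        # constructed internal network
PRIV = "10.0.0.5"           # priv_address in the thread
PUB = "203.0.113.1"         # pub_address, the natd alias address
REMOTE = "198.51.100.7"     # remote
IIF, OIF = "fxp0", "fxp1"   # ${iif} and ${oif}


@dataclass
class Packet:
    src: str; sport: int; dst: str; dport: int
    iface: str; direction: str          # "in" or "out" on iface
    syn: bool = False; ack: bool = False


@dataclass
class Rule:
    num: int; action: str               # pass|deny|divert|check-state|skipto
    target: int = 0                     # skipto destination
    iface: str = None; direction: str = None
    setup: bool = False; established: bool = False; keep_state: bool = False


class Natd:
    """Address-only natd: a private source leaving on OIF becomes PUB and
    (remote, remote port, local port) is remembered to map the reply back."""
    def __init__(self):
        self.table = {}

    def divert(self, p):
        if p.direction == "out" and p.src.startswith(PRIV_NET):
            self.table[(p.dst, p.dport, p.sport)] = p.src
            return replace(p, src=PUB)
        if p.direction == "in" and p.dst == PUB:
            priv = self.table.get((p.src, p.sport, p.dport))
            if priv:
                return replace(p, dst=priv)
        return p


def flow_key(p):
    # Built from the addresses the packet carries *at this rule*; that is
    # exactly why a post-NAT dynamic rule never matches a translated reply.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def matches(r, p):
    if r.iface and r.iface != p.iface: return False
    if r.direction and r.direction != p.direction: return False
    if r.setup and not (p.syn and not p.ack): return False
    if r.established and not p.ack: return False
    return True


def run(rules, p, natd, state, trace):
    """Evaluate one packet; returns (verdict, packet as it leaves ipfw)."""
    i = 0
    while i < len(rules):
        r = rules[i]
        if r.action == "check-state":
            parent = state.get(flow_key(p))
            if parent is None:
                i += 1; continue
            trace.append(f"{r.num} check-state hit, acting as rule {parent.num}")
            r = parent                  # dynamic rule inherits parent action
        elif not matches(r, p):
            i += 1; continue
        if r.keep_state:
            state[flow_key(p)] = r
        if r.action == "divert":
            p = natd.divert(p)
            trace.append(f"{r.num} divert natd: now {p.src} -> {p.dst}")
            i += 1
        elif r.action == "skipto":
            i = next((j for j, x in enumerate(rules) if x.num >= r.target), len(rules))
        else:
            trace.append(f"{r.num} {r.action}")
            return r.action, p
    return "deny", p                    # default rule 65535


def walk(rules):
    """Client SYN out, server SYN/ACK back; verdict per hop plus a trace."""
    natd, state, verdicts, trace = Natd(), {}, {}, []
    syn = Packet(PRIV, 40000, REMOTE, 80, IIF, "in", syn=True)
    verdicts["syn in via iif"], _ = run(rules, syn, natd, state, trace)
    verdicts["syn out via oif"], sent = run(
        rules, replace(syn, iface=OIF, direction="out"), natd, state, trace)
    # The server answers whatever source address actually left ${oif}.
    synack = Packet(sent.dst, sent.dport, sent.src, sent.sport, OIF, "in",
                    syn=True, ack=True)
    verdicts["synack in via oif"], back = run(rules, synack, natd, state, trace)
    if verdicts["synack in via oif"] == "pass":
        verdicts["synack out via iif"], _ = run(
            rules, replace(back, iface=IIF, direction="out"), natd, state, trace)
    return verdicts, trace


# Quoted ruleset plus the assumed "pass ... setup keep-state" rule after the deny.
BROKEN = [Rule(100, "pass", iface="lo0"), Rule(200, "pass", iface=IIF),
          Rule(300, "divert", iface=OIF), Rule(400, "check-state"),
          Rule(500, "deny", established=True),
          Rule(600, "pass", setup=True, keep_state=True)]

# Reordered: inbound NAT before check-state; skipto so outbound still gets NATed.
FIXED = [Rule(100, "pass", iface="lo0"), Rule(200, "pass", iface=IIF),
         Rule(300, "divert", iface=OIF, direction="in"), Rule(400, "check-state"),
         Rule(500, "deny", established=True),
         Rule(600, "skipto", target=1000, iface=OIF, direction="out",
              setup=True, keep_state=True),
         Rule(1000, "divert", iface=OIF, direction="out"), Rule(1100, "pass")]

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        verdicts, trace = walk(rules)
        print(name, verdicts, *trace, sep="\n  ")
```

Running it prints, for the quoted ruleset, the reply being translated back to 10.0.0.5 by rule 300 and then hitting "500 deny", while the reordered set shows rule 400 matching the dynamic rule and forwarding the reply out via ${iif}.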
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20011219230951.A1664>