Date: Wed, 19 Dec 2001 23:09:51 -0500
From: "Crist J. Clark" <cristjc@earthlink.net>
To: slack@suntop-cn.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: about ipfw
Message-ID: <20011219230951.A1664@gohan.cjclark.org>
In-Reply-To: <3C201B38.28785.6DBD8F@localhost>; from slack@suntop-cn.com on Wed, Dec 19, 2001 at 04:44:40AM +0800
References: <3C201B38.28785.6DBD8F@localhost>
On Wed, Dec 19, 2001 at 04:44:40AM +0800, slack@suntop-cn.com wrote:
> 1. can ipfw do a TCP keep-state ?
Yep.
> 2. how keep-state combine with "via interface" ?
> 3. this ipfw rules don't work: why ?
> ipfw add pass all any to any via lo
You mean 'lo0'.
> ipfw add pass all any to any via ${iif}
> ipfw add divert natd all from any to any via ${oif}
> # Allow TCP through if setup succeeded
> ipfw add check-state
> ${fwcmd} add deny tcp from any to any established
As for why your outgoing TCP doesn't work, imagine an outgoing SYN,

    priv_address -> remote

Going from an internal machine, priv_address, to a remote machine on
the Internet, remote. It goes through natd(8),

    pub_address -> remote

And then finally passes the keep-state rule, which creates a dynamic
rule for,

    pub_address -> remote

(The state also includes the ports, but is not important for this
example). The remote machine responds,

    remote -> pub_address

The packet goes through natd(8),

    remote -> priv_address

It gets to the check-state rule, _and this packet does not match any,_
so the packet falls on down to the next rule which it matches and it
is dropped.
--
"It's always funny until someone gets hurt. Then it's hilarious."
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
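The rule walk described in the reply, as an added example that is not part of the original message: a toy Python evaluator that emulates natd(8) address rewriting, ipfw dynamic rules and check-state, and runs the posted ordering beside an assumed fix (not from the post) that keeps state on the private side and uses skipto so the outbound packet still reaches the divert rule. Addresses, rule numbers and the rule tuples are constructed for illustration.

```python
PRIV, PUB, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"  # constructed
def natd(pkt, direction):
    """Emulate natd(8): rewrite PRIV->PUB outbound, PUB->PRIV inbound."""
    src, dst, est = pkt
    if direction == "out" and src == PRIV:
        return (PUB, dst, est)
    return (src, PRIV, est) if direction == "in" and dst == PUB else pkt

def run(rules, pkt, direction, state):
    """Walk rules (num, action, dir|None, target, keep_state) like ipfw does.
    pkt is (src, dst, established); state maps (src, dst) -> (action, target)."""
    i = 0
    while i < len(rules):
        _num, action, rdir, target, keep = rules[i]
        i += 1
        if rdir and rdir != direction:
            continue
        if action == "divert":
            pkt = natd(pkt, direction)
            continue
        if action == "check-state":
            hit = state.get(pkt[:2]) or state.get((pkt[1], pkt[0]))  # both directions
            if not hit:
                continue
            action, target = hit  # check-state acts as the creating rule did
        elif action == "deny-established" and not pkt[2]:
            continue
        if keep:
            state[pkt[:2]] = (action, target)
        if action == "skipto":
            i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
            continue
        return ("allow" if action == "allow" else "deny"), pkt
    return "deny", pkt  # default rule in this model

def tcp_round_trip(rules):
    """Send the SYN out, then the reply back in; return (verdict, packet) for the reply."""
    state = {}
    assert run(rules, (PRIV, REMOTE, False), "out", state)[0] == "allow"
    return run(rules, (REMOTE, PUB, True), "in", state)

# Order from the post: natd first, so the dynamic entry records pub_address -> remote
# while check-state later sees remote -> priv_address and never matches.
POSTED = [(100, "divert", None, None, False), (200, "check-state", None, None, False),
          (300, "allow", "out", None, True), (400, "deny-established", None, None, False)]
# Assumed fix (not from the post): keep state on the private side and use
# skipto so the outbound packet still reaches the divert rule afterwards.
PRIVATE_SIDE = [(100, "divert", "in", None, False), (200, "check-state", None, None, False),
                (300, "skipto", "out", 1000, True), (400, "deny-established", None, None, False),
                (1000, "divert", "out", None, False), (1100, "allow", None, None, False)]
```

With the posted order the reply is denied by the established rule after natd has rewritten it to the private address; with state kept on the private side the same reply matches the dynamic rule and is allowed.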
