From owner-freebsd-questions@FreeBSD.ORG Thu Feb 26 05:57:06 2004
From: "JJB" <Barbish3@adelphia.net>
To: "Mihai Marie", freebsd-questions@freebsd.org
Date: Thu, 26 Feb 2004 08:57:05 -0500
Subject: RE: stateful firewall
In-Reply-To: <004f01c3fc40$3a9dea40$37726050@mihai>
Reply-To: Barbish3@adelphia.net
List-Id: User questions
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)

You have run into the IPFW legacy divert/NATed subroutine bug. IPFW stateful rules and divert/NAT do not work together. IPFW stateful rules only work in a non-NATed environment. You need to use IPFILTER/IPNAT, the other firewall software application which is built into FBSD. The FBSD handbook does not even tell you that FBSD has more than one firewall. Smart move to want a stateful firewall; they provide the max in protection.
See:
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1
http://coombs.anu.edu.au/~avalon/ip-filter.html

For the FAQ, see http://www.phildev.net/ipf/index.html

I use ipfilter and do exactly what you want. If you want a copy of my rules, let me know.

As of July 2003 the OpenBSD firewall software application named PF was ported to FBSD. It's scheduled to become the third firewall software application delivered with the FBSD install with the next stable production release. You can find it in the FBSD ports collection here:
http://www.freebsd.org/cgi/ports.cgi?query=pf&stype=all&release=4.9-STABLE%2Fi386

More info can be found here: http://pf4freebsd.love2party.net/index.html

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Mihai Marie
Sent: Thursday, February 26, 2004 3:12 AM
To: freebsd-questions@freebsd.org
Subject: stateful firewall

Hello,

I want to set up a firewall (on my LAN's gateway) so that the only traffic that passes through is the traffic initiated from my local network (we have public IPs). My firewall looks like this:

    # match packets against existing dynamic (keep-state) entries first
    ipfw add check-state
    # drop anything else that claims to be part of an existing TCP session
    ipfw add deny tcp from any to any established
    # only LAN-initiated TCP sessions (SYN) may open a new dynamic entry
    ipfw add allow tcp from $my_lan to any setup keep-state

The problems appear when I want to do some FTP traffic with a server that is outside (or any other traffic that tries to open a new, separate connection in relation to the one initiated from our LAN). With iptables (in Red Hat) you can do:

    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

but I don't know how I can do something like this using ipfw or another firewall on FreeBSD.

Any help would be appreciated,
Mihai Marie

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
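The following pf.conf is an added example, not the rules of either poster, showing how the "LAN-initiated only, plus the FTP data connections" policy of the original question is expressed with PF, the third FreeBSD firewall JJB mentions. It assumes a FreeBSD release later than the thread, where pf and ftp-proxy(8) ship in the base system and ftp-proxy is enabled in rc.conf (ftpproxy_enable="YES"); the interface names fxp0 (outside) and fxp1 (LAN) and the address block 192.0.2.0/24, standing in for the poster's public range, are assumptions as well.

```conf
# pf.conf (added example): gateway that only passes traffic the LAN starts,
# with ftp-proxy(8) taking care of the FTP data connections.
# Assumed names: fxp0 = outside, fxp1 = LAN, 192.0.2.0/24 = the LAN block.
ext_if = "fxp0"
int_if = "fxp1"
lan    = "192.0.2.0/24"

set skip on lo0

# ftp-proxy(8) must be running. Control connections from the LAN to port 21
# are redirected to it, and for each FTP session it inserts the rules that
# let that session's data connection through into the anchors below. This is
# the pf equivalent of what iptables' RELATED state gives you for FTP.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan to any port 21 -> 127.0.0.1 port 8021

# Default deny in both directions: nothing unsolicited gets in from outside.
block log all

# Rules ftp-proxy adds at runtime are evaluated here.
anchor "ftp-proxy/*"

# LAN-initiated connections: state is created on the first SYN only
# (flags S/SA), so replies pass via the state table and no "established"
# flag check is needed anywhere.
pass in  on $int_if proto tcp          from $lan to any flags S/SA keep state
pass in  on $int_if proto { udp icmp } from $lan to any keep state
pass out on $ext_if proto tcp          from $lan to any flags S/SA keep state
pass out on $ext_if proto { udp icmp } from $lan to any keep state

# The proxy's own control connection from the gateway to the remote server.
pass out on $ext_if proto tcp to any port 21 flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` and watch the per-session entries appear with `pfctl -a 'ftp-proxy/*' -sr` while a LAN host runs an FTP transfer. The caveat a practitioner should keep in mind: pf has no generic "related" notion like the iptables conntrack helpers; each protocol that opens secondary connections needs its own proxy (ftp-proxy, tftp-proxy), and anything else that spawns a separate inbound connection is still blocked by `block all`.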