From owner-freebsd-stable Mon Jul 24 7:43:32 2000 Delivered-To: freebsd-stable@freebsd.org Received: from info.iet.unipi.it (info.iet.unipi.it [131.114.9.184]) by hub.freebsd.org (Postfix) with ESMTP id E47F137B719 for ; Mon, 24 Jul 2000 07:43:20 -0700 (PDT) (envelope-from luigi@info.iet.unipi.it) Received: (from luigi@localhost) by info.iet.unipi.it (8.9.3/8.9.3) id QAA74794; Mon, 24 Jul 2000 16:43:54 +0200 (CEST) (envelope-from luigi) From: Luigi Rizzo Message-Id: <200007241443.QAA74794@info.iet.unipi.it> Subject: Re: divert + keep-state In-Reply-To: from "noor@comrax.com" at "Jul 23, 2000 01:24:48 am" To: noor@comrax.com Date: Mon, 24 Jul 2000 16:43:54 +0200 (CEST) Cc: freebsd-stable@FreeBSD.ORG X-Mailer: ELM [version 2.4ME+ PL61 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Hi, you should only use 'keep-state' with "setup" TCP packets, and with UDP. Yes you can have a bit more security but setting up the firewall is a bit trickier. cheers luigi > Hi all, > > I have a FreeBSD box with two NIC's that I use to link our internal > network to the outside network. I use ipfw+natd to do this. The following > is the divert rule: > > add divert 8668 ip from any to any via xl1 > > xl1 is the outer NIC. My question is: can I do the following: > > add check-state > add divert 8668 ip from any to any via xl1 keep-state > > I am trying to keep-state for diverted packets. Is this a better secured > way to divert packets (if it works really), or the first should do it? > > Thanks, > Noor > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message