Date: Tue, 11 Feb 2003 14:53:43 +0100
From: Georg Graf <georg-ipfw@graf.priv.at>
To: freebsd-ipfw@freebsd.org
Subject: IPFW/NATD works (Was: Re: Error in ipfw manpage for stateful rules?)
Message-ID: <20030211135343.GD29498@graf.priv.at>
References: <200301301630.19610.will@unfoldings.net>

On Fri, Jan 31, 2003 at 12:43:10AM +0000, AMAKAWA Shuhei wrote:
[...]
> > That keep-state rules do not function correctly in IPFW/NATD.
>
> not true

A proof in 3 lines that it works:

    ipfw add 20 divert natd log logamount 0 all from any to any via bge0
    ipfw add 40 allow log logamount 0 ip from 192.168.77.0/24 to any keep-state
    ipfw add 50 allow log logamount 0 ip from 137.208.120.10 to any keep-state
    . . .
    65535 deny ip from any to any

bge0 is the world (outside) interface, where natd runs on.
137.208.120.10 is the public IP of the machine.
192.168.77.0/24 is the natted LAN.
137.208.16.32 is just a host on the Internet.

The machine is completely invisible to the outside world, but provides full
connectivity for the internal LAN and itself!

Here are some snapshots of what happens within this ruleset:

ping from 192.168.77.12 to 137.208.16.32:

    /kernel: ipfw: 40 Accept ICMP:8.0 192.168.77.12 137.208.16.32 in via vlan998
    /kernel: ipfw: 20 Divert 8668 ICMP:8.0 192.168.77.12 137.208.16.32 out via bge0
    /kernel: ipfw: 50 Accept ICMP:8.0 137.208.120.10 137.208.16.32 out via bge0

(at this time: dynamic rules:)

    00040 0 0 (T 3, slot 208) <-> icmp, 192.168.77.12 0<-> 137.208.16.32 0
    00050 0 0 (T 3, slot 214) <-> icmp, 137.208.120.10 0<-> 137.208.16.32 0

reply from 137.208.16.32:

    /kernel: ipfw: 20 Divert 8668 ICMP:0.0 137.208.16.32 137.208.120.10 in via bge0
    /kernel: ipfw: 40 Accept ICMP:0.0 137.208.16.32 192.168.77.12 in via bge0
    /kernel: ipfw: 40 Accept ICMP:0.0 137.208.16.32 192.168.77.12 out via vlan998

ping from 137.208.120.10 to 137.208.16.32:

    /kernel: ipfw: 20 Divert 8668 ICMP:8.0 137.208.120.10 137.208.16.32 out via bge0
    /kernel: ipfw: 50 Accept ICMP:8.0 137.208.120.10 137.208.16.32 out via bge0

(at this time: dynamic rules:)

    ## Dynamic rules:
    00050 0 0 (T 2, slot 214) <-> icmp, 137.208.120.10 0<-> 137.208.16.32 0

reply from 137.208.16.32:

    /kernel: ipfw: 20 Divert 8668 ICMP:0.0 137.208.16.32 137.208.120.10 in via bge0
    /kernel: ipfw: 50 Accept ICMP:0.0 137.208.16.32 137.208.120.10 in via bge0

Between 20 and 40 there is space to insert accept rules for other allowed
things, like icmp or services the gateway host provides to the Internet or a
limited set of "friends" on the Internet, or for routing between more than one
private subnet.

I have to admit that this 3-line set is not the most performance-friendly way
to do it.
--
Georg Graf                  http://georg.graf.priv.at/   PGP Key ID: 0xA5232AD5
Gobergasse 43/2  A-1130 Wien                             Tel: +43 1 8796723
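The log snapshots above are easiest to follow if you walk the three rules the way ipfw does: a packet diverted to natd re-enters the ruleset at the rule after the divert, and the dynamic table is consulted once, at the first keep-state rule, with the action and rule number of the dynamic entry's parent. The model below is an added example, not code from the mail or from FreeBSD; it replays the two pings from the mail plus an unsolicited probe from the outside. It assumes a simplified natd (a masquerade table keyed on protocol, remote address and ICMP id, no port rewriting) and ignores dynamic-rule timeouts; the interface name vlan998 and the ICMP ids are taken from, or made up to match, the log lines.

```python
"""
Model of the three-rule ipfw/natd set from the mail (rules 20, 40, 50 plus the
default 65535 deny). Constructed example: it is not ipfw code, and it simplifies
natd to an address-level masquerade keyed on (proto, remote address, ICMP id).
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "137.208.120.10"          # public address of the gateway (from the mail)
LAN = ip_network("192.168.77.0/24")   # natted LAN (from the mail)
WORLD_HOST = "137.208.16.32"          # a host on the Internet (from the mail)
WORLD_IF = "bge0"                     # outside interface, natd runs here
LAN_IF = "vlan998"                    # inside interface seen in the log
NATD_PORT = 8668


@dataclass(frozen=True)
class Packet:
    proto: str      # "icmp", used for state keys
    label: str      # what ipfw logs, e.g. "ICMP:8.0" for echo request
    src: str
    dst: str
    direction: str  # "in" or "out"
    iface: str
    ident: int = 0  # ICMP echo id; natd needs it to demultiplex replies


class Natd:
    """Simplified natd: masquerade LAN sources behind PUBLIC_IP on WORLD_IF."""

    def __init__(self):
        self.table = {}  # (proto, remote, ident) -> internal address

    def translate(self, pkt):
        if pkt.direction == "out" and ip_address(pkt.src) in LAN:
            self.table[(pkt.proto, pkt.dst, pkt.ident)] = pkt.src
            return replace(pkt, src=PUBLIC_IP)
        if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
            internal = self.table.get((pkt.proto, pkt.src, pkt.ident))
            if internal is not None:
                return replace(pkt, dst=internal)
        return pkt  # nothing to translate: passed through unchanged


class Firewall:
    """Walks the ruleset the way ipfw does: implicit check-state at the first
    keep-state rule, and re-entry at the next rule after a divert."""

    def __init__(self):
        self.natd = Natd()
        self.dynamic = {}  # (proto, frozenset{addr_a, addr_b}) -> parent rule
        # (rule number, kind, source match); all rules are "from X to any"
        self.rules = [
            (20, "divert", None),                          # via bge0
            (40, "allow", LAN),                            # keep-state
            (50, "allow", ip_network(PUBLIC_IP + "/32")),  # keep-state
        ]

    @staticmethod
    def flow_key(pkt):
        # ipfw keys ICMP state on the address pair only (ports logged as 0)
        return (pkt.proto, frozenset((pkt.src, pkt.dst)))

    def check(self, pkt, start=0):
        """Return the log trace [(rule, action, packet), ...] for one pass."""
        state_checked = False
        for i in range(start, len(self.rules)):
            num, kind, src_match = self.rules[i]
            if kind == "divert":
                if pkt.iface != WORLD_IF:
                    continue
                # natd rewrites and reinjects; matching resumes at the next rule
                return [(num, f"Divert {NATD_PORT}", pkt)] + \
                    self.check(self.natd.translate(pkt), i + 1)
            if not state_checked:
                # dynamic table is consulted once, at the first keep-state rule
                state_checked = True
                parent = self.dynamic.get(self.flow_key(pkt))
                if parent is not None:
                    return [(parent, "Accept", pkt)]
            if ip_address(pkt.src) in src_match:
                self.dynamic[self.flow_key(pkt)] = num   # keep-state
                return [(num, "Accept", pkt)]
        return [(65535, "Deny", pkt)]

    def forward(self, pkt, out_iface):
        """A transit packet is checked on input and, if accepted, on output."""
        trace = self.check(pkt)
        _, action, last = trace[-1]
        if action == "Accept":
            trace += self.check(replace(last, direction="out", iface=out_iface))
        return trace


def fmt(trace):
    return [f"{n} {a} {p.label} {p.src} {p.dst} {p.direction} via {p.iface}"
            for n, a, p in trace]


def lan_ping(fw):
    """192.168.77.12 pings the world host; request, then reply."""
    req = Packet("icmp", "ICMP:8.0", "192.168.77.12", WORLD_HOST, "in", LAN_IF, 7)
    rep = Packet("icmp", "ICMP:0.0", WORLD_HOST, PUBLIC_IP, "in", WORLD_IF, 7)
    return fmt(fw.forward(req, WORLD_IF) + fw.forward(rep, LAN_IF))


def host_ping(fw):
    """The gateway itself pings the world host; locally generated, so out only."""
    req = Packet("icmp", "ICMP:8.0", PUBLIC_IP, WORLD_HOST, "out", WORLD_IF, 9)
    rep = Packet("icmp", "ICMP:0.0", WORLD_HOST, PUBLIC_IP, "in", WORLD_IF, 9)
    return fmt(fw.check(req) + fw.check(rep))


def unsolicited_probe(fw):
    """The world host pings the gateway with no prior state: hits 65535."""
    probe = Packet("icmp", "ICMP:8.0", WORLD_HOST, PUBLIC_IP, "in", WORLD_IF, 11)
    return fmt(fw.check(probe))


if __name__ == "__main__":
    for scenario in (lan_ping, host_ping, unsolicited_probe):
        print(f"--- {scenario.__name__}")
        print("\n".join(scenario(Firewall())))
```

Running it reproduces the mail's log lines for both pings, including the two dynamic entries (parents 40 and 50) after the LAN ping, and shows why the box is "invisible": a probe from outside is diverted, comes back untranslated, matches no dynamic entry and no static source, and falls through to 65535.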