Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 30 Jul 2002 02:32:14 +0400
From:      boris karlov <borman@blank.spb.ru>
To:        Philip Reynolds <philip.reynolds@rfc-networks.ie>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: 4.6-RELEASE / NATD + IPFW + keep-state
Message-ID:  <20020729223214.GB1488@xy.blank.spb.ru>
In-Reply-To: <20020729144758.A11849@rfc-networks.ie>
References:  <20020729144758.A11849@rfc-networks.ie>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Mon, 29 Jul 2002 14:47:58 +0000, Philip Reynolds <philip.reynolds@rfc-networks.ie> wrote:
> 
>     divert 8668 ip from any to any

-- mb, divert 8668 ip from any to any via xl0?

>     check-state
>     allow ip from 10.0.1.0/24 to 10.0.1.0/24 via xl1
>     allow tcp from any to not 10.0.1.0/24 22 keep-state setup
>     deny ip from any to any
> 
> Once a connection is made to the machine, ``ipfw -d list'' brings up
> the following in it's dynamic ruleset.
> 
> 00100 11 726 (T 19, slot 137) <-> tcp, 10.0.0.1 3245<-> 10.0.0.10 22
> 00100 33 3958 (T 299, slot 179) <-> tcp, 10.0.1.2 3245<-> 10.0.0.10 22

-- IMHO: these packets are processed twice by ipfw(8) as for packets
routed by the host (acting as a gateway) (see ipfw(8), `IMPLEMENTATION NOTES'
section). you should alias only outgoing packets before next hop forwarding
but not incoming ones after reception on an IP interface (see divert(4),
`READING PACKETS' section).

> 
> 
> Is what's happening OK? Is there a different way I could order/write
> the ruleset to have some "normal" stateful connections.
> i.e.
> 
> Packet comes in on inside interface.
> Packet matches access rule with keep-state option and gets added to
> dynamic ruleset
> Packet NAT'd

-- it seems you forgot `Packet comes out from outside interface and gets
NATed too' here.

> 
> Packet comes in on outside interface
> Packet gets NAT'd
> Packet matches check-state rule 
> 

regards,
boris karlov.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020729223214.GB1488>