From: Nick Sayer <nsayer@kfu.com>
To: freebsd-questions@freebsd.org
Date: Sat, 8 Sep 2001 17:56:00 -0700 (PDT)
Subject: ipfw dynamic rules and natd conflict

I am setting up a stateful firewall with NAT for a friend and ran across a
problem with DNS. I have the traditional rule 50 diverting all of the traffic
into natd. Later on, I have this:

    check-state
    pass udp from any to any out xmit ${oif} keep-state
    pass ip from any to any out xmit ${oif}

The problem is that the dynamic rules end up with post-NAT addressing, because
the packets have already gone through NAT on their way out, but the responses
come back in... again _post_ NAT, which means they have _inside_ addresses and
thus fail the filter.

For the life of me, I don't see a solution. You can't create a dynamic rule
except by passing the packet, and if you pass it you can't then translate it.
Does anyone have a good solution for this?
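The ordering problem described in the post is real, and the usual way around it is to split the single "rule 50" divert into two: an inbound divert placed before check-state, and an outbound divert placed after the keep-state rules, reached by skipto. Outbound packets then create their dynamic rule while they still carry the inside source address, and inbound replies are translated back to that inside address before the dynamic table is consulted. The script below is an added example, not the poster's ruleset or anything from the FreeBSD tree; the interface names (xl0 outside, xl1 inside), the rule numbers and the assumption that natd is already running on the outside interface on the default divert port are all mine. It also shows the one caveat this layout carries: a dynamic rule inherits its parent's action, so replies matched by check-state are "skipto"ed into the NAT block as well, and the rule after the outbound divert must therefore be an unconditional allow.

```shell
#!/bin/sh
# Added example (not the poster's ruleset): ipfw + natd ordering that keeps
# dynamic rules keyed on INSIDE addresses.
#
# Assumptions (mine, not from the original post): the outside interface is
# xl0, the inside interface is xl1, natd is already running on the outside
# interface (e.g. "natd -interface xl0") and listens on the default divert
# port named "natd" (8668) in /etc/services.
#
# Packet paths with this ordering:
#   inbound  on $oif: divert natd -> check-state
#            (the reply is translated back to the inside address before the
#            dynamic table is consulted, so it matches)
#   outbound on $oif: keep-state -> skipto <outbound divert> -> allow
#            (the dynamic rule is created while the packet still has its
#            inside source address; translation happens afterwards)
# A dynamic rule inherits the parent's "skipto" action, so a matching inbound
# reply also jumps into the NAT block; the "out" divert there does not match
# it and the unconditional allow after it passes it.

oif="${OIF:-xl0}"   # outside (NATed) interface
iif="${IIF:-xl1}"   # inside interface
nat_rule=1000       # rule number of the outbound divert; keep-state rules skipto it

# emit_rules CMD -- runs CMD once per rule. CMD="/sbin/ipfw" loads the set,
# CMD="echo /sbin/ipfw" prints it (dry run). $fw is deliberately unquoted so
# that a multi-word CMD is split.
emit_rules() {
    fw="$1"

    $fw -f flush

    # Loopback and LAN-side traffic never goes through natd or the dynamic table.
    $fw add 100 allow ip from any to any via lo0
    $fw add 110 allow ip from any to any via "$iif"

    # INBOUND on the outside interface: translate first, then match state.
    # natd reinjects the packet at the rule after the divert (210), and by
    # then it carries the inside destination address held in the dynamic rule.
    $fw add 200 divert natd ip from any to any in via "$oif"
    $fw add 210 check-state

    # OUTBOUND on the outside interface: record state on the pre-NAT packet,
    # then jump to the NAT block. udp/53 is the DNS case from the post;
    # "setup" restricts TCP state creation to the initial SYN.
    $fw add 300 skipto $nat_rule udp from any to any 53 out via "$oif" keep-state
    $fw add 310 skipto $nat_rule udp from any to any out via "$oif" keep-state
    $fw add 320 skipto $nat_rule tcp from any to any out via "$oif" setup keep-state
    $fw add 330 skipto $nat_rule icmp from any to any out via "$oif" keep-state

    # Anything else on the outside interface (unsolicited inbound, or outbound
    # that created no state) is dropped here; NAT traffic has already skipped past.
    $fw add 900 deny log ip from any to any via "$oif"

    # NAT block: translate outbound packets, then allow. Inbound replies that
    # arrived here via check-state's skipto miss the "out" divert and are
    # passed by 1010, which must stay unconditional.
    $fw add $nat_rule divert natd ip from any to any out via "$oif"
    $fw add 1010 allow ip from any to any

    $fw add 65000 deny log ip from any to any
}

# Dry run by default; pass "/sbin/ipfw" as the first argument to load the rules.
emit_rules "${1:-echo /sbin/ipfw}"
```

After loading, "ipfw -d list" shows the dynamic entries; with this ordering they carry the inside host's address and port, and a DNS reply coming back through the inbound divert matches them at rule 210.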