From owner-freebsd-questions Sat Sep 8 21:23:42 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 91D0537B403 for ; Sat, 8 Sep 2001 21:23:39 -0700 (PDT)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f894NXC83594; Sat, 8 Sep 2001 23:23:33 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Sat, 8 Sep 2001 23:23:33 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Nick Sayer
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw dynamic rules and natd conflict
In-Reply-To: <1969.205.178.90.218.999996960.squirrel@medusa.kfu.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 8 Sep 2001, Nick Sayer wrote:

> I am setting up a stateful firewall with NAT for a friend and ran
> across a problem with DNS.
>
> I have the traditional rule 50 diverting all of the traffic into natd.
> Later on, I have this:
>
>     check-state
>     pass udp from any to any out xmit ${oif} keep-state
>     pass ip from any to any out xmit ${oif}
>
> The problem is that the dynamic rules end up with post-NAT addressing,
> because the packets have already gone through NAT on their way out,
> but the responses come back in... again _post_ NAT, which means they
> have _inside_ addresses and thus fail the filter.

Split your divert rules up:

    50 divert natd ip from any to any out via $oif
    check-state
    keep-state stuff
    divert natd ip from any to any in via $oif

Nick Rogness
- Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
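The ordering problem Nick Sayer describes, as an added Python model that is not from the thread: it walks a DNS query and its reply through a toy ipfw ruleset with natd divert rules and keep-state/check-state rules, and compares his single-divert layout with an assumed split layout in which the inbound divert sits before check-state and the outbound divert is reached through skipto after the keep-state rule, so dynamic rules are keyed on inside addresses. The addresses, rule numbers and the skipto detail are assumptions for the model, not the reply's exact ruleset.

```python
# Toy model of ipfw rule traversal with natd divert rules and keep-state /
# check-state dynamic rules. Addresses and rulesets are constructed here.
INSIDE, PUBLIC, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.53"

def natd(pkt):
    """Rewrite the inside address on the way out, undo it on the way in."""
    if pkt["dir"] == "out" and pkt["src"] == INSIDE:
        return dict(pkt, src=PUBLIC)
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC:
        return dict(pkt, dst=INSIDE)
    return pkt

def run(rules, pkt, state):
    """Walk one packet through rules = [(number, action, direction, arg)]; state
    maps a dynamic rule's (src, dst) to its parent action. Rulesets end in deny."""
    i = 0
    while i < len(rules):
        _, action, direction, arg = rules[i]
        i += 1
        if direction and direction != pkt["dir"]:
            continue
        key, rkey = (pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])
        if action == "divert":                 # natd reinjects at the next rule
            pkt = natd(pkt)
            continue
        if action == "check-state":            # dynamic rules match both directions
            if key not in state and rkey not in state:
                continue
            action, arg = state.get(key) or state[rkey]
        elif action == "keep-state":           # record the flow, do the parent action
            state[key] = arg
            action, arg = arg
        if action == "skipto":                 # resume at the first rule numbered >= arg
            i = next(j for j, r in enumerate(rules) if r[0] >= arg)
            continue
        return action, pkt                     # pass or deny ends processing

def dns_query_and_reply(rules):
    """One UDP query out from the inside host, then the resolver's reply in."""
    state = {}
    run(rules, {"dir": "out", "src": INSIDE, "dst": REMOTE}, state)
    verdict, reply = run(rules, {"dir": "in", "src": REMOTE, "dst": PUBLIC}, state)
    return verdict, reply["dst"], sorted(state)

# The poster's layout: one divert for both directions ahead of the state rules.
SINGLE_DIVERT = [(50, "divert", None, None), (100, "check-state", None, None),
                 (200, "keep-state", "out", ("pass", None)), (65535, "deny", None, None)]
# Assumed split layout: divert in before check-state, divert out via skipto after keep-state.
SPLIT_DIVERT = [(100, "divert", "in", None), (200, "check-state", None, None),
                (300, "keep-state", "out", ("skipto", 800)), (800, "divert", "out", None),
                (810, "pass", None, None), (65535, "deny", None, None)]
```

With the single divert the dynamic rule is recorded with the public source address while the de-NATted reply carries the inside address, so the reply is denied; with the split layout both the recorded flow and the reply carry inside addresses and the reply passes.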