Date:      Sun, 17 Feb 2002 20:13:51 -0800 (PST)
From:      Will Froning <wfroning@angui.sh>
To:        questions@freebsd.org
Cc:        Will Froning <wfroning@angui.sh>
Subject:   natd and dynamic rules
Message-ID:  <20020217201322.E46783-100000@angui.sh>

[please CC me on replies, thanks]

I have an issue with natd and my dynamic ipfw rules.  Here goes.

I recently implemented natd on my FBSD4.5 firewall.  Here are the
relevant ipfw rules (internal ip=192.168.100.1):

01400 divert 8668 ip from any to any via dc0
01500 check-state
01600 deny log tcp from any to any established
01700 allow tcp from ${oip} to any keep-state out setup
02800 allow ip from 192.168.100.0/24 to any keep-state via dc1

When I start a ssh session from my firewall to my mail server the
dynamic rule gets the correct lifetime value from
net.inet.ip.fw.dyn_ack_lifetime.

When I start a ssh session from 192.168.100.2 to my firewall's
internal interface, I again get the correct lifetime value from
net.inet.ip.fw.dyn_ack_lifetime.

When I start a ssh session from 192.168.100.2 to a remote machine, the
packet gets through just fine.  But when the dynamic rules come up I
was suspecting both 2800 and 1700 to have the same lifetime value.
That's not the case.  It seems when natd sends the packet out, the
outgoing packet gets its lifetime value from
net.inet.ip.fw.dyn_syn_lifetime NOT net.inet.ip.fw.dyn_ack_lifetime!

So my questions are these:

1) Is this purposely done by implementation or is this a bug in either
ipfw or natd?

2) If this is a "feature", is there any way to change this to have
both rules look at the same lifetime value?

FYI: I tried http://www.aarongifford.com/computers/ipfwpatch.html,
but that affects ack_lifetime not syn_lifetime.  I also tried natd
with -s and again without, same results.

Thanks.
Will

-- 
Will Froning
Unix Sys. Admin.
wfroning@angui.sh
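Added example, not code from this post and not FreeBSD's own ip_fw.c: a Python model of how ipfw on 4.x picks a dynamic rule's lifetime in lookup_dyn_rule() (SYN/FIN/RST bits tracked per direction, mapped to the dyn_syn/ack/fin/rst_lifetime sysctls), walked through the five rules quoted above. The state machine and the default sysctl values are reproduced from memory of the 4.x source; the addresses (oip assumed to be 198.51.100.1 on dc0, an inside host on dc1, a remote server) and natd's port table are constructed. The walk is one hypothesis for the observation, not a confirmed diagnosis: the reinjected packet continues at rule 1500 after the divert, so the returning SYN-ACK reaches check-state already translated back to the inside address, matches only the rule 2800 entry, and the rule 1700 entry (keyed on the public address) never sees the reverse SYN and stays in the "opening" state.

```python
# Added example (not from the post or FreeBSD): model of ipfw 4.x dynamic-rule
# lifetime selection, walked through the natd ruleset quoted in the post.
from dataclasses import dataclass

TH_FIN, TH_SYN, TH_RST, TH_ACK = 0x01, 0x02, 0x04, 0x10   # netinet/tcp.h bits
BOTH_SYN = TH_SYN | (TH_SYN << 8)
BOTH_FIN = TH_FIN | (TH_FIN << 8)
# net.inet.ip.fw.dyn_{syn,ack,fin,rst}_lifetime defaults on 4.x (seconds)
LIFETIME = {"syn": 20, "ack": 300, "fin": 1, "rst": 1}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


@dataclass
class DynRule:
    parent: int        # static rule whose keep-state installed this entry
    key: tuple         # 4-tuple as seen when the entry was installed
    state: int = 0     # forward flags in the low byte, reverse flags << 8
    lifetime: str = "syn"


def update(dyn, flags, forward):
    """Lifetime selection as in lookup_dyn_rule(): only SYN/FIN/RST count."""
    flags &= TH_SYN | TH_FIN | TH_RST
    dyn.state |= flags if forward else flags << 8
    s = dyn.state
    if s == TH_SYN:                                   # opening
        dyn.lifetime = "syn"
    elif s in (BOTH_SYN, BOTH_SYN | TH_FIN, BOTH_SYN | (TH_FIN << 8)):
        dyn.lifetime = "ack"                          # established
    elif s == BOTH_SYN | BOTH_FIN:                    # closed
        dyn.lifetime = "fin"
    else:                                             # reset / odd combination
        dyn.lifetime = "rst"
    return dyn.lifetime


class Firewall:
    def __init__(self, oip):
        self.oip = oip
        self.dyn = []      # dynamic table, searched in order, first match wins
        self.nat = {}      # natd's table (constructed): (oip, port) -> (inside, port)

    def check_state(self, pkt):
        for d in self.dyn:
            if d.key == pkt.key():
                update(d, pkt.flags, True)
                return d
            if d.key == pkt.reverse_key():
                update(d, pkt.flags, False)
                return d
        return None

    def keep_state(self, rule, pkt):
        d = DynRule(rule, pkt.key())
        update(d, pkt.flags, True)
        self.dyn.append(d)
        return d

    def natd(self, pkt, direction):
        """Rule 01400: what natd does to a packet diverted on dc0."""
        if direction == "out" and pkt.src.startswith("192.168.100."):
            self.nat[(self.oip, pkt.sport)] = (pkt.src, pkt.sport)
            pkt.src = self.oip
        elif direction == "in" and (pkt.dst, pkt.dport) in self.nat:
            pkt.dst, pkt.dport = self.nat[(pkt.dst, pkt.dport)]

    def walk(self, pkt, iface, direction):
        """One packet through rules 01400..02800 of the post; returns verdict."""
        if iface == "dc0":                                  # 01400 divert via dc0
            self.natd(pkt, direction)                       # reinjected, resumes at 01500
        if self.check_state(pkt):                           # 01500 check-state
            return "allow by dynamic rule"
        if pkt.flags & (TH_ACK | TH_RST):                   # 01600 deny established
            return "deny 01600"
        setup = bool(pkt.flags & TH_SYN) and not pkt.flags & TH_ACK
        if pkt.src == self.oip and direction == "out" and setup:   # 01700
            self.keep_state(1700, pkt)
            return "allow keep-state 01700"
        if iface == "dc1" and pkt.src.startswith("192.168.100."):  # 02800
            self.keep_state(2800, pkt)
            return "allow keep-state 02800"
        return "deny (no match)"


def lifetimes(fw):
    return {d.parent: (d.lifetime, LIFETIME[d.lifetime]) for d in fw.dyn}


def nat_session(oip="198.51.100.1", inside="192.168.100.2", remote="203.0.113.7"):
    """The post's third case: inside host -> remote through natd."""
    fw = Firewall(oip)
    syn = Packet(inside, 1025, remote, 22, TH_SYN)
    fw.walk(syn, "dc1", "in")       # installs the 02800 entry (inside tuple)
    fw.walk(syn, "dc0", "out")      # natd rewrites src; installs the 01700 entry
    synack = Packet(remote, 22, oip, 1025, TH_SYN | TH_ACK)
    fw.walk(synack, "dc0", "in")    # translated back before check-state runs
    fw.walk(synack, "dc1", "out")
    ack = Packet(inside, 1025, remote, 22, TH_ACK)
    fw.walk(ack, "dc1", "in")
    fw.walk(ack, "dc0", "out")      # reaches the 01700 entry with no SYN bit
    return lifetimes(fw)


def direct_session(oip="198.51.100.1", remote="203.0.113.7"):
    """The post's first case: session from the firewall itself, no translation."""
    fw = Firewall(oip)
    fw.walk(Packet(oip, 1026, remote, 22, TH_SYN), "dc0", "out")
    fw.walk(Packet(remote, 22, oip, 1026, TH_SYN | TH_ACK), "dc0", "in")
    fw.walk(Packet(oip, 1026, remote, 22, TH_ACK), "dc0", "out")
    return lifetimes(fw)


if __name__ == "__main__":
    print(nat_session())      # {2800: ('ack', 300), 1700: ('syn', 20)}
    print(direct_session())   # {1700: ('ack', 300)}
```

Running it reproduces both observations from the post: the direct session leaves rule 1700's entry with the ack lifetime, while the translated session leaves 2800's entry at 300 s and 1700's at 20 s. On the real box the equivalent check is the remaining time shown per dynamic entry by `ipfw -d show`, taken right after the SYN-ACK has come back.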
