From owner-freebsd-questions Sat Oct 12 12:08:08 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D782637B401 for ; Sat, 12 Oct 2002 12:08:06 -0700 (PDT)
Received: from gw.pelleg.org (gw.pelleg.org [205.201.13.235]) by mx1.FreeBSD.org (Postfix) with ESMTP id 318A843EB1 for ; Sat, 12 Oct 2002 12:08:06 -0700 (PDT) (envelope-from dpelleg@cs.cmu.edu)
Received: from lank.auton.cs.cmu.edu (lank.wburn [192.168.3.41]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "dpelleg.dsl.telerama.com", Issuer "Dan Pelleg" (verified OK)) by gw.pelleg.org (Postfix) with ESMTP id A47CE59EE; Sat, 12 Oct 2002 15:08:03 -0400 (EDT)
Received: by lank.auton.cs.cmu.edu (Postfix, from userid 7675) id 52C555B0; Sat, 12 Oct 2002 15:08:01 -0400 (EDT)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15784.29456.571349.96950@gargle.gargle.HOWL>
Date: Sat, 12 Oct 2002 15:08:00 -0400
To: questions@FreeBSD.ORG
Cc: "JoeB"
Subject: Re: How to use natd -punch_fw
X-Mailer: VM 7.00 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
From: Dan Pelleg
Reply-To: Dan@cs.cmu.edu, "Pelleg
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> How do I know how many lines in the ipfw rules file to reserve
> for the -punch_fw function?
> I can code 2 keep-state rules to allow passive FTP in & out.

Exactly "count" lines (the number after the colon in the punch_fw
statement).

> What kind of dynamic ipfw rules is -punch_fw creating and
> inserting into the ipfw rules table on the fly?
> (stateless, setup/established, keep-state/check-state)

They're entries in the table. That table only records dest/src IP and
port numbers, but not any more state. Filtered packets are checked
against table entries and are allowed in if they match.

keep-state/check-state is just a label on the rule that you would use
to create such an entry (conditioned on seeing the right kind of packet,
for example setup/established), but it makes no sense to talk about it
in the context of an entry once it has been created. So the answer is:
natd will simply create an entry in that table.

Here's an experiment you can do: add the punch_fw statement, start an
FTP session, and repeatedly watch the generated rules with "ipfw -d
show". You'll see what gets created, when, and when it's removed.

A good place to post your other questions would be the freebsd-ipfw
mailing list; Luigi Rizzo hangs out there and he'll most certainly be
able to answer them.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
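The practical follow-up to the "reserve exactly count lines" answer above is making sure the reserved range is really free. Per natd(8), -punch_fw basenumber:count makes natd install its temporary pass rules at rule numbers basenumber through basenumber+count-1, and natd clears that whole range when it starts, so any static rule you place there is silently deleted and any FTP hole natd punches is a plain stateless pass rule for one source/destination address and port pair. The script below is an added example, not code from the thread or from FreeBSD: it parses a punch_fw setting, computes the reserved range, and reports static rules in an ipfw rules file that collide with it. The rules file, the interface name fxp0 and the 1000:100 setting are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Checks that the rule-number range
# natd will use for -punch_fw (basenumber:count, i.e. rules basenumber
# through basenumber+count-1, per natd(8)) is free in a static ipfw rules
# file, so natd's temporary pass rules, and the range natd clears at
# startup, never overlap rules you wrote yourself.
# The rules file below is constructed for the demo.

# punch_range "base:count": print the first and last rule number natd
# may occupy, e.g. "1000 1099" for 1000:100.
punch_range() {
    base=${1%%:*}
    count=${1##*:}
    echo "$base $((base + count - 1))"
}

# punch_collisions "base:count" FILE: print every static rule number in
# FILE (lines of the form "add N ..." or "ipfw add N ...") that falls in
# the reserved range; exit 1 if any were found, 0 otherwise.
punch_collisions() {
    set -- $(punch_range "$1") "$2"   # $1=first $2=last $3=file
    awk -v first="$1" -v last="$2" '
        /^[ \t]*(ipfw[ \t]+)?add[ \t]+[0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "add") { n = $(i + 1); break }
            if (n + 0 >= first && n + 0 <= last) { print n; hit = 1 }
        }
        END { exit (hit ? 1 : 0) }
    ' "$3"
}

# sample_rules_file: write a constructed rules file to a temp path and
# print that path. Rule 1050 deliberately sits inside the 1000:100 range.
sample_rules_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample /etc/ipfw.rules (interface name fxp0 is an assumption)
add 100 divert natd ip from any to any via fxp0
add 200 check-state
add 300 allow tcp from any to any 21 out via fxp0 setup keep-state
add 1050 allow tcp from any to any established
add 65000 deny ip from any to any
EOF
    echo "$f"
}

# Demo: natd started with -punch_fw 1000:100 against the sample file.
demo() {
    rules=$(sample_rules_file)
    echo "natd -punch_fw 1000:100 reserves rules: $(punch_range 1000:100)"
    if hits=$(punch_collisions 1000:100 "$rules"); then
        echo "range is free"
    else
        echo "static rules inside the natd range (renumber them): $hits"
    fi
    rm -f "$rules"
}

demo
```

On the firewall host itself, the same range filter isolates the holes natd punches while an FTP data transfer is in flight: `ipfw show | awk '$1 >= 1000 && $1 <= 1099'` lists only the temporary rules, which should appear when the data connection opens and disappear when it closes. Because those rules are stateless and match only one address/port pair, keep count no larger than the number of concurrent FTP data connections you expect, so a misbehaving client cannot hold a large block of pass rules open.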