Date: Mon, 13 May 2002 11:14:08 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
To: Max Clements <clementsm@swistgroup.com>
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW with NATD question...
Message-ID: <Pine.BSF.4.21.0205131102090.50364-100000@cody.jharris.com>
In-Reply-To: <DEC925D2FB9081448C3D6EC26E85868C02D594@steinmail.swistgroup.com>
On Mon, 13 May 2002, Max Clements wrote:

> I have IPFW running as my firewall to the 'net with natd for the translation.
>
> Problem is, using natd with the divert socket to divert all traffic to natd,
> you end up with a situation where you cannot use stateful rules (at least I
> can't figure a way out). As an example:

This assumption is correct for the most part. There are ways to get around it
but your state table grows x2 the size it should (keep a state table before
and after translation). A way to resolve this would be to modify the kernel
firewalling code. I believe the check-state option should be modified to add
an optional rule number to jumpto if matched.

Until that problem gets fixed, use a static firewall ruleset. Sorry.

> Say an inside machine 192.168.1.10 connects to the outside world via IPFW,
> with a public address of 196.6.128.200. If I log the connection verbosely I
> see the following:
>
> Tcp outgoing from 196.6.128.200 - outside host:port for the outgoing packets
> of the connection and
> Tcp incoming from outside host:port to 192.168.1.10 (which is the inside
> address)
>
> Obviously the stateful rule misses the incoming packets with different
> destination addresses, consequently the connection fails.

Nick Rogness <nick@rogness.net>
- Don't mind me...I'm just sniffing your packets
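A static (stateless) ipfw + natd ruleset of the kind the reply recommends, added here as an example that is not Nick's or the FreeBSD project's code. It assumes placeholder names (external interface fxp0, internal interface xl0, inside network 192.168.1.0/24) and goes a little beyond the reply by showing where the inbound and outbound divert rules have to sit relative to the filtering rules so that each rule sees the address it expects.

```shell
#!/bin/sh
# Static ipfw + natd ruleset (example, not from the thread).
# ASSUMPTIONS (placeholders): external interface fxp0, internal interface xl0,
# inside network 192.168.1.0/24. Set IPFW="echo" to print instead of load.
IPFW="${IPFW:-ipfw -q}"
ext_if="${EXT_IF:-fxp0}"
int_if="${INT_IF:-xl0}"
int_net="${INT_NET:-192.168.1.0/24}"

load_ruleset() {
    $IPFW flush
    $IPFW add 100 allow ip from any to any via lo0
    # Trust the inside interface; policy is enforced on the outside one.
    $IPFW add 110 allow ip from any to any via "$int_if"

    # INBOUND: translate first, so every later rule sees the real inside
    # destination (192.168.1.x) instead of the public address.
    $IPFW add 200 divert natd ip from any to any in via "$ext_if"
    # Stateless stand-in for keep-state: only packets of already-established
    # TCP connections (ACK set, SYN clear) may come back in.
    $IPFW add 300 allow tcp from any to "$int_net" in via "$ext_if" established
    $IPFW add 310 allow udp from any 53 to "$int_net" in via "$ext_if"
    $IPFW add 320 deny log tcp from any to any in via "$ext_if" setup
    $IPFW add 330 deny log ip from any to any in via "$ext_if"

    # OUTBOUND: decide on the untranslated inside addresses, then skipto the
    # translation rule; a plain "allow" would end the search before natd
    # ever saw the packet.
    $IPFW add 400 skipto 800 tcp from "$int_net" to any out via "$ext_if"
    $IPFW add 410 skipto 800 udp from "$int_net" to any 53 out via "$ext_if"
    $IPFW add 420 deny log ip from any to any out via "$ext_if"

    $IPFW add 800 divert natd ip from any to any out via "$ext_if"
    $IPFW add 810 allow ip from any to any out via "$ext_if"
    $IPFW add 65000 deny log ip from any to any
}

# Stand-alone use: print the rules by default, load them with "load".
case "${1:-print}" in
    load) load_ruleset ;;
    *)    IPFW="echo ipfw"; load_ruleset ;;
esac
```

Outbound packets are matched on 192.168.1.x before translation and inbound packets on 192.168.1.x after it, which is exactly the address mismatch that breaks a single keep-state entry in the thread.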