From: Nick Rogness
Date: Mon, 13 May 2002 11:14:08 -0500 (CDT)
To: Max Clements
Cc: questions@FreeBSD.ORG
Subject: Re: IPFW with NATD question...

On Mon, 13 May 2002, Max Clements wrote:

> I have IPFW running as my firewall to the 'net with natd for the translation.
>
> Problem is, using natd with the divert socket to divert all traffic to natd,
> you end up with a situation where you cannot use stateful rules (at least I
> can't figure a way out). As an example:

This assumption is correct for the most part. There are ways to get around it, but your state table grows to 2x the size it should (keep a state table before and after translation). A way to resolve this would be to modify the kernel firewalling code. I believe the check-state option should be modified to add an optional rule number to jump to if matched. Until that problem gets fixed, use a static firewall ruleset. Sorry.

> Say an inside machine 192.168.1.10 connects to the outside world via IPFW,
> with a public address of 196.6.128.200. If I log the connection verbosely I
> see the following:
>
> TCP outgoing from 196.6.128.200 - outside host:port for the outgoing packets
> of the connection, and
> TCP incoming from outside host:port to 192.168.1.10 (which is the inside
> address).
>
> Obviously the stateful rule misses the incoming packets with different
> destination addresses; consequently the connection fails.

Nick Rogness
- Don't mind me...I'm just sniffing your packets
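The ordering problem discussed in this thread can be worked around in the ruleset itself, without a kernel change: divert inbound packets to natd before check-state (so their destination is already the inside address when state is looked up), and have the outbound keep-state rules "skipto" a later divert rule (so state is created on the inside source before translation). Because a packet that matches a dynamic rule executes the action of the rule that created it, the inbound reply also takes the skipto, lands on an "out via" divert that does not apply to it, and is allowed by the next rule. The script below is an added example written for this page; it is not from the original message, from Nick Rogness, or from the FreeBSD project. Interface names fxp0 and xl0, the LAN 192.168.1.0/24, the natd divert port name "natd", and rule numbers 10 through 801 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the original thread or from FreeBSD itself.
# Stateful ipfw + natd ruleset that keeps state on the *inside* (untranslated)
# addresses in both directions:
#   - inbound packets are diverted to natd BEFORE check-state, so by the time
#     check-state runs their destination is 192.168.1.10 again;
#   - outbound packets hit keep-state BEFORE natd (the dynamic entry is created
#     with the inside source), then "skipto" a later divert rule for translation.
# A check-state match executes the action of the rule that created the entry
# (skipto 800), so the inbound reply also jumps to 800, where the "out via"
# divert does not apply and rule 801 allows it.
#
# Assumptions (hypothetical, not from the original message): public interface
# fxp0, LAN interface xl0, LAN 192.168.1.0/24, natd listening on the "natd"
# divert port, rule numbers 10-801 otherwise unused.

PIF=${PIF:-fxp0}             # public (external) interface
LIF=${LIF:-xl0}              # inside (LAN) interface
LAN=${LAN:-192.168.1.0/24}   # inside network
SKIP=800                     # rule number of the outbound divert

# Print the ruleset, one "ipfw add" argument list per line, in evaluation order.
emit_rules() {
    cat <<EOF
10 allow ip from any to any via lo0
20 allow ip from any to any via $LIF
100 divert natd ip from any to any in via $PIF
101 check-state
200 skipto $SKIP tcp from $LAN to any out via $PIF setup keep-state
210 skipto $SKIP udp from $LAN to any 53 out via $PIF keep-state
220 skipto $SKIP icmp from $LAN to any out via $PIF keep-state
500 deny log ip from any to any in via $PIF
510 deny log ip from any to any out via $PIF
$SKIP divert natd ip from any to any out via $PIF
801 allow ip from any to any
EOF
}

# Return 0 if the inbound divert precedes check-state and every keep-state
# rule jumps to the outbound divert. The whole scheme depends on this
# ordering, so verify it before loading anything into the kernel.
check_order() {
    rules=$(emit_rules)
    div_in=$(printf '%s\n' "$rules" | grep -n 'divert natd .* in via' | cut -d: -f1)
    cs=$(printf '%s\n' "$rules" | grep -n 'check-state' | cut -d: -f1)
    [ -n "$div_in" ] && [ -n "$cs" ] && [ "$div_in" -lt "$cs" ] || return 1
    # every keep-state rule must be a "skipto $SKIP"
    printf '%s\n' "$rules" | grep 'keep-state' | grep -vq "skipto $SKIP " && return 1
    return 0
}

# Load the ruleset with ipfw (root, kernel with IPFIREWALL and IPDIVERT).
apply_rules() {
    check_order || { echo "ruleset ordering is wrong, not loading" >&2; return 1; }
    ipfw -q -f flush
    emit_rules | while read -r rule; do
        ipfw -q add $rule
    done
}

if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it as `sh natfw.sh apply` on the gateway (as root) to flush and load the rules; with no argument it only defines the functions, so `emit_rules` can be inspected or `check_order` run on a workstation without ipfw. Note that the deny rules at 500/510 sit between the keep-state rules and the outbound divert on purpose: outbound traffic that did not create state never reaches rule 800, and inbound traffic with no matching dynamic entry is logged and dropped.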