From: Michael Sierchio <kudzu@tenebras.com>
Date: Thu, 30 Jan 2003 07:22:33 -0800
Message-ID: <3E394339.6080201@tenebras.com>
To: barbish@a1poweruser.com
Cc: Nick Rogness, "Simon L. Nielsen", freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

JoeB wrote:

> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.

Oh, but it does. It just requires the right set of rules. This is oft-discussed, and is not a design defect but a consequence of using two different types of stateful mechanism. I myself use stateful rules and natd -- some of the ruleset is quite non-intuitive.

> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.

I believe that, if you go further back in the archives, you'll see I was laboring under the same misunderstanding.
Here's an example:

    pub_hosts = outside IP addr list / public net
    prv_net   = rfc1918 addrs / private net
    oif       = outside if
    iif       = inside if

    $fw add 02100 set 0 divert natd ip from any to any via $oif
    $fw add 02200 set 0 check-state
    $fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
    $fw add 02450 set 0 deny tcp from any to any established
    $fw add 03300 set 0 allow tcp from $prv_net to any in via $iif keep-state setup
    $fw add 03400 set 0 allow udp from $prv_net to any keep-state
    $fw add 03500 set 0 allow icmp from $prv_net to any
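The "two different types of stateful mechanism" in the message are natd's translation table and ipfw's dynamic (keep-state) rules, and the ruleset above places the divert rule (02100) ahead of check-state (02200) so that an inbound reply is un-NATed before ipfw looks it up in its dynamic rules. The following is a toy model added here to illustrate that interaction; it is not the poster's code, not ipfw or natd, and all addresses and port numbers are constructed. The `divert_first=False` variant is an assumed alternative ordering (check-state before divert), included only to show what the ordering in the ruleset buys: with it reversed, the outbound packet matches the dynamic rule before natd ever sees it, so the reply arrives untranslated, misses check-state and dies on rule 02450.

```python
"""Toy model of the ipfw + natd interaction described in the post.

natd keeps its own translation table; ipfw keep-state keeps dynamic rules.
The outbound SYN arriving on $iif creates a dynamic rule with the PRIVATE
source address; the reply arriving on $oif is addressed to the PUBLIC address
and only matches that dynamic rule after natd has rewritten it back.
Constructed example, not the poster's code; every address below is made up.
"""
from dataclasses import dataclass, replace

PRV_NET = "192.168.188."      # stands in for $prv_net (rfc1918), constructed
PUB_HOST = "203.0.113.10"     # stands in for $pub_hosts, constructed (TEST-NET-3)
OIF, IIF = "oif", "iif"       # $oif / $iif


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str          # interface the packet is passing
    direction: str      # "in" (received) or "out" (transmitted)
    ack: bool = False   # TCP ACK/RST set, i.e. ipfw's "established"; False means "setup"


class Natd:
    """natd's translation table: outbound private sources become PUB_HOST and
    the mapping is remembered so the matching reply is rewritten back."""

    def __init__(self):
        self.table = {}   # (proto, alias_port) -> (private_addr, private_port)

    def translate(self, p):
        if p.direction == "out" and p.src.startswith(PRV_NET):
            self.table[(p.proto, p.sport)] = (p.src, p.sport)   # keep the port when free
            return replace(p, src=PUB_HOST)
        if p.direction == "in" and p.dst == PUB_HOST:
            hit = self.table.get((p.proto, p.dport))
            if hit:
                return replace(p, dst=hit[0], dport=hit[1])
        return p   # no mapping: natd hands the packet back untouched


class Ipfw:
    """The ruleset from the post, with rule 02100 (divert natd) optionally moved
    behind 02200 (check-state) to show why the original order matters."""

    def __init__(self, natd, divert_first=True):
        self.natd = natd
        self.divert_first = divert_first
        self.dynamic = set()   # keep-state entries: (proto, frozenset of both endpoints)

    @staticmethod
    def _key(p):
        # A dynamic rule matches the flow in either direction, on any interface.
        return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

    def _divert(self, p):
        # 02100 divert natd ip from any to any via $oif; processing resumes after it
        return self.natd.translate(p) if p.iface == OIF else p

    def filter(self, p):
        """Run one packet through the rules; return ("allow"|"deny", rule_number)."""
        if self.divert_first:
            p = self._divert(p)
        if self._key(p) in self.dynamic:          # 02200 check-state
            return "allow", 2200
        if not self.divert_first:
            p = self._divert(p)
        if p.src == PUB_HOST and p.direction == "out" and p.iface == OIF:
            return "allow", 2400                  # allow ip from $pub_hosts to any out xmit $oif
        if p.proto == "tcp" and p.ack:
            return "deny", 2450                   # deny tcp from any to any established
        if (p.proto == "tcp" and p.src.startswith(PRV_NET)
                and p.direction == "in" and p.iface == IIF and not p.ack):
            self.dynamic.add(self._key(p))        # allow tcp ... in via $iif keep-state setup
            return "allow", 3300
        if p.proto == "udp" and p.src.startswith(PRV_NET):
            self.dynamic.add(self._key(p))        # allow udp from $prv_net to any keep-state
            return "allow", 3400
        if p.proto == "icmp" and p.src.startswith(PRV_NET):
            return "allow", 3500                  # allow icmp from $prv_net to any
        return "deny", 65535                      # implicit default deny


def trace_tcp_session(divert_first=True):
    """An inside client opens TCP/80 to an outside server. Returns the verdicts
    for: the SYN seen in on $iif, the same SYN out on $oif, the SYN/ACK reply
    in on $oif, and an unsolicited inbound SYN to the public address."""
    fw = Ipfw(Natd(), divert_first)
    client, server = PRV_NET + "241", "198.51.100.5"          # constructed
    syn_in = Packet("tcp", client, 40000, server, 80, IIF, "in")
    syn_out = replace(syn_in, iface=OIF, direction="out")
    reply_in = Packet("tcp", server, 80, PUB_HOST, 40000, OIF, "in", ack=True)
    probe_in = Packet("tcp", "192.0.2.7", 5555, PUB_HOST, 22, OIF, "in")
    return [fw.filter(p) for p in (syn_in, syn_out, reply_in, probe_in)]


if __name__ == "__main__":
    for order in (True, False):
        print("divert before check-state:" if order else "check-state before divert:",
              trace_tcp_session(order))
```

With the post's ordering the reply is allowed by check-state after natd has restored the private destination, and the unsolicited SYN falls through to the default deny. With the order reversed, the outbound SYN on $oif is accepted by check-state before it reaches the divert rule, natd never learns the mapping, and the reply is dropped by rule 02450.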