Date:      Wed, 2 Jun 2004 15:41:40 -0700
From:      Luigi Rizzo <rizzo@icir.org>
To:        OpenMacNews <freebsd-ipfw.20.openmacews@spamgourmet.com>
Cc:        freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject:   Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <20040602154140.A17902@xorpc.icir.org>
In-Reply-To: <DAC6B2F195AD44196B3A03F5@[172.30.11.6]>; at 03:33:58PM -0700
References:  <DAC6B2F195AD44196B3A03F5@[172.30.11.6]>

On Wed, Jun 02, 2004 at 03:33:58PM -0700, OpenMacNews wrote:
> In continued digging for some guidance w.r.t. my earlier post, I came across the following list comment ...
> 
>         > The real show stopper is ipfw with stateful rules using the 'keep state'
>         > option does not work when used with the divert/natd legacy sub-routine.
>         > What this means is ipfw with stateful rules can only be used if
>         > 'user ppp -nat' is how you connect to the public internet.
> 
> Is this in fact true?
> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use stateful rules?

just about every sentence above is false.

nothing prevents you from using stateful ipfw rules with natd,
_but_ you must understand very well the packet's flow and how
addresses are transformed or you won't get what you want.

personally i see almost always only disadvantages (basically, it is much
easier to screw up your configuration) in using both because nat is
already stateful.

	cheers
	luigi
> Richard
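As an added example that is not part of this thread (it is neither Luigi's nor the original poster's configuration), the following sh script shows one ipfw layout in which keep-state rules and a natd divert rule coexist, illustrating the "understand the packet's flow and how addresses are transformed" point: inbound packets are translated before check-state runs, and the outbound keep-state rules use skipto to reach the outbound divert rule instead of allow. Interface names (fxp0, fxp1), the port list, rule numbers and the RFC 1918 source filters are assumptions chosen for illustration. By default the script only prints the ipfw commands; running it with FWCMD=/sbin/ipfw on a FreeBSD host loads them.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset that combines natd
# (divert) with keep-state rules. Interface names, port lists, addresses
# and rule numbers below are assumptions for illustration.
# Dry run by default: commands are printed. Set FWCMD=/sbin/ipfw to load.

fwcmd=${FWCMD:-"echo /sbin/ipfw"}
pif=${PIF:-fxp0}            # assumed public interface that natd runs on
lif=${LIF:-fxp1}            # assumed LAN interface
tcp_out="22,25,53,80,443"   # assumed outbound TCP services allowed for the LAN

build_ruleset() {
    add="${fwcmd} -q add"

    ${fwcmd} -q -f flush

    # Loopback and LAN-side passes are neither translated nor tracked here.
    $add 010 allow ip from any to any via lo0
    $add 020 allow ip from any to any via ${lif}

    # Inbound on the public interface: translate FIRST, so that check-state
    # sees the packet with the inside (untranslated) address that the
    # dynamic rule was created with.
    $add 100 divert natd ip from any to any in via ${pif}
    $add 110 check-state

    # Outbound from the LAN: at this point the packet still carries its
    # private source address, so the dynamic rule records the inside host.
    # The action is 'skipto', not 'allow': 'allow ... keep-state' would end
    # rule processing before the packet ever reached the outbound divert.
    $add 200 skipto 500 tcp from any to any ${tcp_out} out via ${pif} setup keep-state
    $add 210 skipto 500 udp from any to any 53 out via ${pif} keep-state
    $add 220 skipto 500 icmp from any to any out via ${pif} keep-state

    # Inbound on the public interface that matched no dynamic rule.
    $add 300 deny ip from 192.168.0.0/16 to any in via ${pif}   # RFC 1918 source
    $add 310 deny ip from 10.0.0.0/8 to any in via ${pif}
    $add 320 deny ip from 172.16.0.0/12 to any in via ${pif}
    $add 330 allow tcp from any to me 22 in via ${pif} setup limit src-addr 3
    $add 340 deny log ip from any to any

    # skipto target: translate outbound packets, then let them go.
    $add 500 divert natd ip from any to any out via ${pif}
    $add 510 allow ip from any to any
}

build_ruleset
```

The ordering is the whole point. A LAN host's first outbound packet is allowed on the LAN pass (rule 020), then on the public-interface pass it reaches rule 200 with its private source address, creates the dynamic entry, and jumps to rule 500 where natd rewrites the source to the public address. The reply arrives addressed to the public address, is rewritten back to the private host by the inbound divert at rule 100, and only then hits check-state at rule 110, where it matches the entry created at rule 200. Reversing either pair (check-state before the inbound divert, or allow instead of skipto on the outbound rules) leaves the dynamic table and natd's view of the addresses out of step, which is the kind of misconfiguration Luigi is warning about.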