From: Luigi Rizzo
To: OpenMacNews
Cc: freebsd-ipfw
Date: Wed, 2 Jun 2004 15:41:40 -0700
Subject: Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID: <20040602154140.A17902@xorpc.icir.org>

On Wed, Jun 02, 2004 at 03:33:58PM -0700, OpenMacNews wrote:
> In continued digging for some guidance w.r.t. my earlier post, I came across the following list comment ...
>
> > The real show stopper is ipfw with stateful rules using the 'keep state'
> > option does not work when used with the divert/nated legacy sub-routine.
> > What this means is ipfw with stateful rules can only be used if
> > 'user ppp -nat' is how you connect to the public internet.
>
> Is this in fact true?
> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use stateful rules?

Just about every sentence above is false. Nothing prevents you from using stateful ipfw rules with natd, _but_ you must understand very well the packet's flow and how addresses are transformed, or you won't get what you want.

Personally I see almost always only disadvantages (basically, it is much easier to screw up your configuration) in using both, because nat is already stateful.

cheers
luigi

> Richard
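Luigi's point about following the packet's path through natd, shown as an added example (constructed here, not from the list post or from FreeBSD's own scripts): the inbound divert must come before check-state so that a reply is translated back to the private address the dynamic rule recorded, and the keep-state rule must come before the outbound divert so state is recorded on the untranslated packet. Interface names and the LAN prefix are assumed placeholders; natd is assumed to be running on the public interface.

```shell
#!/bin/sh
# Added example, not from the list post: an ipfw ruleset that combines
# keep-state rules with natd on a FreeBSD gateway. Interface names and the
# LAN prefix are assumed placeholders; natd must already be running on $pif.
pif=${pif:-xl0}             # public interface (assumed)
lif=${lif:-fxp0}            # LAN interface (assumed)
lan=${lan:-192.168.1.0/24}  # private LAN (assumed)
IPFW=${IPFW:-echo ipfw}     # default only prints; run as root with IPFW=ipfw to load

natd_stateful_rules() {
    $IPFW -f flush
    # LAN side is trusted; all stateful checking happens on the public side.
    $IPFW add 50 allow ip from any to any via "$lif"
    # Inbound from the internet: translate FIRST. A reply arrives with the
    # public address as destination; natd rewrites it to the LAN host and
    # reinjects the packet, which resumes at the rule after this one.
    $IPFW add 100 divert natd ip from any to any in via "$pif"
    # Only now does check-state see the private address the dynamic rule
    # was recorded with, so the reply matches the session.
    $IPFW add 200 check-state
    # Outbound: record state BEFORE translation, while the source is still
    # the private LAN address, then jump past the deny to the translator.
    $IPFW add 300 skipto 400 tcp from "$lan" to any out via "$pif" setup keep-state
    $IPFW add 310 skipto 400 udp from "$lan" to any 53 out via "$pif" keep-state
    # Anything else on the public side (unsolicited inbound, untracked
    # outbound) stops here.
    $IPFW add 320 deny log ip from any to any via "$pif"
    # Translate outbound packets; inbound replies skip this rule (wrong
    # direction) and are accepted by rule 410.
    $IPFW add 400 divert natd ip from any to any out via "$pif"
    $IPFW add 410 allow ip from any to any
}

natd_stateful_rules
```

Run as-is it only prints the ipfw commands so the ordering can be inspected; the gateway's own traffic from its public address is not covered and would need its own rules.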