Date: Wed, 20 Dec 2000 23:22:39 +0100
From: Rene de Vries
To: Luigi Rizzo
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: statefull packet filter together with natd question
Message-ID: <20001220232239.A1012@canyon.demon.nl>

On Wed, Dec 20, 2000 at 09:57:18AM -0800, Luigi Rizzo wrote:
> > Currently I'm trying to move towards a stateful packet filter. When testing
> > without nat all seems to work fine. But when I added natd (as the first
> > rule) packets that were natd-ed on their way out had their return traffic
> > blocked. The question is, what am I doing wrong?!?
>
> nat changes addresses and then reinjects packets in the firewall.
> Chances are that there is no dynamic rule matching the
> packet after the translation.

This is what I know, the problem is how to nat at the right time. I played
with two natting rules, one for incoming and one for outgoing traffic (to the
same nat process) but I didn't get it working.
This made me think that there should be a simple solution to this problem.

--
Rene de Vries
http://www.tcja.nl
mailto:rene@tcja.nl