From owner-freebsd-bugs Wed Apr 10 21:58:17 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id DD0B937B404;
	Wed, 10 Apr 2002 21:58:12 -0700 (PDT)
Received: (from cjc@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g3B4wC796014;
	Wed, 10 Apr 2002 21:58:12 -0700 (PDT)
	(envelope-from cjc)
Date: Wed, 10 Apr 2002 21:58:12 -0700 (PDT)
From:
Message-Id: <200204110458.g3B4wC796014@freefall.freebsd.org>
To: barbish@a1poweruser.com, cjc@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/36895: natd does not function correctly when ipfw rules use check-state/keep-state
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Synopsis: natd does not function correctly when ipfw rules use check-state/keep-state

State-Changed-From-To: open->closed
State-Changed-By: cjc
State-Changed-When: Wed Apr 10 21:57:54 PDT 2002
State-Changed-Why:
After reviewing the submitter's rules, the problem is that states are
only established for packets crossing the external interface after
natd(8) gets the packets. Therefore, outgoing packets have had their
source address translated to the address of the external interface and
incoming packets have had the destination translated back to the
private number when they hit the dynamic rules. They will not match up.

This is not a bug. This is just how things work. There are ways to set
up your rules so that this will work. People do this all of the time.

http://www.freebsd.org/cgi/query-pr.cgi?pr=36895

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
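
The mismatch described in the State-Changed-Why text, modelled as an added Python example (not part of the original message, the submitter's ruleset, or FreeBSD's code). The addresses and ports are constructed samples, natd is reduced to address rewriting, and the second ordering (keep-state evaluated before the outbound translation) is an assumed arrangement shown for contrast, not one named in the message.

```python
# Toy model of ipfw dynamic rules combined with natd(8).
# All addresses and ports below are constructed sample values.
PRIVATE, PUBLIC, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"


class Nat:
    """Minimal natd stand-in: rewrites addresses only (port remapping ignored)."""

    def __init__(self):
        self.table = {}  # (public_ip, sport, remote_ip, dport) -> private_ip

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        self.table[(PUBLIC, sport, dst, dport)] = src
        return (PUBLIC, sport, dst, dport)

    def inbound(self, pkt):
        src, sport, dst, dport = pkt
        private = self.table.get((dst, dport, src, sport), dst)
        return (src, sport, private, dport)


def state_key(pkt):
    """Dynamic rules match both directions, so the key ignores src/dst order."""
    src, sport, dst, dport = pkt
    return frozenset([(src, sport), (dst, dport)])


def reply_matches_state(stateful_after_nat_on_output):
    """Send one outbound packet and its reply through the model.

    Returns True if the reply matches the dynamic rule that the
    outbound packet created.
    """
    nat, states = Nat(), set()
    out_pkt = (PRIVATE, 40000, REMOTE, 80)
    if stateful_after_nat_on_output:
        # Ordering described in the message: natd first, then keep-state,
        # so the state records the external (public) source address.
        states.add(state_key(nat.outbound(out_pkt)))
    else:
        # Assumed alternative: keep-state first, natd afterwards,
        # so the state records the private source address.
        states.add(state_key(out_pkt))
        nat.outbound(out_pkt)
    reply = (REMOTE, 80, PUBLIC, 40000)
    # In both orderings the reply is translated back before the state check.
    return state_key(nat.inbound(reply)) in states
```

`reply_matches_state(True)` reproduces the reported behaviour: the state holds the public address while the reply is checked with the private one.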