From: "JoeB" <barbish@a1poweruser.com>
To: "Michael Sierchio"
Cc: "Nick Rogness", "Simon L. Nielsen", freebsd-ipfw@FreeBSD.ORG
Subject: RE: Error in ipfw manpage for stateful rules?
Date: Thu, 30 Jan 2003 14:44:16 -0500
In-Reply-To: <3E396FB5.90406@tenebras.com>
List: freebsd-ipfw@FreeBSD.ORG

OK, thanks for admitting that the subtleties in integrating natd and stateful ipfirewall rules aren't covered in the examples.

Also, this little quote from your email response:

"Also note: it is documented but frequently forgotten that nat'd packets, or any packets passed via DIVERT, lose information -- such as which interface the packet was received on."

causes me a great amount of concern. I would think the divert code needs to be fixed to correct this problem; why has it not been corrected?

I believe the subject of this thread is dealing with changing the examples and documentation to deal with getting IPFW/NATD/KEEP-STATE rules to play together correctly.
So how about helping me develop an example rule set that works? As you can see, I have two conversations running under this subject. The other one has my keep-state rules file that works perfectly when used with user ppp -nat, so the NAT function is done outside of IPFW. But when the same rule set is used with the divert rule added, all of a sudden it no longer works, because packets no longer match the dynamic rules that were built. Are you willing to give me a hand to correct this oversight in the IPFW documentation and examples?

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Michael Sierchio
Sent: Thursday, January 30, 2003 1:32 PM
To: barbish@a1poweruser.com
Cc: Nick Rogness; Simon L. Nielsen; freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?

JoeB wrote:
>
> So again I state that the documentation for keep-state rules using
> IPFW/NATD does not contain the information to create a fully enabled
> keep-state firewall using the IPFW/NATD function.

There are subtleties in integrating natd and stateful ipfirewall rules, and these aren't covered in the examples. It's fairly easy to see where the difficulty is, though, if you understand how the stateful rules work -- they are looking for SYN/ACK and ACK packets that match the parent rule, so take care when rewriting addresses so you get matching packets! It may be that you need to use skipto rules to separate inbound and outbound packets.

Also note: it is documented but frequently forgotten that nat'd packets, or any packets passed via DIVERT, lose information -- such as which interface the packet was received on.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
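The failure JoeB describes (a divert rule added in front of a ruleset that worked with ppp -nat, after which replies no longer match the dynamic rules) and the skipto separation Michael suggests, worked through as an added example that is not part of the thread and is not code from FreeBSD, ipfw or natd. It is a toy Python model of the ipfw rule walk: a keep-state rule records the addresses the packet has at that point in the chain, a check-state hit runs the parent rule's action, and a divert rule hands the packet to a minimal natd that rewrites it. The two rulesets, the rule numbers, the addresses and the ports are all constructed for the demonstration; the "split" layout (inbound divert before check-state, outbound keep-state rule using skipto to reach the outbound divert) is one way to apply Michael's suggestion, not a ruleset the thread gives. The model does not represent the loss of interface information Michael also mentions.

```python
"""Toy model of ipfw stateful matching around a natd divert rule.

Added example for this thread; not code from FreeBSD, ipfw or natd.  It
models one thing: keep-state records the addresses a packet has at that
point in the chain, so the order of divert and check-state decides whether
the reply still matches.  Addresses, ports and rule numbers are constructed.
"""
from collections import namedtuple

LAN_HOST = "10.0.10.6"     # constructed: client behind the NAT
PUBLIC_IP = "203.0.113.5"  # constructed: gateway's public address
REMOTE = "198.51.100.10"   # constructed: remote web server

# direction is "in" or "out"; setup is True for a bare SYN (ipfw "setup")
Packet = namedtuple("Packet", "src sport dst dport direction setup")


def flow_key(p):
    """Direction-independent key: a dynamic rule matches both ways."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Natd:
    """Minimal natd: outbound source becomes PUBLIC_IP, replies map back."""
    def __init__(self):
        self.table = {}  # public port -> (lan address, lan port)

    def divert(self, p):
        if p.direction == "out" and p.src == LAN_HOST:
            self.table[p.sport] = (p.src, p.sport)  # port-preserving
            return p._replace(src=PUBLIC_IP)
        if p.direction == "in" and p.dst == PUBLIC_IP and p.dport in self.table:
            lan_ip, lan_port = self.table[p.dport]
            return p._replace(dst=lan_ip, dport=lan_port)
        return p


class Firewall:
    """Rules are (number, action, argument, match) tuples, evaluated in order."""
    def __init__(self, rules):
        self.rules = sorted(rules)
        self.natd = Natd()
        self.dyn = {}  # flow_key -> (action, argument) of the parent rule

    def _matches(self, p, m):
        if m.get("direction", "any") not in ("any", p.direction):
            return False
        return not m.get("setup") or p.setup

    def run(self, p):
        """Return "allow" or "deny" for packet p, updating NAT and state."""
        i = 0
        while i < len(self.rules):
            _, action, arg, m = self.rules[i]
            if action == "check-state" and flow_key(p) in self.dyn:
                action, arg = self.dyn[flow_key(p)]  # parent rule's action runs
            elif action == "check-state" or not self._matches(p, m):
                i += 1
                continue
            elif m.get("keep_state"):
                self.dyn[flow_key(p)] = (action, arg)
            if action == "divert":
                p = self.natd.divert(p)  # addresses change from here on
                i += 1
            elif action == "skipto":
                i = next(j for j, r in enumerate(self.rules) if r[0] >= arg)
            else:
                return action
        return "deny"


def exchange(rules):
    """Client SYN out, server SYN/ACK back, client data out: the verdicts."""
    fw = Firewall(rules)
    syn = Packet(LAN_HOST, 1234, REMOTE, 80, "out", True)
    synack = Packet(REMOTE, 80, PUBLIC_IP, 1234, "in", False)
    data = Packet(LAN_HOST, 1234, REMOTE, 80, "out", False)
    return {"syn_out": fw.run(syn), "synack_in": fw.run(synack),
            "data_out": fw.run(data)}


# The ordering JoeB describes: a divert rule added in front of a ruleset that
# worked with ppp -nat.  keep-state records the translated source, but the
# reply is translated back before check-state sees it, so it never matches.
NAIVE = [
    (50, "divert", None, {"direction": "any"}),   # ipfw: divert natd ip from any to any via $pif
    (100, "check-state", None, {}),
    (200, "allow", None, {"direction": "out", "setup": True, "keep_state": True}),
    (999, "deny", None, {"direction": "any"}),
]

# Directions separated with skipto: inbound is translated before check-state,
# and the outbound keep-state rule's parent action is the skipto, so every
# later matched packet of the flow is also sent through the outbound divert.
SPLIT = [
    (100, "divert", None, {"direction": "in"}),   # ipfw: divert natd ip from any to any in via $pif
    (101, "check-state", None, {}),
    (450, "skipto", 800, {"direction": "out", "setup": True, "keep_state": True}),
    (799, "deny", None, {"direction": "any"}),    # nothing else reaches the NAT-out section
    (800, "divert", None, {"direction": "out"}),  # ipfw: divert natd ip from any to any out via $pif
    (801, "allow", None, {"direction": "any"}),
]
```

Calling exchange(NAIVE) gives "deny" for the SYN/ACK: the dynamic rule was recorded with the public source address, but natd has already rewritten the reply's destination back to the LAN address by the time check-state runs. With exchange(SPLIT) all three packets are allowed, and the skipto parent action is what keeps later outbound packets of the flow going through the outbound divert instead of being passed untranslated by check-state.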