From owner-freebsd-questions@FreeBSD.ORG Wed Jan 3 10:12:04 2001
Date: Wed, 3 Jan 2001 13:12:02 -0500
From: Phil C
To: freebsd-questions@freebsd.org
Subject: ipfw, check-state & natd
Message-ID: <20010103131202.A62258@planw-65-33-233-186.pompano.net>

Is there a way to allow for checking the state of outbound packets within ipfw ... while also using natd for masquerading?

I have tried adding the 'keep-state' directive on outbound rules for my lan interface and my isp interface, ie:

    ipfw add check-state
    ...
    ipfw add pass ip from ${cable} to any keep-state
    ipfw add pass tcp from ${net}:${mask} to any setup via ${if_lan} keep-state
    ...
    ipfw add deny ip from any to any

Tho when I do this all packets drop without a trace, because I would assume the state does not match. I say that I assume because the check-state rule never increases in packet count and the deny rules do not increase either. Tho in my logs I see that packets are being denied and there are a lot of 'natd: failed to write packet back (Permission denied)' messages too.

So does anyone have any ideas?

--
Thanks,
Phil
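Added example, not the poster's ruleset: a small sh fragment in the skipto layout the FreeBSD Handbook's stateful ipfw+natd ruleset follows, where inbound natd translation runs before check-state and outbound translation runs only after the keep-state rule, so the dynamic rule is keyed on the LAN address in both directions. The interface names, LAN prefix and rule numbers are assumptions; the script prints the rules unless APPLY=yes is set, so it can be reviewed before loading.

```shell
#!/bin/sh
# Added example (not from the original post). Interface names, the LAN
# prefix and the rule numbers are placeholders; adjust before use.
pif="xl0"            # ISP-facing interface (assumed)
lif="xl1"            # LAN interface (assumed)
lan="192.168.1.0/24" # private LAN behind natd (assumed)

# Dry run by default: print the rules instead of loading them.
if [ "${APPLY:-no}" = "yes" ]; then
    cmd="ipfw -q add"
else
    cmd="echo ipfw -q add"
fi

load_rules() {
    $cmd 00100 allow ip from any to any via lo0
    $cmd 00110 allow ip from any to any via "$lif"

    # Inbound packets are translated BEFORE check-state, so a reply already
    # carries the LAN address when the dynamic rule is looked up.
    $cmd 00200 divert natd ip from any to any in via "$pif"
    $cmd 00210 check-state

    # Outbound: record state with the untranslated LAN source, then jump to
    # the outbound divert. A dynamic match executes the parent rule's
    # action, so later packets of the same flow also reach rule 1000.
    $cmd 00300 skipto 1000 tcp from "$lan" to any out via "$pif" setup keep-state
    $cmd 00310 skipto 1000 udp from "$lan" to any out via "$pif" keep-state
    $cmd 00320 skipto 1000 icmp from "$lan" to any out via "$pif" keep-state

    # Everything without state or an explicit skipto is dropped and logged.
    # An outbound packet that natd reinjects and that ends up here is what
    # produces natd's "failed to write packet back (Permission denied)".
    $cmd 00900 deny log ip from any to any

    # Outbound translation happens only after the state has been recorded.
    $cmd 01000 divert natd ip from any to any out via "$pif"
    $cmd 01010 allow ip from any to any
}

load_rules
```

Placing the outbound divert before the keep-state rule instead would record state under the translated address, and replies translated back to the LAN address would then never match it.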