Date:      Tue, 8 Jun 2004 22:59:22 -0400
From:      "JJB" <Barbish3@adelphia.net>
To:        <freebsd-ipfw@freebsd.org>, <tw@wsf.at>
Cc:        "freebsd-questions@FreeBSD. ORG" <freebsd-questions@FreeBSD.ORG>
Subject:   RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <MIEPLLIBMLEEABPDBIEGEEJAGBAA.Barbish3@adelphia.net>
In-Reply-To: <20040603090004.fsp0rm3wehw0k8@.mailhost.wsf.at>

Thanks for your example. I have finally had time to study it
and I see the flaw in it.

The example works fine for creating the entry in the dynamic table
for setup of keep-state inbound and outbound session start requests.
It even handles inbound packets that are part of established session
conversations, but for established outbound session conversations
the check-state rule releases the packet before it has been NATed.

Therein lies the flaw.

Do you have any suggestions on how to correct this?



-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org
[mailto:owner-freebsd-ipfw@freebsd.org]On Behalf Of Thomas Wolf
Sent: Thursday, June 03, 2004 3:00 AM
To: Barbish3@adelphia.net; freebsd-ipfw@freebsd.org
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/
keep-state?


JJB <Barbish3@adelphia.net> wrote:

> Where do you get off calling my questioning of Luigi Rizzo's
> answer an attack.
> I have heard that party line statement all too often over the last
> 4 years, with no backup proof. That party line canned answer may be
> sufficient for the original thread poster who has not invested the
> time yet to come to the realization that it does not work.
> My post to the thread was meant to bring this problem out so the
> experts can look into it and take corrective actions.

This should work although some features are missing
(loopback, anti-spoofing, identd..):

#!/bin/sh
# Variables used to build the rules below.
log="log"
cmd="ipfw add"
allow="skipto 10000"            # "allow" here means: jump to the outbound NAT block
oif=rl0                         # outside interface
good_tcp="22,25,53,80,443,110"
good_udp="53"
good_icmp="icmptypes 0,3,8,11,12"
ipfw -f flush                   # start from an empty ruleset

# Inbound packets are de-NATed first, then looked up in the dynamic table.
$cmd 100 divert natd ip from any to any in via $oif
$cmd 105 check-state
# Permitted traffic jumps to 10000; the udp and tcp rules also record
# the session in the dynamic table (keep-state).
$cmd 110 $allow icmp from any to any $good_icmp
$cmd 120 $allow udp from any to any $good_udp out keep-state
$cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
$cmd 140 deny $log ip from any to any
# Outbound packets are NATed here, after the policy decision.
$cmd 10000 divert natd ip from any to any out via $oif
$cmd 10010 allow ip from any to any
$cmd 10020 deny ip from any to any


Thomas

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to
"freebsd-ipfw-unsubscribe@freebsd.org"
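Added illustration, not code from either message in the thread: a small Python model of how ipfw walks the tcp path of Thomas Wolf's ruleset for the packet classes JJB lists (outbound session start, inbound packet of an established session, outbound packet of an established session). It assumes, following ipfw(8) rather than the thread, that a check-state hit executes the action of the rule that created the dynamic entry (for rule 130, skipto 10000) and that divert natd rewrites the private source on the way out and reverses the mapping on the way in; the trace it prints shows where NAT happens relative to the state lookup under those assumptions. Which of these behaviours a given FreeBSD release actually has is what the thread is arguing about, and the model does not settle that. All addresses and ports are constructed sample values.

```python
"""Model of ipfw walking the tcp rules of the quoted script.

Assumptions (from ipfw(8), not from the thread):
  * a check-state hit runs the action of the rule that created the
    dynamic entry, which for rule 130 is 'skipto 10000';
  * 'divert natd' outbound rewrites a private source to the public
    address, and inbound reverses a known mapping.
Addresses and ports below are constructed sample values.
"""

PUBLIC_IP = "203.0.113.5"   # constructed: the address natd puts on rl0
INSIDE = "192.168.1.10"     # constructed: a LAN host behind the firewall
REMOTE = "198.51.100.7"     # constructed: a host on the Internet
OIF = "rl0"
GOOD_TCP = {22, 25, 53, 80, 443, 110}
SKIPTO = 10000


def ends(p):
    """Endpoint pair of a packet, order-free so one entry matches both directions."""
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])


def divert_out(p, nat):
    """natd, outbound: private source becomes the public address; remember it."""
    if p["src"] != PUBLIC_IP:
        nat[(PUBLIC_IP, p["sport"])] = (p["src"], p["sport"])
        p["src"] = PUBLIC_IP
    return p


def divert_in(p, nat):
    """natd, inbound: a known public port maps back to the LAN host."""
    key = (p["dst"], p["dport"])
    if key in nat:
        p["dst"], p["dport"] = nat[key]
    return p


# (rule number, action, match) for the tcp path of the quoted script.
RULES = [
    (100,   "divert natd in",  lambda p: p["dir"] == "in" and p["via"] == OIF),
    (105,   "check-state",     lambda p: True),
    (130,   "skipto",          lambda p: p["proto"] == "tcp" and p["dir"] == "out"
                                         and p["dport"] in GOOD_TCP and p["setup"]),
    (140,   "deny",            lambda p: True),
    (10000, "divert natd out", lambda p: p["dir"] == "out" and p["via"] == OIF),
    (10010, "allow",           lambda p: True),
    (10020, "deny",            lambda p: True),
]


def index_of(rule_number):
    """Index of the first rule numbered >= rule_number (the skipto target)."""
    return next(i for i, r in enumerate(RULES) if r[0] >= rule_number)


def walk(pkt, dyn, nat):
    """Run one packet through RULES; returns (verdict, packet as it leaves, trace)."""
    p, trace, i = dict(pkt), [], 0
    while i < len(RULES):
        num, action, match = RULES[i]
        if not match(p):
            i += 1
            continue
        if action == "divert natd in":
            p = divert_in(p, nat)
            trace.append(f"{num} divert natd in -> dst {p['dst']}")
        elif action == "divert natd out":
            p = divert_out(p, nat)
            trace.append(f"{num} divert natd out -> src {p['src']}")
        elif action == "check-state":
            if ends(p) in dyn:
                # assumed ipfw(8) semantics: run the creating rule's action
                trace.append(f"{num} check-state hit -> skipto {SKIPTO}")
                i = index_of(SKIPTO)
                continue
            trace.append(f"{num} check-state miss")
        elif action == "skipto":
            dyn.add(ends(p))               # keep-state on rule 130
            trace.append(f"{num} keep-state, skipto {SKIPTO}")
            i = index_of(SKIPTO)
            continue
        else:                              # allow / deny end the walk
            trace.append(f"{num} {action}")
            return action, p, trace
        i += 1
    return "deny", p, trace


def scenario():
    """One outbound HTTP session: SYN out, reply in, then established data out."""
    dyn, nat = set(), {}
    syn_out = {"proto": "tcp", "src": INSIDE, "sport": 40000, "dst": REMOTE,
               "dport": 80, "dir": "out", "via": OIF, "setup": True}
    reply_in = {"proto": "tcp", "src": REMOTE, "sport": 80, "dst": PUBLIC_IP,
                "dport": 40000, "dir": "in", "via": OIF, "setup": False}
    data_out = dict(syn_out, setup=False)
    return [walk(pkt, dyn, nat) for pkt in (syn_out, reply_in, data_out)]


if __name__ == "__main__":
    for verdict, p, trace in scenario():
        print(verdict, p["src"], "->", p["dst"], "|", "; ".join(trace))
```

The dynamic entry is recorded at rule 130 with the pre-NAT private source, and inbound replies are de-NATed at rule 100 before check-state, so the two views line up; the third trace is the case JJB describes, and under the assumed skipto-on-hit semantics the packet reaches rule 10000 before being allowed.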


