Date: Sat, 3 Aug 2002 00:03:40 -0700
From: "Crist J. Clark" <crist.clark@attbi.com>
To: Joe & Fhe Barbish <barbish@a1poweruser.com>
Cc: FBIPFW <freebsd-ipfw@FreeBSD.ORG>
Subject: Re: natd & keep-state
Message-ID: <20020803070339.GC47529@blossom.cjclark.org>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGKEBMCHAA.barbish@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGKEBMCHAA.barbish@a1poweruser.com>
On Wed, Jul 31, 2002 at 10:07:59PM -0400, Joe & Fhe Barbish wrote:
> IPFW list members
>
> Advanced Stateful extensions were introduced in FBSD 4.0. When they
> first came out I changed my ipfw rules from stateless and simple
> stateful to using only Advanced Stateful rules for my user
> ppp -nat ISP connection. The ipfw rule set that works with user
> ppp -nat is posted below. I have tried to get this same rules file to
> function exchanging user ppp -nat for ipfw natd. There were always
> problems with the natd ip address and the dynamic rules table getting
> mismatches, so I went back to user ppp -nat. Every new version of FBSD
> I would try again to use natd, hoping there may have been some fixes
> to natd, but no such luck. Each new version still failed. Each time I
> would post questions to the FBSD questions list, but most of the
> replies were from people who were having the same problems with natd
> and keep-state rules that I was. Well, now I am forced to address the
> problem again because I now have cable access to the internet and I
> can no longer use the -nat function of user ppp. So this time I joined
> this ipfw list hoping my post will be read by a larger group of people
> who have a very technical understanding of IPFW/NATD and the Advanced
> Stateful extensions check-state / keep-state, who will be able to
> provide a solution or come to the realization that there is a bug
> that needs fixing.

Deja vu. I think we've been through this before,

  http://docs.freebsd.org/cgi/getmsg.cgi?fetch=2858187+0+archive/2002/freebsd-questions/20020217.freebsd-questions

There is not a bug. ipfw(8) and natd(8) both work as intended. It
happens that 'keep-state' and natd(8) tend not to work very well
together without some serious rule gymnastics. But as I think I have
mentioned to you before, when you use stateless ipfw(8) rules in
combination with natd(8), you can end up with a stateful firewall.
It may be easier to do that than try to pound 'keep-state' and natd(8)
into submission.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
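What the reply describes (stateless ipfw(8) rules in front of natd(8), with no 'keep-state' anywhere), written out as a loadable ruleset. This is an added example for this archive page; it is not Crist's or Joe's ruleset (Joe's ppp -nat rule file is not on this page) and not FreeBSD project code. The interface names fxp0/fxp1, the LAN prefix 192.168.1.0/24 and the rule numbers are assumed placeholders; the rule syntax is FreeBSD 4.x ipfw, and natd is expected to be listening on its default divert port (the natd entry in /etc/services).

```shell
#!/bin/sh
# Added example: stateless ipfw rules for a natd(8) gateway. Not code from
# the thread; fxp0 (outside), fxp1 (inside) and 192.168.1.0/24 are
# hypothetical placeholders. The per-connection "state" is natd's own
# translation table plus the established/setup flag checks below.

# gen_rules OIF IIF LAN_PREFIX -> prints a ruleset in `ipfw FILE` format.
# Lines starting with '#' are explanatory and are stripped before loading.
gen_rules() {
    oif=$1
    iif=$2
    lan=$3
    cat <<EOF
flush
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
# anti-spoofing: our private prefix must never arrive on the outside interface
add 00400 deny log ip from $lan to any in via $oif
# NAT first, in both directions, so every later rule sees translated addresses.
# An inbound packet that matches no natd table entry is left untranslated,
# so it can only reach this host, never a LAN machine.
add 00500 divert natd ip from any to any via $oif
# ACK or RST set: replies to connections natd already knows about
add 00600 allow tcp from any to any established
# new outbound connections (SYN only); natd records them as it translates
add 00700 allow tcp from any to any out via $oif setup
# new inbound connections are refused and logged
add 00800 deny log tcp from any to any in via $oif setup
# stateless UDP pair for DNS; the inbound half relies on natd the same way
add 00900 allow udp from any to any 53 out via $oif
add 01000 allow udp from any 53 to any in via $oif
# the LAN side is trusted
add 01100 allow ip from any to any via $iif
add 65000 deny log ip from any to any
EOF
}

# check_order RULESET -> 0 if the divert rule precedes the 'established'
# rule and that rule precedes the inbound-setup deny, 1 otherwise. Getting
# this order wrong is how rules end up matching untranslated addresses.
check_order() {
    rules=$1
    d=$(printf '%s\n' "$rules" | grep -n '^add .*divert natd' | head -n 1 | cut -d: -f1)
    e=$(printf '%s\n' "$rules" | grep -n '^add .*established' | head -n 1 | cut -d: -f1)
    s=$(printf '%s\n' "$rules" | grep -n '^add .*in via .* setup' | head -n 1 | cut -d: -f1)
    [ -n "$d" ] && [ -n "$e" ] && [ -n "$s" ] && [ "$d" -lt "$e" ] && [ "$e" -lt "$s" ]
}

# Print the ruleset; load it into the kernel only when APPLY=1 is set.
RULESET=$(gen_rules "${OIF:-fxp0}" "${IIF:-fxp1}" "${LAN:-192.168.1.0/24}")
if check_order "$RULESET"; then
    if [ "${APPLY:-0}" = 1 ]; then
        printf '%s\n' "$RULESET" | grep -v '^#' > /tmp/ipfw.rules.$$
        ipfw -q -f /tmp/ipfw.rules.$$
        rm -f /tmp/ipfw.rules.$$
    else
        printf '%s\n' "$RULESET"
    fi
else
    echo "ruleset ordering check failed" >&2
fi
```

Run it without arguments to review the generated rules; `APPLY=1 OIF=fxp0 IIF=fxp1 sh natd-rules.sh` loads them, with natd already running on the outside interface (`natd -n fxp0`) and IP forwarding enabled. The caveat to keep in mind: 'established' passes any packet carrying ACK or RST, so an unsolicited ACK addressed to the gateway's own external address still reaches the gateway's stack (natd leaves it untranslated and the host answers with RST). LAN hosts stay unreachable, but the gateway itself can be ACK-scanned; that, and the need for an explicit rule pair per UDP service, is the price of doing without keep-state.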