does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Tony Frank
tfrank at optushome.com.au
Fri Jun 4 05:35:33 PDT 2004
Hi there,
On Wed, Jun 02, 2004 at 08:39:16PM -0400, JJB wrote:
> Luigi, your statement is very generic and so easy to make, when
> there is no proof given to back it up. There is no documentation
> that backs up your statement that says that stateful rules will work
> in a NATed environment.
I think the standard rc.firewall sample scripts show this behaviour
as working.
> Better yet, here is a stateful rule set
> that works with no LAN behind the firewall machine. I would like to
> see just how you would change it to get it to work in a NATed
> environment. I think once you start trying to get it to work you
> will come to realize the problem ipfw has using stateful rules in a
> NATed environment first hand.
If you have no lan behind the firewall, why do you want to run NAT?
Perhaps I have misunderstood your statement?
> The problem is the content of the
> dynamic table is always different no matter where you position the
> divert rule in the rule set which causes the dynamic table content
> to never match.
Yes, this is an issue, hence correct building/ordering of ipfw rules
is critical.
[...full firewall ruleset removed ...]
I think in your example I would add:
$cmd 000014 divert natd all from any to any via $outside_if
This would be placed before the ipfw check-state rule.
Also your inbound rules probably need some 'keep-state' entries to work?
Regards,
Tony
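As an added example (not part of Tony's post, nor the rc.firewall sample scripts): a small sh script that emits a stateful ipfw ruleset for a natd gateway with the divert rule numbered below check-state, as Tony suggests, and keep-state on the rules that admit new connections. The interface name fxp0, the LAN prefix 192.168.1.0/24, the ipfw path and the rule numbers are placeholders, and the "new connections only from the inside" policy is an assumption made for the example.

```shell
#!/bin/sh
# Stateful ipfw ruleset for a gateway running natd on the outside interface.
# The divert rule sits before check-state so that the dynamic table is only
# consulted after natd has rewritten the packet in either direction.
# oif, lan and IPFW are placeholders; override them in the environment.
oif="${oif:-fxp0}"            # assumed: interface natd is bound to
lan="${lan:-192.168.1.0/24}"  # assumed: private LAN behind the gateway
IPFW="${IPFW:-/sbin/ipfw -q}" # assumed: path to the ipfw binary

# Print the ruleset, one "add ..." command per line, in load order.
build_ruleset() {
    cat <<EOF
add 00010 allow ip from any to any via lo0
add 00012 deny ip from any to 127.0.0.0/8
add 00014 divert natd ip from any to any via $oif
add 00020 check-state
add 00030 deny tcp from any to any in via $oif setup
add 00031 deny udp from any to any in via $oif
add 00040 allow tcp from any to any setup keep-state
add 00041 allow udp from any to any keep-state
add 00050 allow icmp from any to any icmptypes 0,3,8,11
add 00060 deny log ip from any to any
EOF
}

# Return the number of the first rule whose text matches the given pattern,
# so the ordering of divert vs. check-state can be checked before loading.
rule_number() {
    build_ruleset | awk -v pat="$1" '$0 ~ pat { print $2 + 0; exit }'
}

# Count the rules that create dynamic state (keep-state entries).
keep_state_count() {
    build_ruleset | grep -c 'keep-state'
}

# Flush and load the ruleset; only runs when explicitly requested.
load_ruleset() {
    $IPFW -f flush
    build_ruleset | $IPFW /dev/stdin
}

if [ "${NATFW_APPLY:-no}" = "yes" ]; then
    load_ruleset
fi
```

The keep-state rules deliberately say `from any to any` rather than `from $lan`: this script assumes that on the out pass via $oif natd has already rewritten the source address, so a rule restricted to the LAN prefix would no longer match there. New inbound connections from the outside are refused by the two deny rules placed after check-state, so replies to LAN-originated sessions still pass via the dynamic table.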