Barbish3 at adelphia.net
Thu Feb 26 05:57:06 PST 2004
You have run into the IPFW legacy divert/NATed subroutine bug. IPFW
stateful rules and divert/NAT do not work together. IPFW stateful
rules only work in non-NATed environments. You need to use
IPFILTER/IPNAT, the other firewall software application, which is
built into FBSD. The FBSD handbook does not even tell you that FBSD
has more than one firewall. Smart move to want a stateful firewall;
they provide the max in protection.
See the FAQ: http://www.phildev.net/ipf/index.html
I use ipfilter and do exactly what you want. If you want a copy of my
rules, let me know.
As of July 2003 the OpenBSD firewall software application named PF
was ported to FBSD. It's scheduled to become the third firewall
software application delivered with the FBSD install with the next
stable production release.
You can find it in the FBSD ports collection here
More Info can be found here
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Mihai Marie
Sent: Thursday, February 26, 2004 3:12 AM
To: freebsd-questions at freebsd.org
Subject: stateful firewall
I want to set up a firewall (on my LAN's gateway) so that the only
traffic that passes through is the one initiated from my local network
have public IP's).
My firewall looks like this:
ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from $my_lan to any setup keep-state
The problems appear when I want to make some ftp traffic with a
that is outside (or any other traffic that tries to open a new
connection in relation with the one initiated from our LAN).
With iptables (in redhat) you can do:
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
but I don't know how I can do something like this using ipfw or
firewall on FreeBSD.
Any help would be appreciated,
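As an added example (not Barbish3's rules and not part of the original thread), an IPFILTER/IPNAT ruleset that does what the question asks for: only LAN-initiated connections get through, replies are matched by the state table, and the FTP proxy in ipnat handles the "related" data connections that the ipfw keep-state rules could not. Interface names (fxp0 outside, fxp1 inside) and the LAN block 192.168.1.0/24 are assumptions for the example.

```conf
# /etc/ipf.rules  (assumed: fxp0 = public side, fxp1 = LAN side)
# ipfilter is last-match unless "quick", so every rule here is "quick".

# loopback is unrestricted
pass in quick on lo0 all
pass out quick on lo0 all

# LAN interface: trust the inside network completely
pass in quick on fxp1 all
pass out quick on fxp1 all

# Public interface: only connections initiated from inside are allowed.
# "flags S" matches the initial SYN; "keep state" creates the state-table
# entry that later lets the reply packets back in, so no "established"
# rule is needed (and none of the spoofable ACK-only traffic is let in).
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# anything arriving from the outside that has no state entry is dropped
block in log quick on fxp0 all
block out log quick on fxp0 all

# /etc/ipnat.rules  (assumed LAN block 192.168.1.0/24; 0/32 = fxp0's address)
# The ftp proxy rewrites PORT commands and opens the active-mode data
# connection on demand, which is what the iptables RELATED state does.
# It must come before the generic map rules.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:40000
map fxp0 192.168.1.0/24 -> 0/32
```

If the LAN really does have public addresses, the ipnat part is unnecessary; the ipf.rules stateful section alone gives the egress-only behaviour, though active-mode FTP from inside will then still need the FTP proxy or passive mode.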