ipfw/nated stateful rules example

fbsd_user fbsd_user at a1poweruser.com
Mon Jan 19 13:42:11 PST 2004


I disagree with you that the /etc/rc.firewall is the best example.
It's really a good example of stateless rules, and of how to use
scripting symbolic substitution.

I have a working keep-state rule set using user-ppp -nat, but as soon
as I add that darn legacy divert rule and drop user-ppp -nat it will
not work. The dynamic stateful rules table always ends up with a
mismatch between public and private IP address. Moving the divert
rule around only changes which IP address gets posted to the
stateful table (i.e. the private or the public one).

Test results look like that legacy divert subroutine call to NATD is
the problem. I see the same mismatched IP address problem when stateless
rules are used, but since there is no stateful table involved it
just slips by unnoticed.

I was hoping that the ipfw2 rewrite would have fixed this problem.
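The mismatch described above can be reproduced in a small model of ipfw's rule traversal. The following is an added example, not code from the thread: it models a divert-to-natd rule, check-state and keep-state rules, and walks an outbound connection and its reply through three rule orderings. The addresses, the one-client natd model, and the "keep-state records and continues" shorthand (standing in for a skipto to the divert rule) are all assumptions of the example. The third ordering, two divert rules with inbound translation before check-state and outbound translation after keep-state, is the arrangement later FreeBSD Handbook NAT rulesets use; it is not something the thread proposes.

```python
"""Toy model of ipfw rule traversal with a `divert natd` rule and
check-state / keep-state rules. It shows how the position of the divert
rule decides whether the dynamic table records the private or the public
address, and why a single divert rule leaves the reply unmatched.
All addresses are constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, replace

PRIVATE_HOST = "192.168.1.10"   # constructed: LAN client behind the gateway
PUBLIC_IP = "198.51.100.1"      # constructed: gateway's public address
REMOTE = "203.0.113.5"          # constructed: remote web server


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in" relative to the public interface


def natd(pkt):
    """Model of natd for one client: rewrite the private source on the way
    out, restore the private destination on the way in."""
    if pkt.direction == "out" and pkt.src == PRIVATE_HOST:
        return replace(pkt, src=PUBLIC_IP)
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
        return replace(pkt, dst=PRIVATE_HOST)
    return pkt


class Firewall:
    """Rules are (kind, direction) pairs evaluated top to bottom, like ipfw.
    kind: check-state | divert | keep-state | allow | deny
    direction: "in", "out" or "any" (the rule's 'in via'/'out via' clause).
    keep-state records the flow and continues to the next rule, which stands
    in for the 'skipto <divert rule>' action commonly used with natd."""

    def __init__(self, rules):
        self.rules = rules
        self.dynamic = set()  # entries: (src, sport, dst, dport) as recorded

    def _dyn_match(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return fwd in self.dynamic or rev in self.dynamic

    def pass_packet(self, pkt):
        """Return the verdict for one packet, rewriting it as natd would."""
        checked = False
        for kind, direction in self.rules:
            # check-state consults the dynamic table; so does the first
            # keep-state rule when no check-state precedes it (ipfw semantics)
            if kind == "check-state" or (kind == "keep-state" and not checked):
                checked = True
                if self._dyn_match(pkt):
                    return "allow"  # action of the rule that created the entry
                if kind == "check-state":
                    continue
            if direction not in ("any", pkt.direction):
                continue
            if kind == "divert":
                pkt = natd(pkt)  # natd rewrites, ipfw resumes at the next rule
            elif kind == "keep-state":
                self.dynamic.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            elif kind == "allow":
                return "allow"
            elif kind == "deny":
                return "deny"
        return "deny"  # default when nothing matched


def session(rules):
    """Send the client's outbound SYN, then the server's reply as it arrives
    on the public interface (still addressed to the public IP). Return the
    two verdicts and the source addresses the dynamic table recorded."""
    fw = Firewall(rules)
    syn = Packet(PRIVATE_HOST, 40000, REMOTE, 80, "out")
    reply = Packet(REMOTE, 80, PUBLIC_IP, 40000, "in")
    out_verdict = fw.pass_packet(syn)
    recorded = sorted(entry[0] for entry in fw.dynamic)
    in_verdict = fw.pass_packet(reply)
    return out_verdict, in_verdict, recorded


# One divert rule for both directions, placed before the stateful rules:
# the table records the public address, the translated reply carries the
# private address, so check-state misses and the reply is denied.
SINGLE_DIVERT_FIRST = [("divert", "any"), ("check-state", "any"),
                       ("keep-state", "out"), ("allow", "out"), ("deny", "any")]

# The same single divert rule moved after the stateful rules: the table now
# records the private address, but the reply reaches check-state before natd
# has restored that address, so it still misses.
SINGLE_DIVERT_LAST = [("check-state", "any"), ("keep-state", "out"),
                      ("divert", "any"), ("allow", "out"), ("deny", "any")]

# Two divert rules: inbound translation before check-state, outbound
# translation after keep-state, so the table and the translated reply
# agree on the private address.
SPLIT_DIVERT = [("divert", "in"), ("check-state", "any"), ("keep-state", "out"),
                ("divert", "out"), ("allow", "out"), ("deny", "any")]

if __name__ == "__main__":
    for name, rules in [("single divert first", SINGLE_DIVERT_FIRST),
                        ("single divert last", SINGLE_DIVERT_LAST),
                        ("split divert", SPLIT_DIVERT)]:
        out_v, in_v, table = session(rules)
        print(f"{name:20s} out={out_v} in={in_v} table={table}")
```

Running it shows the symptom from the post: with one divert rule, moving it only flips which address the table records (public first, private last), and the reply is denied either way; only the split arrangement lets check-state see the same private address on both legs.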
-----Original Message-----
From: owner-freebsd-questions at freebsd.org
[mailto:owner-freebsd-questions at freebsd.org]On Behalf Of Thomas T.
Veldhouse
Sent: Monday, January 19, 2004 1:41 PM
To: fbsd_user at a1poweruser.com; freebsd-questions at FreeBSD.ORG
Subject: Re: ipfw/nated stateful rules example

fbsd_user wrote:
> Friends
> In both 4.9 and 5.2 I can not get a rules set to function that only
> uses keep-state rules for outbound and inbound selection control
> and the divert rule.
>
> Does anybody have a rules set they can share with me as a sample
> for me to see?
>
> Thanks
>

The best sample is /etc/rc.firewall [and look in /usr/share/examples/ipfw
for a potentially useful script to use while testing].  I have moved over to
IPFILTER due to the fact that natd is userland based and is more problematic
[than ipnat] because of it.

Tom Veldhouse
