Dynamic rules not being matched after divert...

Michael Sierchio kudzu at tenebras.com
Thu Jul 24 13:50:45 PDT 2003


Sean Chittenden wrote:
> I'm setting up an ipfw2+natd gateway and am pretty convinced there's a
> bug in the way that ipfw2 promotes dynamic rules to being fully
> established.

I and others have said similar things, but we were simply wrong.  The
problem is that natd is already a stateful bugger, and when packets
match a stateful rule in one direction (after natting, say) they
cannot match the rule in the other direction -- addresses won't match.
In one case you have the private address, in the other, the public
address.

This has been discussed before.  I'm working on new examples for
rc.firewall....
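As an added illustration of the mismatch described above (example code, not from the thread or from FreeBSD's ipfw/natd), this Python model keeps a dynamic-rule table keyed on the packet's addresses and a natd stand-in that rewrites them; the addresses, ports and rule ordering are constructed assumptions. It generalises the point slightly: the reply only matches when check-state sees the packet on the same side of NAT as the keep-state that created the entry.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses (RFC 1918 / documentation ranges).
PRIVATE, PUBLIC, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


class Natd:
    """Minimal natd stand-in: rewrites outbound source to the public address
    and un-NATs inbound replies whose destination it remembers."""

    def __init__(self, public: str) -> None:
        self.public = public
        self.table: dict[tuple[str, int], str] = {}  # (public, port) -> private src

    def divert(self, p: Pkt, outbound: bool) -> Pkt:
        if outbound:
            self.table[(self.public, p.sport)] = p.src
            return replace(p, src=self.public)
        priv = self.table.get((p.dst, p.dport))
        return replace(p, dst=priv) if priv else p


class Ipfw:
    """Dynamic rules keyed on the full address/port tuple, as ipfw keep-state does."""

    def __init__(self) -> None:
        self.dyn: set[tuple[str, int, str, int]] = set()

    def keep_state(self, p: Pkt) -> None:
        self.dyn.add((p.src, p.sport, p.dst, p.dport))

    def check_state(self, p: Pkt) -> bool:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        return fwd in self.dyn or rev in self.dyn


def session(check_before_divert: bool) -> bool:
    """Send one outbound packet, then its reply. Returns whether the reply
    matched the dynamic rule created by keep-state on the way out."""
    fw, nat = Ipfw(), Natd(PUBLIC)
    out = Pkt(PRIVATE, 40000, REMOTE, 80)
    fw.keep_state(out)                     # state recorded with the PRIVATE address
    out = nat.divert(out, outbound=True)   # natd rewrites src to PUBLIC afterwards
    reply = Pkt(REMOTE, 80, PUBLIC, 40000)  # reply arrives addressed to PUBLIC
    if check_before_divert:
        matched = fw.check_state(reply)    # compares PUBLIC against PRIVATE: no match
        reply = nat.divert(reply, outbound=False)
    else:
        reply = nat.divert(reply, outbound=False)  # un-NAT first, dst is PRIVATE again
        matched = fw.check_state(reply)
    return matched
```

`session(True)` models check-state placed ahead of the inbound divert and returns False; `session(False)` un-NATs first and returns True.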
