ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0

umage theultramage at gmail.com
Thu Jun 23 12:05:54 UTC 2011


Some points:
1) I did use the handbook as reference, and my ruleset mimics the layout used there.
2) Handbook uses divert natd, which I used until I switched to the kernel nat approach.
3) I did not find any concrete examples of ipfw nat rule usage, so I'm using them the old natd way.

I did some more experiments, and noticed that for example, an inbound 
connection can still communicate both ways after the initial state table 
rule expires (20 seconds for some reason). If they communicate while the 
state entry is alive, the timeout resets, but it seems like it doesn't 
matter at all. This leads me to believe that 'ipfw nat' keeps an 
internal state table, which cannot be viewed, but is checked when doing 
check-state. Or something... which I have no way of knowing.

Here's a pruned version of the ruleset I used. Rule 600 is the one that 
adds that remote <--> local state table entry that messes everything up. 
If I omit keep-state on it, then traffic from the local side will be the 
one creating the states when replying, with a 5-second timeout.
--------------------
$fw add 100 allow all from any to any via $lan_if

$fw nat 1 config if $wan_if redirect_port 192.168.0.55:12345 12345
$fw add 200 nat 1 ip4 from any to any in via $wan_if

$fw add 300 check-state

$fw add 400 skipto 800 ip4 from any to any out via $wan_if keep-state
$fw add 500 allow all from any to any out keep-state

$fw add 600 allow all from any to any dst-port 12345 in keep-state
$fw add 700 deny all from any to any in

$fw add 800 nat 1 ip4 from any to any out
$fw add 900 allow all from any to any
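As an added illustration (not part of the original post and not ipfw's own code), the following Python model walks the pruned ruleset above for an inbound connection to the redirected port and then for the LAN host's reply, once with and once without keep-state on rule 600. It assumes the ipfw behaviour that a check-state hit executes the parent rule's action without creating a new entry, that nat rules fall through under one_pass=0, and that a dynamic entry matches both directions of the flow; the addresses and ports are constructed.

```python
# Toy model of ipfw rule walking with net.inet.ip.fw.one_pass=0 (assumptions:
# a check-state hit runs the parent rule's action; nat rules fall through).
NAT_INT, WAN_IP, REMOTE = "192.168.0.55", "203.0.113.1", "198.51.100.7"  # constructed

def key(p):  # a dynamic entry matches both directions of the flow
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def nat(p):  # stand-in for 'nat 1': redirect_port inbound, masquerade outbound
    if p["dir"] == "in" and p["dst"] == WAN_IP and p["dport"] == 12345:
        p["dst"] = NAT_INT
    elif p["dir"] == "out" and p["src"].startswith("192.168."):
        p["src"] = WAN_IP

def make_rules(keep_state_600):  # (number, action, arg, predicate, keep-state)
    return [
        (100, "allow", None, lambda p: p["iface"] == "lan", False),
        (200, "nat", None, lambda p: p["dir"] == "in" and p["iface"] == "wan", False),
        (300, "check-state", None, lambda p: True, False),
        (400, "skipto", 800, lambda p: p["dir"] == "out" and p["iface"] == "wan", True),
        (500, "allow", None, lambda p: p["dir"] == "out", True),
        (600, "allow", None, lambda p: p["dir"] == "in" and p["dport"] == 12345, keep_state_600),
        (700, "deny", None, lambda p: p["dir"] == "in", False),
        (800, "nat", None, lambda p: True, False),
        (900, "allow", None, lambda p: True, False)]

def run(rules, p, dyn):  # walk the rules for one packet; returns (verdict, rule number)
    index, i = {r[0]: n for n, r in enumerate(rules)}, 0
    while i < len(rules):
        num, action, arg, match, ks = rules[i]
        if action == "check-state":
            hit = next((d for d in dyn if d[0] == key(p)), None)
            if hit is None: i += 1; continue
            num, action, arg, match, _ = rules[index[hit[1]]]
            ks = False  # the parent rule decides; a hit creates no new entry
        elif not match(p): i += 1; continue
        if ks: dyn.append((key(p), num))
        if action == "nat":  # one_pass=0: rewrite, then keep walking
            nat(p); i += 1; continue
        if action == "skipto":
            i = index[arg]; continue
        return action, num
    return "deny", None  # fell off the end: default deny

def reply_source(keep_state_600):  # inbound SYN to port 12345, then the host's reply out on wan
    rules, dyn = make_rules(keep_state_600), []
    run(rules, dict(src=REMOTE, sport=40000, dst=WAN_IP, dport=12345, dir="in", iface="wan"), dyn)
    rep = dict(src=NAT_INT, sport=12345, dst=REMOTE, dport=40000, dir="out", iface="wan")
    verdict, num = run(rules, rep, dyn)
    return verdict, num, rep["src"]  # src still private means rule 800's nat never ran
```

In this model, with keep-state on rule 600 the reply is decided at rule 300 by the entry that rule 600 created and never reaches the nat at 800, whereas without it the reply takes the 400 -> 800 path and leaves with the WAN address.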
