ipfw nat inbound keep-state with net.inet.ip.fw.one_pass=0
umage
theultramage at gmail.com
Thu Jun 23 12:05:54 UTC 2011
Some points:
1) I did use the handbook as reference, and my ruleset mimics the layout
used there.
2) The Handbook uses divert natd, which I used until I switched to the
kernel nat approach.
3) I did not find any concrete examples of ipfw nat rule usage, so I'm
using them the old natd way.
I did some more experiments, and noticed that for example, an inbound
connection can still communicate both ways after the initial state table
rule expires (20 seconds for some reason). If they communicate while the
state entry is alive, the timeout resets, but it seems like it doesn't
matter at all. This leads me to believe that 'ipfw nat' keeps an
internal state table, which cannot be viewed, but is checked when doing
check-state. Or something... which I have no way of knowing.
Here's a pruned version of the ruleset I used. Rule 600 is the one that
adds that remote <--> local state table entry that messes everything up.
If I omit keep-state on it, then traffic from the local side will be the
one creating the states when replying, with a 5-second timeout.
--------------------
$fw add 100 allow all from any to any via $lan_if
$fw nat 1 config if $wan_if redirect_port 192.168.0.55:12345 12345
$fw add 200 nat 1 ip4 from any to any in via $wan_if
$fw add 300 check-state
$fw add 400 skipto 800 ip4 from any to any out via $wan_if keep-state
$fw add 500 allow all from any to any out keep-state
$fw add 600 allow all from any to any dst-port 12345 in keep-state
$fw add 700 deny all from any to any in
$fw add 800 nat 1 ip4 from any to any out
$fw add 900 allow all from any to any
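An added toy model, not from the poster or from ipfw itself, of how packets crossing $wan_if walk the ruleset above with one_pass=0. It assumes ipfw's documented semantics that a nat action continues at the next rule and that a check-state hit runs the action of the rule that created the dynamic entry, and it uses constructed addresses; it traces the redirected connection both with and without keep-state on rule 600.

```python
# Toy walk of the pruned ruleset above on the $wan_if pass with one_pass=0:
# a nat action falls through to the next rule, a check-state hit runs the
# action of the rule that created the dynamic entry. Rule 100 ($lan_if) is
# left out; it never applies on this pass. Addresses are constructed.
LAN_HOST, PUBLIC_IP, REMOTE = "192.168.0.55", "203.0.113.1", "198.51.100.9"

def nat(p):  # stand-in for 'nat 1': redirect_port inbound, masquerade outbound
    if p["dir"] == "in" and (p["dst"], p["dport"]) == (PUBLIC_IP, 12345):
        return {**p, "dst": LAN_HOST}
    return {**p, "src": PUBLIC_IP} if p["dir"] == "out" and p["src"] == LAN_HOST else p

def flow(p):  # direction-less key: a dynamic entry also matches the replies
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

RULES = [  # (number, action, match) in ruleset order
    (200, "nat",         lambda p: p["dir"] == "in"),
    (300, "check-state", lambda p: True),
    (400, "skipto 800",  lambda p: p["dir"] == "out"),
    (500, "allow",       lambda p: p["dir"] == "out"),
    (600, "allow",       lambda p: p["dir"] == "in" and p["dport"] == 12345),
    (700, "deny",        lambda p: p["dir"] == "in"),
    (800, "nat",         lambda p: True),
    (900, "allow",       lambda p: True),
]
ACTION = {n: a for n, a, _ in RULES}
INDEX = {n: i for i, (n, _, _) in enumerate(RULES)}

def walk(pkt, states, keep_state=(400, 500, 600)):
    """Return (rule whose action ended processing, packet as it leaves)."""
    p, i = dict(pkt), 0
    while True:
        num, action, match = RULES[i]
        if action == "check-state" and flow(p) in states:
            num = states[flow(p)]; action = ACTION[num]   # parent rule's action
        elif action == "check-state" or not match(p):
            i += 1; continue
        elif num in keep_state:
            states.setdefault(flow(p), num)               # create dynamic entry
        if action == "nat":
            p = nat(p); i += 1                            # one_pass=0: keep going
        elif action.startswith("skipto"):
            i = INDEX[int(action.split()[1])]
        else:
            return num, p                                 # allow / deny

def redirected_connection(keep_state_on_600=True):
    """Inbound SYN to PUBLIC_IP:12345, then the LAN host's reply out $wan_if."""
    ks, states = ((400, 500, 600) if keep_state_on_600 else (400, 500)), {}
    syn = dict(dir="in", src=REMOTE, sport=40000, dst=PUBLIC_IP, dport=12345)
    reply = dict(dir="out", src=LAN_HOST, sport=12345, dst=REMOTE, dport=40000)
    r1, _ = walk(syn, states, ks)
    r2, out = walk(reply, states, ks)
    return r1, r2, out["src"]   # reply source as the remote peer would see it
```

In this model, with keep-state on rule 600 the LAN host's reply is accepted at check-state by rule 600's allow before rule 800 is reached, so it leaves with its private source address; without it, the reply creates rule 400's state, is translated at 800 and ends at 900.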