Date: Sat, 3 Aug 2002 00:03:40 -0700
From: "Crist J. Clark"
To: Joe & Fhe Barbish
Cc: FBIPFW
Subject: Re: natd & keep-state
Message-ID: <20020803070339.GC47529@blossom.cjclark.org>

On Wed, Jul 31, 2002 at 10:07:59PM -0400, Joe & Fhe Barbish wrote:
> IPFW list members
>
> Advanced Stateful extensions were introduced in FBSD 4.0.
> When they first came out I changed my ipfw rules from stateless and simple
> stateful to using only Advanced Stateful rules for my user ppp -nat ISP
> connection. The ipfw rule set that works with user ppp -nat is posted below.
> I have tried to get this same rules file to function exchanging user ppp -nat
> for ipfw natd. There were always problems with natd ip address and the
> dynamic rules table getting mismatches, so I went back to user ppp -nat.
> Every new version of FBSD I would try again to use natd, hoping there may
> have been some fixes to natd, but no such luck. Each new version still
> failed. Each time I would post questions to the FBSD questions list, but
> most of the replies were from people who were having the same problems with
> natd and keep-state rules that I was. Well now I am forced to address the
> problem again because I now have cable access to the internet and I can no
> longer use the -nat function of user ppp. So this time I joined this ipfw
> list hoping my post will be read by a larger group of people who have a very
> technical understanding of IPFW/NATD and the Advanced Stateful extensions
> check-state / keep-state who will be able to provide a solution or come to
> the realization that there is a bug that needs fixing.

Deja vu. I think we've been through this before,

  http://docs.freebsd.org/cgi/getmsg.cgi?fetch=2858187+0+archive/2002/freebsd-questions/20020217.freebsd-questions

There is not a bug. ipfw(8) and natd(8) both work as intended. It happens that 'keep-state' and natd(8) tend not to work very well together without some serious rule gymnastics. But as I think I have mentioned to you before, when you use stateless ipfw(8) rules in combination with natd(8), you can end up with a stateful firewall. It may be easier to do that than try to pound 'keep-state' and natd(8) into submission.

-- 
Crist J. Clark                     |     cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
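The "stateless rules plus natd" arrangement the reply refers to, written out as an added example in the style of FreeBSD's /etc/rc.firewall. This is not Crist's or the list's rule set (the poster's own rules file is not in the archived message). Interface names ed0/ed1, the 192.168.1.0/24 private network and the rc.conf natd settings in the comments are assumptions for illustration; the rule syntax is standard ipfw(8) of that era. The point it shows is why no keep-state rule is needed: natd's translation table, with -deny_incoming, already refuses inbound packets that no inside host initiated, and the comment at the divert rule notes the address flip that makes keep-state and natd disagree with each other.

```sh
#!/bin/sh
# Added example (not from the original message): a stateless ipfw(8) rule set
# placed around natd(8), written in the style of FreeBSD's /etc/rc.firewall.
# Assumed example values: outside interface ed0, inside interface ed1,
# inside network 192.168.1.0/24. natd is assumed to be started from rc.conf:
#   natd_enable="YES"  natd_interface="ed0"  natd_flags="-deny_incoming"
#
# Why this is stateful without keep-state: natd records every translated
# outbound packet in its own table and, with -deny_incoming, drops any inbound
# packet that has no table entry. The TCP rules below add the usual
# established/setup split, so the only connection state is natd's.

fwcmd="${fwcmd:-/sbin/ipfw}"        # fwcmd=echo for a dry run
oif="${oif:-ed0}"                   # public side (natd_interface)
iif="${iif:-ed1}"                   # private side
inet="${inet:-192.168.1.0/24}"      # private network behind natd

load_rules() {
    $fwcmd -f flush

    # Loopback and anti-spoofing first.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    $fwcmd add 130 deny ip from $inet to any in via $oif

    # Inside network talks freely through the private interface.
    $fwcmd add 150 allow ip from any to any via $iif

    # Translation point. Below this rule an outbound packet carries the
    # public source address and an inbound reply already carries its private
    # destination, so the rules after it must not match on $inet as the
    # outbound source. This address flip is also why a keep-state rule on
    # either side of the divert sees the reply with different addresses than
    # the packet that created the dynamic entry.
    $fwcmd add 200 divert natd ip from any to any via $oif

    # Stateless TCP: replies (ACK/RST set) pass, inbound SYNs are refused,
    # any remaining SYN is an outbound connection.
    $fwcmd add 300 allow tcp from any to any established
    $fwcmd add 310 deny log tcp from any to any in via $oif setup
    $fwcmd add 320 allow tcp from any to any setup

    # UDP and ICMP: unsolicited inbound packets were already dropped by natd
    # (-deny_incoming); what reaches these rules inbound is a reply.
    $fwcmd add 400 allow udp from any to any 53 out via $oif
    $fwcmd add 410 allow udp from any 53 to any in via $oif
    $fwcmd add 500 allow icmp from any to any icmptypes 0,3,8,11

    # Everything else is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any
}

case "${1:-}" in
    load)    load_rules ;;
    dry-run) fwcmd=echo; load_rules ;;
esac
```

`sh ipfw-natd.sh dry-run` prints the rules in order without touching the kernel; `sh ipfw-natd.sh load` installs them (as root, on a FreeBSD box with ipfw and natd enabled). The one ordering rule worth remembering from it: every rule after the divert is written against post-translation addresses, which is the mismatch the poster kept hitting when dynamic rules were involved.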