From owner-freebsd-questions Wed Jan 3 23:22:48 2001
From owner-freebsd-questions@FreeBSD.ORG Wed Jan 3 23:22:46 2001
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 3C3C637B402 for ; Wed, 3 Jan 2001 23:22:46 -0800 (PST)
Received: from rfx-64-6-211-149.users.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 3 Jan 2001 23:20:24 -0800
Received: (from cjc@localhost) by rfx-64-6-211-149.users.reflexcom.com (8.11.0/8.11.0) id f047M4P16469; Wed, 3 Jan 2001 23:22:04 -0800 (PST) (envelope-from cjc)
Date: Wed, 3 Jan 2001 23:22:03 -0800
From: "Crist J. Clark"
To: Phil C
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw, check-state & natd
Message-ID: <20010103232203.H95729@rfx-64-6-211-149.users.reflexco>
Reply-To: cjclark@alum.mit.edu
References: <20010103131202.A62258@planw-65-33-233-186.pompano.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: <20010103131202.A62258@planw-65-33-233-186.pompano.net>; from mongo@elephantitis.org on Wed, Jan 03, 2001 at 01:12:02PM -0500
Sender: cjc@rfx-64-6-211-149.users.reflexcom.com
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Jan 03, 2001 at 01:12:02PM -0500, Phil C wrote:
> Is there a way to allow for checking the state of outbound packets within
> ipfw ... while also using natd for masquerading? I have tried adding the
> 'keep-state' directive on outbound rules for my lan interface and my isp
> interface, i.e.:
>
>
> ipfw add check-state
> ...
> ipfw add pass ip from ${cable} to any keep-state
> ipfw add pass tcp from ${net}:${mask} to any setup via ${if_lan} keep-state
> ...
> ipfw add deny ip from any to any
>
>
> Tho when I do this all packets drop without a trace, because I would assume
> the state does not match. I say that I assume because the check-state rule
> never increases in packet count and the deny rules do not increase either.
> Tho in my logs I see that packets are being denied and there are a lot of
> 'natd: failed to write packet back (Permission denied)' messages too.
>
> So does anyone have any ideas?

The concept should work. That's how my firewall works. You did not post
all of your rules. My first guess would be that the packets are getting
dropped before they get to the keep-state rule. Hard to say.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
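The ordering question the thread circles around (where the natd divert, check-state, keep-state and deny rules must sit relative to each other) is easiest to see in a complete ruleset. The following is an added example, not code posted by either participant: it reuses Phil's variable names (${cable}, ${net}, ${mask}, ${if_lan}) and adds assumed placeholders for the external interface (ed0), LAN interface (ed1), addresses and mask; 8668 is natd(8)'s default divert port. Packets that natd writes back re-enter the firewall at the rule after the divert rule, so the divert comes first on the external path, check-state next so replies are already translated back to internal addresses when state is looked up, the keep-state rules after that, and a logged deny last. A reinjected packet that reaches that deny is what natd reports as "failed to write packet back (Permission denied)", so the deny rule's log is where to look when that message appears. The script also lints the generated order, which is the check I would run before loading a ruleset on a remote box.

```shell
#!/bin/sh
# Added example (not from the thread): an ordered ipfw/natd ruleset plus an
# order check. Interface names, addresses and mask are constructed placeholders.
if_cable="${if_cable:-ed0}"            # assumed external (ISP) interface
if_lan="${if_lan:-ed1}"                # assumed LAN interface
cable="${cable:-192.0.2.1}"            # assumed external address (TEST-NET)
net="${net:-192.168.1.0}"              # assumed internal network ...
mask="${mask:-255.255.255.0}"          # ... and its netmask
natd_port="${natd_port:-8668}"         # natd(8) default divert port

# Emit the ruleset one rule per line, numbered in the order packets must see it:
#  1. divert to natd on the external interface, so replies are translated back
#     to internal addresses before any state lookup (packets natd writes back
#     resume at the rule after the divert rule);
#  2. check-state, so established flows pass without re-evaluating the rules;
#  3. keep-state rules, which create the dynamic state on a flow's first packet;
#  4. a final logged deny, which is also where natd-reinjected packets end up
#     when nothing passes them (natd then reports "Permission denied").
build_ruleset() {
cat <<EOF
00100 divert ${natd_port} ip from any to any via ${if_cable}
00200 check-state
00300 pass tcp from ${net}:${mask} to any setup via ${if_lan} keep-state
00310 pass udp from ${net}:${mask} to any via ${if_lan} keep-state
00320 pass icmp from ${net}:${mask} to any via ${if_lan} keep-state
00400 pass ip from ${cable} to any via ${if_cable} keep-state
00500 pass ip from any to any via lo0
65000 deny log ip from any to any
EOF
}

# Lint the order of a ruleset passed as one string: divert before check-state,
# check-state before the first keep-state rule, deny after all of them.
# Prints the rule numbers found and returns 0 when ordered, 1 otherwise.
check_order() {
    printf '%s\n' "$1" | awk '
        $2 == "divert"      { divert = $1 + 0 }
        $2 == "check-state" { cs = $1 + 0 }
        /keep-state/        { n = $1 + 0
                              if (first_ks == 0 || n < first_ks) first_ks = n }
        $2 == "deny"        { deny = $1 + 0 }
        END {
            ok = (divert > 0 && cs > divert && first_ks > cs && deny > first_ks)
            printf "divert=%d check-state=%d first-keep-state=%d deny=%d -> %s\n",
                   divert, cs, first_ks, deny, (ok ? "ordered" : "MISORDERED")
            exit (ok ? 0 : 1)
        }'
}

# Load the ruleset into the running kernel (only when invoked with "apply").
apply_ruleset() {
    ipfw -q -f flush
    build_ruleset | while read -r rule; do
        ipfw -q add $rule      # word splitting of $rule is intended
    done
}

case "${1:-show}" in
    apply) apply_ruleset ;;
    *)     rules=$(build_ruleset)
           printf '%s\n' "$rules"
           check_order "$rules" ;;
esac
```

Run it without arguments to print the ruleset and the order check; `sh script.sh apply` flushes and loads it. The lint only checks relative rule numbers, not interface or address semantics, so it catches the "keep-state before check-state" and "deny before the rules that should pass" mistakes and nothing more.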