From owner-freebsd-ipfw Sat Aug 3 13:15:06 2002
From: "Joe & Fhe Barbish"
To: "Michael Sierchio"
Cc: "Crist J. Clark", "FBIPFW"
Subject: RE: natd & keep-state
Date: Sat, 3 Aug 2002 16:14:57 -0400
In-Reply-To: <3D4C2D1C.5020900@tenebras.com>

Michael

You give an example based on having two IP addresses on my outside interface. The outside address is that single IP address assigned by my ISP. Your keep-state rules are generic, allowing no selection by port number or the direction the packet is traveling, i.e. entering my private network from the public internet or leaving my private network for the public internet. I need selection control allowing only certain types of packets. Please clarify what you are talking about and make your changes to my posted rules file so we stay on the same page when discussing solutions.
Thanks
Joe

-----Original Message-----
From: owner-freebsd-ipfw@FreeBSD.ORG [mailto:owner-freebsd-ipfw@FreeBSD.ORG] On Behalf Of Michael Sierchio
Sent: Saturday, August 03, 2002 3:21 PM
To: barbish@a1poweruser.com
Cc: Crist J. Clark; FBIPFW; archie@whistle.com; cmott@scientech.com; perhaps@yes.no; suutari@iki.fi; dnelson@redwoodsoft.com; brian@awfulhak.org; ru@FreeBSD.org; rizzo@icir.org
Subject: Re: natd & keep-state

Joe & Fhe Barbish wrote:

> So Crist we meet again.

[scads of drivel deleted]

As Crist stated, ipfw stateful rules and natd aren't inherently compatible, but it is possible to use them together. This is facilitated by using at least two IP addresses on the outside interface, and some non-intuitive rules. A brief snippet:

#
fw="/sbin/ipfw -q"
ipaddr1="145.X.X.12"
ipaddr2="145.X.X.14"

# some rules skipped for this example ($oif, the outside interface, is set there)

# note the asymmetry: inbound, only packets for the second address are
# handed to natd; outbound, everything is translated before the stateful
# rules below see it
$fw add 02000 divert natd ip from any to $ipaddr2 in recv $oif
$fw add 02000 divert natd ip from any to any out xmit $oif

$fw add 02400 check-state
$fw add 02500 allow icmp from any to any icmptype 0,3,8,11

# natd is invoked with 'deny_incoming'
$fw add 02620 allow ip from $ipaddr2 to any
$fw add 02630 allow ip from any to $ipaddr2

# dynamic rules are created after translation, so they are keyed on $ipaddr1
$fw add 05800 allow udp from $ipaddr1 to any keep-state
$fw add 05900 allow tcp from $ipaddr1 to any setup keep-state

$fw add 65000 deny ip from any to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message