Date: Sat, 03 Aug 2002 12:21:00 -0700 From: Michael Sierchio <kudzu@tenebras.com> To: barbish@a1poweruser.com Cc: "Crist J. Clark" <cjc@FreeBSD.ORG>, FBIPFW <freebsd-ipfw@freebsd.org>, archie@whistle.com, cmott@scientech.com, perhaps@yes.no, suutari@iki.fi, dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.org, rizzo@icir.org Subject: Re: natd & keep-state Message-ID: <3D4C2D1C.5020900@tenebras.com> References: <MIEPLLIBMLEEABPDBIEGIEFKCHAA.barbish@a1poweruser.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Joe & Fhe Barbish wrote: > So Crist we meet again. [scads of drivel deleted] As Crist stated, ipfw stateful rules and natd aren't inherently compatible, but it is possible to use them together. This is facilitated by using at least two IP addresses on the outside interface, and some non-intuitive rules. A brief snippet: # fw="/sbin/ipfw -q" ipaddr1="145.X.X.12" ipaddr2="145.X.X.14" # some rules skipped for this example #note the asymmetry $fw add 02000 divert natd ip from any to $ipaddr2 in recv $oif $fw add 02000 divert natd ip from any to any out xmit $oif $fw add 02400 check-state $fw add 02500 allow icmp from any to any icmptype 0,3,8,11 # natd is invoked with 'deny_incoming' $fw add 02620 allow ip from $ipaddr2 to any $fw add 02630 allow ip from any to $ipaddr2 $fw add 05800 allow udp from $ipaddr1 to any keep-state $fw add 05900 allow tcp from $ipaddr1 to any setup keep-state $fw add 65000 deny ip from any to any ~ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3D4C2D1C.5020900>