From owner-freebsd-questions@FreeBSD.ORG Wed Jun 9 02:59:34 2004
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BAD6C16A4CE; Wed, 9 Jun 2004 02:59:34 +0000 (GMT)
Received: from mta11.adelphia.net (mta11.adelphia.net [68.168.78.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D39843D45; Wed, 9 Jun 2004 02:59:34 +0000 (GMT) (envelope-from Barbish3@adelphia.net)
Received: from barbish ([67.20.101.71]) by mta11.adelphia.net (InterMail vM.5.01.06.08 201-253-122-130-108-20031117) with SMTP id <20040609025923.HNQB21898.mta11.adelphia.net@barbish>; Tue, 8 Jun 2004 22:59:23 -0400
From: "JJB"
To: ,
Date: Tue, 8 Jun 2004 22:59:22 -0400
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.6604 (9.0.2911.0)
In-Reply-To: <20040603090004.fsp0rm3wehw0k8@.mailhost.wsf.at>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
cc: "freebsd-questions@FreeBSD. ORG"
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: Barbish3@adelphia.net
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 09 Jun 2004 02:59:34 -0000

Thanks for your example. I have finally had time to study it and I see the flaw in it. The example works fine for creating the entry in the dynamic table for setup of keep-state inbound and outbound session start requests. It even handles inbound packets that are part of established session conversations, but for established outbound session conversations the check-state rule releases the packet before it has been NATed. Therein lies the flaw. Do you have any suggestions on how to correct this?
-----Original Message-----
From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Thomas Wolf
Sent: Thursday, June 03, 2004 3:00 AM
To: Barbish3@adelphia.net; freebsd-ipfw@freebsd.org
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?

JJB wrote:
> Where do you get off calling my questioning of Luigi Rizzo's answer
> an attack?
> I have heard that party line statement all too often over the last 4
> years, with no backup proof. That party line canned answer may be
> sufficient for the original thread poster who has not invested the
> time yet to come to the realization that it does not work.
> My post to the thread was meant to bring this problem out so the
> experts can look into it and take corrective actions.

This should work although some features are missing (loopback, anti-spoofing, identd..):

#!/bin/sh
log="log"
cmd="ipfw add"
allow="skipto 10000"            # "accept" really means: jump to the outbound NAT rule
oif=rl0                         # outside interface
good_tcp="22,25,53,80,443,110"
good_udp="53"
good_icmp="icmptypes 0,3,8,11,12"

ipfw -f flush
# Inbound packets are un-NATed first, so the rules below see the private addresses.
$cmd 100 divert natd ip from any to any in via $oif
$cmd 105 check-state
$cmd 110 $allow icmp from any to any $good_icmp
$cmd 120 $allow udp from any to any $good_udp out keep-state
$cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
$cmd 140 deny $log ip from any to any
# Everything accepted above lands here and is NATed on the way out.
$cmd 10000 divert natd ip from any to any out via $oif
$cmd 10010 allow ip from any to any
$cmd 10020 deny ip from any to any

Thomas
--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
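A small tracer, added here as an example and not part of either message, that walks packets through Thomas's ruleset in rule order and reports whether natd ever saw them. The addresses are constructed, and only divert, check-state, keep-state and skipto are modelled. The switch dynamic_inherits_parent_action is the point the thread turns on: ipfw(8) says a packet matched by check-state gets the action of the rule that created the dynamic entry, which here is skipto 10000 and therefore reaches the outbound divert; setting it False models a check-state that simply accepts the packet, which reproduces the un-NATed outbound packet JJB describes.

```python
from dataclasses import dataclass

# Constructed addresses (assumptions for the example, not taken from the thread).
LAN_HOST = "192.168.1.10"   # client behind the NAT box
PUBLIC_IP = "203.0.113.5"   # address natd writes into outbound packets
SERVER = "198.51.100.7"     # remote host the client talks to
GOOD_TCP = {22, 25, 53, 80, 443, 110}   # $good_tcp in the quoted script
GOOD_UDP = {53}                         # $good_udp


@dataclass
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    port: int        # server-side port (dst port outbound, src port inbound)
    direction: str   # "in" or "out", relative to $oif
    setup: bool = False   # TCP SYN without ACK, what ipfw calls "setup"


class Ipfw:
    """Rule-by-rule model of the quoted ruleset (divert, check-state, keep-state, skipto only)."""

    def __init__(self, dynamic_inherits_parent_action=True):
        # ipfw(8): check-state executes the action of the rule that created the
        # dynamic entry. False models a check-state that merely accepts the packet.
        self.inherit = dynamic_inherits_parent_action
        self.dynamic = {}   # (proto, src, dst, port) -> action stored in the dynamic rule
        self.nat = set()    # (proto, remote, port) translations natd has seen

    def divert_out(self, p, log):
        """natd on rule 10000: rewrite a private source to the public address."""
        if p.direction == "out" and p.src == LAN_HOST:
            self.nat.add((p.proto, p.dst, p.port))
            p.src = PUBLIC_IP
            log.append(f"10000 divert natd out: src rewritten to {PUBLIC_IP}")
            return True
        return False

    def divert_in(self, p, log):
        """natd on rule 100: map a reply for the public address back to the LAN host."""
        if p.direction == "in" and p.dst == PUBLIC_IP and (p.proto, p.src, p.port) in self.nat:
            p.dst = LAN_HOST
            log.append(f"100 divert natd in: dst rewritten to {LAN_HOST}")
            return True
        return False

    def trace(self, p):
        """Walk one packet through the rules. Returns (verdict, natted, log)."""
        log, natted, rule = [], False, 100
        while True:
            if rule == 100:            # divert natd ip from any to any in via $oif
                natted |= self.divert_in(p, log)
                rule = 105
            elif rule == 105:          # check-state
                act = (self.dynamic.get((p.proto, p.src, p.dst, p.port)) or
                       self.dynamic.get((p.proto, p.dst, p.src, p.port)))
                if act is None:
                    rule = 110
                elif act == "allow":
                    log.append("105 check-state -> allow")
                    return "allow", natted, log
                else:
                    log.append("105 check-state -> skipto 10000 (parent rule's action)")
                    rule = 10000
            elif rule == 110:          # skipto 10000 icmp from any to any $good_icmp
                rule = 10000 if p.proto == "icmp" else 120
            elif rule in (120, 130):   # skipto 10000 udp/tcp ... out [setup] keep-state
                hit = p.direction == "out" and (
                    (rule == 120 and p.proto == "udp" and p.port in GOOD_UDP) or
                    (rule == 130 and p.proto == "tcp" and p.port in GOOD_TCP and p.setup))
                if hit:
                    key = (p.proto, p.src, p.dst, p.port)   # still the private address
                    self.dynamic[key] = "skipto" if self.inherit else "allow"
                    log.append(f"{rule} keep-state: dynamic rule for {key}")
                    rule = 10000
                else:
                    rule = 130 if rule == 120 else 140
            elif rule == 140:          # deny log ip from any to any
                log.append("140 deny")
                return "deny", natted, log
            elif rule == 10000:        # divert natd ip from any to any out via $oif
                natted |= self.divert_out(p, log)
                rule = 10010
            else:                      # 10010 allow ip from any to any (10020 is never reached)
                log.append("10010 allow")
                return "allow", natted, log


def http_session(dynamic_inherits_parent_action=True):
    """SYN out, SYN/ACK in, ACK out of one client->server HTTP session; returns [(verdict, natted), ...]."""
    fw = Ipfw(dynamic_inherits_parent_action)
    packets = [
        Packet("tcp", LAN_HOST, SERVER, 80, "out", setup=True),
        Packet("tcp", SERVER, PUBLIC_IP, 80, "in"),
        Packet("tcp", LAN_HOST, SERVER, 80, "out"),
    ]
    return [fw.trace(p)[:2] for p in packets]
```

With the documented behaviour, http_session(True) reports all three packets as allowed and translated by natd; with http_session(False) the outbound ACK is allowed by check-state at rule 105 but never reaches rule 10000, so it leaves with the private source address. On a real box the equivalent check is "ipfw -d show", which lists the dynamic rules together with the number of the rule that created them, read alongside the packet counter on rule 10000.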