Date:      Thu, 22 Feb 2001 00:18:34 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        greg@nova.fqdn.com
Cc:        freebsd-questions@FreeBSD.ORG, greg@fqdn.com
Subject:   Re: NAT and keep-state issue.
Message-ID:  <20010222001834.D89396@rfx-216-196-73-168.users.reflex>
In-Reply-To: <200102212004.PAA42475@nova.fqdn.com>; from greg@nova.fqdn.com on Wed, Feb 21, 2001 at 03:04:44PM -0500
References:  <200102212004.PAA42475@nova.fqdn.com>

[Could we get some line wraps in your text at about 72 columns or so?]

On Wed, Feb 21, 2001 at 03:04:44PM -0500, greg@nova.fqdn.com wrote:
> Hi,
> 
> I'm trying to resolve an issue with my ipfw rules using NAT and the
> keep-state options.
> 
> When I do not use keep-state and use 'allow established', all works well.
> When I remove 'allow established' and add keep-state to outbound
> connections that are NAT'd, it stops working.  I think this is because
> packets returning from the internet are translated, so the internal dest
> IP is swapped in.  This fails as there isn't a dynamic rule to match.  The
> rule created with the outbound connection would create a rule with the
> alias'd IP and dest IP.  Returning packets would be checked by the rules
> after the IP swap has happened.
> 
> 
> Am I missing something here or is there a trick?  Any help would be great.

[snip]

> ## Dynamic rules:
> 02060 12 606 (T 7, # 50) ty 0 tcp, 222.222.222.222 2083 <-> 333.333.333.333 21
> 02060 12 606 (T 11, # 52) ty 0 tcp, 222.222.222.222 2085 <-> 333.333.333.333 21
> 02060 1 40 (T 17, # 54) ty 0 tcp, 222.222.222.222 2087 <-> 333.333.333.333 21

[snip]

> 02060 38 5690 (T 291, # 152) ty 0 tcp, 192.168.50.50 2085 <-> 333.333.333.333 21
> 02060 5 364 (T 300, # 154) ty 0 tcp, 192.168.50.50 2087 <-> 333.333.333.333 21
> 02060 38 5690 (T 287, # 158) ty 0 tcp, 192.168.50.50 2083 <-> 333.333.333.333 21

I see both the untranslated and translated address having dynamic
rules.

Now what exactly is not working? You can't connect at all? Are any
packets relevant to this being logged by your deny rules?
-- 
Crist J. Clark                           cjclark@alum.mit.edu

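The interaction Greg describes above (which addresses a dynamic rule records, and what happens to the reply once natd has swapped the destination back) is easier to see in a small model than in prose. The Python script below is an added illustration, not code from this thread or from FreeBSD: it walks one connection's four passes through a toy ipfw ruleset containing a natd divert rule, once with the divert rule ahead of check-state and once with check-state ahead of it. The interface names, the two rule orders, natd keeping the source port, and a diverted packet resuming at the rule after the divert are assumptions (Greg's actual rules are not in the message); the addresses are the placeholders from his dump. The point to carry away is that a dynamic entry is keyed on the addresses exactly as the keep-state rule sees them, and a check-state that fires before the divert rule accepts the packet before natd ever touches it. The reason to want keep-state at all is also worth stating: ipfw's `established` matches any TCP segment with ACK or RST set, so `allow established` admits arbitrary spoofed segments that a dynamic rule would reject.

```python
"""Toy model of ipfw rule traversal with a natd divert rule and keep-state.

Added illustration, not code from the thread or FreeBSD. Assumed: interfaces
"inner" and "outer"; natd aliases inner hosts to the outer address keeping the
source port (the quoted dump shows the same port on both entries); a diverted
packet re-enters ipfw at the rule after the divert rule; both rule orders are
invented for the comparison, the original ruleset not being in the message.
"""
from dataclasses import dataclass, replace

INNER_NET = "192.168.50."
INNER_HOST = "192.168.50.50"
PUBLIC_ADDR = "222.222.222.222"    # natd alias address on the outer interface
FTP_SERVER = "333.333.333.333"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # "inner" or "outer"
    direction: str   # "in" or "out"

    def flow(self):
        # A dynamic rule keys on the unordered endpoint pair, so one entry
        # matches both directions (the "<->" in the dynamic-rule listing).
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})

class Firewall:
    def __init__(self, rules):
        self.rules = rules       # ordered rule tuples, see RULESETS
        self.dynamic = set()     # flows recorded by keep-state
        self.nat = {}            # alias port -> (inner address, inner port)

    def natd(self, pkt):
        """natd on the outer interface: alias outbound source, un-alias inbound dest."""
        if pkt.iface != "outer":
            return pkt
        if pkt.direction == "out" and pkt.src.startswith(INNER_NET):
            self.nat[pkt.sport] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_ADDR)
        if pkt.direction == "in" and pkt.dst == PUBLIC_ADDR and pkt.dport in self.nat:
            inner, port = self.nat[pkt.dport]
            return replace(pkt, dst=inner, dport=port)
        return pkt

    def process(self, pkt):
        """One pass through the rules; returns (verdict, packet as it leaves ipfw)."""
        for rule in self.rules:
            kind = rule[0]
            if kind == "divert":
                pkt = self.natd(pkt)             # resumes at the next rule
            elif kind == "check-state":
                if pkt.flow() in self.dynamic:
                    return "allow dynamic", pkt
            elif kind == "allow":
                _, match, keep_state = rule
                if match(pkt):
                    if keep_state:
                        self.dynamic.add(pkt.flow())   # addresses as seen here
                    return ("allow keep-state" if keep_state else "allow"), pkt
        return "deny", pkt                       # trailing deny ip from any to any

def inner_in(p):    # allow tcp from 192.168.50.0/24 to any in via inner
    return p.iface == "inner" and p.direction == "in" and p.src.startswith(INNER_NET)

def outer_out(p):   # allow tcp from 222.222.222.222 to any out via outer
    return p.iface == "outer" and p.direction == "out" and p.src == PUBLIC_ADDR

RULESETS = {
    "divert first": [("divert",), ("check-state",),
                     ("allow", inner_in, True), ("allow", outer_out, True)],
    "check-state first": [("check-state",), ("divert",),
                          ("allow", inner_in, True), ("allow", outer_out, True)],
}

def ftp_control_connection(ruleset_name):
    """Push one outbound FTP control SYN and the server's reply through the
    four passes the connection makes; report what the firewall did."""
    fw = Firewall(RULESETS[ruleset_name])
    syn = Packet(INNER_HOST, 2083, FTP_SERVER, 21, "inner", "in")
    fw.process(syn)                                                 # pass 1: in on inner
    _, wire_syn = fw.process(replace(syn, iface="outer", direction="out"))  # pass 2: out on outer
    # The server can only answer the alias address, so the reply targets it.
    v3, reply = fw.process(Packet(FTP_SERVER, 21, PUBLIC_ADDR, 2083, "outer", "in"))  # pass 3
    v4 = None
    if v3 != "deny":
        v4, reply = fw.process(replace(reply, iface="inner", direction="out"))  # pass 4
    return {
        "syn_source_on_wire": wire_syn.src,
        "dynamic_addrs": sorted({a for f in fw.dynamic for a, _ in f}),
        "reply_verdicts": (v3, v4),
        "reply_delivered_to": reply.dst,
    }

if __name__ == "__main__":
    for name in RULESETS:
        print(name, ftp_control_connection(name))
```

Running it prints the outcome for both orders. With the divert rule first, entries for both 192.168.50.50 and 222.222.222.222 appear, as in the quoted dump, because the inner-interface pass records the private address and the post-divert outer pass records the alias; the reply is un-aliased by natd and then matched by check-state against the private-address entry. With check-state first, the outbound SYN is matched on its private-address entry before it reaches the divert rule and leaves the box untranslated, and the reply to the alias address finds neither a dynamic entry nor a natd mapping and is denied.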