From owner-freebsd-questions Thu Feb 22 3:58:26 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from leviathan.inethouston.net (216-118-21-146.pdq.net [216.118.21.146]) by hub.freebsd.org (Postfix) with ESMTP id 0156137B401 for ; Thu, 22 Feb 2001 03:58:23 -0800 (PST) (envelope-from mike@inethouston.net)
Received: from charter (24-240-235-143.hsacorp.net [24.240.235.143]) by leviathan.inethouston.net (Postfix) with ESMTP id 7C69611131B; Thu, 22 Feb 2001 05:58:22 -0600 (CST)
Message-ID: <005701c09cc6$8c057740$0204a8c0@daimon>
From: "Michael J. Turner"
To: ,
Cc: ,
References: <200102212004.PAA42475@nova.fqdn.com> <20010222001834.D89396@rfx-216-196-73-168.users.reflex>
Subject: Re: NAT and keep-state issue.
Date: Thu, 22 Feb 2001 05:56:51 -0600
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I am having the same problem with natd and ipfw. The fact that you have to "allow all from any to any" for NAT to work is ridiculous, also the dynamic rules factory. Anyhow, the only way I think I can solve the problem is to move to ipnat and ipf.

Later,
Mike Turner

----- Original Message -----
From: "Crist J. Clark"
To:
Cc: ;
Sent: Thursday, February 22, 2001 2:18 AM
Subject: Re: NAT and keep-state issue.

> [Could we get some line wraps in your text at about 72 columns or so?]
>
> On Wed, Feb 21, 2001 at 03:04:44PM -0500, greg@nova.fqdn.com wrote:
> > Hi,
> >
> > I'm trying to resolve an issue with my ipfw rules using NAT and the
> > keep-state options.
> >
> > When I do not use keep-state and use 'allow established' all works well.
> > When I remove 'allow established' and add keep-state to outbound connections
> > that are NAT'd, it stops working. I think this is because packets returning
> > from the internet are translated, so the internal dest IP is swapped in.
> > This fails as there isn't a dynamic rule to match. The rule created with
> > the outbound connection would create a rule with the alias'd IP and dest IP.
> > Returning packets would be checked by the rules after the IP swap has happened.
> >
> > Am I missing something here or is there a trick? Any help would be great.
>
> [snip]
>
> > ## Dynamic rules:
> > 02060 12 606 (T 7, # 50) ty 0 tcp, 222.222.222.222 2083 <-> 333.333.333.333 21
> > 02060 12 606 (T 11, # 52) ty 0 tcp, 222.222.222.222 2085 <-> 333.333.333.333 21
> > 02060 1 40 (T 17, # 54) ty 0 tcp, 222.222.222.222 2087 <-> 333.333.333.333 21
>
> [snip]
>
> > 02060 38 5690 (T 291, # 152) ty 0 tcp, 192.168.50.50 2085 <-> 333.333.333.333 21
> > 02060 5 364 (T 300, # 154) ty 0 tcp, 192.168.50.50 2087 <-> 333.333.333.333 21
> > 02060 38 5690 (T 287, # 158) ty 0 tcp, 192.168.50.50 2083 <-> 333.333.333.333 21
>
> I see both the untranslated and translated address having dynamic
> rules.
>
> Now what exactly is not working? You can't connect at all? Are any
> packets relevant to this being logged by your deny rules?
> --
> Crist J. Clark cjclark@alum.mit.edu
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
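The mechanism Greg describes above, as an added toy model that is not code from any poster on this thread: a Python walk of ipfw rules with a natd divert, using the addresses from the quoted dynamic-rule listing. It shows why a dynamic rule recorded after translation cannot match a reply that is translated before check-state, and how an assumed alternative ordering (inbound divert first, keep-state on a skipto rule, outbound divert after it) keeps both directions on the LAN address. The rule numbers and both rulesets are assumptions, and the natd model covers a single LAN host.

```python
# Added illustration for this thread, not code from either poster: a toy model of the ipfw rule walk with natd.
INTERNAL, ALIAS, SERVER = "192.168.50.50", "222.222.222.222", "333.333.333.333"  # from the listing above
def natd(p):  # toy natd for one LAN host: alias the source going out, restore the LAN dst coming in
    if p["dir"] == "out" and p["src"] == INTERNAL:
        return {**p, "src": ALIAS}
    if p["dir"] == "in" and p["dst"] == ALIAS:
        return {**p, "dst": INTERNAL}
    return p

def flow(p):  # dynamic-rule key: both endpoints, so the reply in the other direction matches too
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])
out_only, in_only, any_pkt = (lambda p: p["dir"] == "out"), (lambda p: p["dir"] == "in"), (lambda p: True)

def ipfw(rules, pkt, dyn):
    """Walk (number, action, matcher, keep_state) rules like ipfw; dyn is the dynamic-rule table."""
    i = 0
    while i < len(rules):
        num, action, match, keep = rules[i]
        if action == "check-state" or keep:       # keep-state rules consult the state table first
            parent = dyn.get(flow(pkt))
            if parent is not None:                # dynamic rule hit: run the parent rule's action
                action, match = parent, any_pkt
            elif action == "check-state":
                i += 1
                continue
        if match(pkt):
            if keep and flow(pkt) not in dyn:
                dyn[flow(pkt)] = action           # keep-state records the flow as ipfw saw it HERE
            if action == "divert":
                pkt = natd(pkt)                   # natd rewrites; processing resumes at the next rule
            elif action in ("allow", "deny"):
                return action
            else:                                 # ("skipto", N)
                i = next(k for k, r in enumerate(rules) if r[0] >= action[1])
                continue
        i += 1
    return "deny"                                 # default rule 65535

# The ordering Greg describes (his rules were snipped): one divert for both directions, then keep-state.
GREG = [(50, "divert", any_pkt, False), (100, "check-state", None, False),
        (200, "allow", out_only, True), (65535, "deny", any_pkt, False)]
# Assumed alternative: inbound divert first, keep-state on a skipto, outbound divert only at 800.
SKIPTO = [(20, "divert", in_only, False), (100, "check-state", None, False), (125, ("skipto", 800), out_only, True),
          (500, "deny", in_only, False), (800, "divert", out_only, False), (801, "allow", any_pkt, False)]

def ftp_session(rules):
    """Outbound FTP control SYN as in the listing, then the server's reply: both verdicts plus dyn addresses."""
    dyn = {}
    syn = {"dir": "out", "src": INTERNAL, "sport": 2083, "dst": SERVER, "dport": 21}
    reply = {"dir": "in", "src": SERVER, "sport": 21, "dst": ALIAS, "dport": 2083}
    return ipfw(rules, syn, dyn), ipfw(rules, reply, dyn), sorted(a for k in dyn for a, _ in k)
```

With GREG the dynamic rule is keyed on 222.222.222.222 while the translated reply carries 192.168.50.50, so the reply falls through to the deny; with SKIPTO both directions are matched on the LAN address.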