Date:      Thu, 22 Feb 2001 08:12:56 -0800
From:      "Crist J. Clark" <cjclark@reflexnet.net>
To:        "Michael J. Turner" <mike@inethouston.net>
Cc:        greg@nova.fqdn.com, freebsd-questions@FreeBSD.ORG, greg@fqdn.com
Subject:   Re: NAT and keep-state issue.
Message-ID:  <20010222081256.I89396@rfx-216-196-73-168.users.reflex>
In-Reply-To: <005701c09cc6$8c057740$0204a8c0@daimon>; from mike@inethouston.net on Thu, Feb 22, 2001 at 05:56:51AM -0600
References:  <200102212004.PAA42475@nova.fqdn.com> <20010222001834.D89396@rfx-216-196-73-168.users.reflex> <005701c09cc6$8c057740$0204a8c0@daimon>

On Thu, Feb 22, 2001 at 05:56:51AM -0600, Michael J. Turner wrote:
> I am having the same problem with natd and ipfw, the fact that you have
> to "allow all from any to any" for nat to work is ridiculous,

Yes, it would. Fortunately, it is not the case.

> also the dynamic rules factory. Anyhow the only way I think I can solve the
> problem is to move ipnat and ipf.

My natd(8) and dynamic rules work fine.

Excerpts from the firewall rules,

  10000 divert 8668 ip from any to any via ${oif}
  10100 check-state
  10200 allow tcp from ${oip} to any keep-state out xmit ${oif}
  20000 deny udp from any 137-138 to ${obc} 137-138 in recv ${oif}
  20100 allow udp from ${oip} to any keep-state out xmit ${oif}
  20200 allow icmp from ${oip} to any keep-state out xmit ${oif}
  20300 allow ip from ${oip} to any keep-state out xmit ${oif}
  20400 allow icmp from any to any icmptype 0,3,11
  20500 allow ip from ${inet} to ${iip} in recv ${iif}
  20600 allow ip from ${iip} to ${inet} out xmit ${iif}
  20700 allow ip from ${inet} to any keep-state in recv ${iif}

For example, I just pinged freebsd.org from a machine on the internal
net,

  ## Dynamic rules:
  20700 9 756 (T 56, # 12) ty 0 icmp, 192.168.AAA.30 0 <-> 216.136.204.18 0
  20200 3 252 (T 56, # 186) ty 0 icmp, BBB.CCC.DDD.EEE 0 <-> 216.136.204.18 0

-- 
Crist J. Clark                           cjclark@alum.mit.edu
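An added example, not part of the message above: a small Python parser for the `## Dynamic rules:` layout quoted in the reply that pairs each state created by the inside-interface rule (20700) with the state created by one of the outbound keep-state rules on ${oif} (10200, 20100, 20200, 20300). One of each per flow is what a working natd + keep-state setup produces; an inside state with no partner is the symptom to look for when NAT "does not work" without an allow-all rule. The sample output and its addresses are constructed.

```python
import re
from dataclasses import dataclass
# One dynamic-rule line of `ipfw -d show` in the layout quoted above: rule,
# packets, bytes, "(T n, # n)" timer group (kept opaque here), "ty n", protocol,
# then "src sport <-> dst dport".
DYN_RE = re.compile(
    r"^\s*(?P<rule>\d+)\s+\d+\s+\d+\s+\([^)]*\)\s+ty\s+\d+\s+(?P<proto>\w+),\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s*$"
)

@dataclass(frozen=True)
class DynState:
    rule: int      # keep-state rule that created this entry
    proto: str
    src: str
    dst: str
    dport: int

def parse_dyn_states(text):
    """Parse dynamic-rule lines; the header and non-matching lines are skipped."""
    states = []
    for line in text.splitlines():
        m = DYN_RE.match(line)
        if m:
            states.append(DynState(int(m["rule"]), m["proto"], m["src"],
                                   m["dst"], int(m["dport"])))
    return states

def pair_nat_states(states, inside_rule, outside_rules):
    """Match each inside-interface state with the outside-interface state for
    the same protocol and destination endpoint (source differs: natd rewrote it).
    A working NATed flow shows one of each; an inside state with no partner means
    the translated packet matched no outbound keep-state rule on the external
    interface. Keyed on destination only, so shared server ports share a key."""
    outside = {(s.proto, s.dst, s.dport): s for s in states if s.rule in outside_rules}
    return [(s, outside.get((s.proto, s.dst, s.dport))) for s in states if s.rule == inside_rule]

# Constructed sample in the quoted layout (documentation-range addresses, not
# the message's). The TCP flow deliberately has no outside partner (rule 10200).
SAMPLE_OUTPUT = """\
## Dynamic rules:
20700 9 756 (T 56, # 12) ty 0 icmp, 192.168.10.30 0 <-> 203.0.113.5 0
20200 3 252 (T 56, # 186) ty 0 icmp, 198.51.100.7 0 <-> 203.0.113.5 0
20700 4 240 (T 290, # 41) ty 0 tcp, 192.168.10.31 4711 <-> 203.0.113.9 80
"""
OUTSIDE_RULES = {10200, 20100, 20200, 20300}  # outbound keep-state rules on ${oif}

def unpaired_inside_flows(text=SAMPLE_OUTPUT):
    """Inside-interface states (rule 20700) whose NATed twin is missing."""
    return [s for s, o in pair_nat_states(parse_dyn_states(text), 20700, OUTSIDE_RULES) if o is None]
```

Feed it the real `ipfw -d show` output and an empty result for the flows you just generated from the inside means both keep-state rules fired as the reply describes.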
