Date: Tue, 11 Feb 2003 14:53:43 +0100 From: Georg Graf <georg-ipfw@graf.priv.at> To: freebsd-ipfw@freebsd.org Subject: IPFW/NATD works (Was: Re: Error in ipfw manpage for stateful rules?) Message-ID: <20030211135343.GD29498@graf.priv.at> In-Reply-To: <E18ePGw-0000fq-00@m218-3.phy.cam.ac.uk> References: <200301301630.19610.will@unfoldings.net> <MIEPLLIBMLEEABPDBIEGCENODEAA.barbish@a1poweruser.com> <E18ePGw-0000fq-00@m218-3.phy.cam.ac.uk>
On Fri, Jan 31, 2003 at 12:43:10AM +0000, AMAKAWA Shuhei wrote:
[...]
> > That keep-state rules do not function correctly in IPFW/NATD.
>
> not true

A proof in 3 lines that it works:

ipfw add 20 divert natd log logamount 0 all from any to any via bge0
ipfw add 40 allow log logamount 0 ip from 192.168.77.0/24 to any keep-state
ipfw add 50 allow log logamount 0 ip from 137.208.120.10 to any keep-state
.
.
.
65535 deny ip from any to any

bge0 is the world (outside) interface, where natd runs on.
137.208.120.10 is the public IP of the machine.
192.168.77.0/24 is the natted LAN.
137.208.16.32 is just a host on the Internet.

The machine is completely invisible to the outside world, but provides
full connectivity for the internal LAN and itself!

Here are some snapshots of what happens within this ruleset:

<start1>
ping from 192.168.77.12 to 137.208.16.32

/kernel: ipfw: 40 Accept ICMP:8.0 192.168.77.12 137.208.16.32 in via vlan998
/kernel: ipfw: 20 Divert 8668 ICMP:8.0 192.168.77.12 137.208.16.32 out via bge0
/kernel: ipfw: 50 Accept ICMP:8.0 137.208.120.10 137.208.16.32 out via bge0

(at this time: dynamic rules:)
00040 0 0 (T 3, slot 208) <-> icmp, 192.168.77.12 0<-> 137.208.16.32 0
00050 0 0 (T 3, slot 214) <-> icmp, 137.208.120.10 0<-> 137.208.16.32 0

reply from 137.208.16.32:

/kernel: ipfw: 20 Divert 8668 ICMP:0.0 137.208.16.32 137.208.120.10 in via bge0
/kernel: ipfw: 40 Accept ICMP:0.0 137.208.16.32 192.168.77.12 in via bge0
/kernel: ipfw: 40 Accept ICMP:0.0 137.208.16.32 192.168.77.12 out via vlan998
</start1>

<start2>
ping from 137.208.120.10 to 137.208.16.32:

/kernel: ipfw: 20 Divert 8668 ICMP:8.0 137.208.120.10 137.208.16.32 out via bge0
/kernel: ipfw: 50 Accept ICMP:8.0 137.208.120.10 137.208.16.32 out via bge0

(at this time: dynamic rules:)
## Dynamic rules:
00050 0 0 (T 2, slot 214) <-> icmp, 137.208.120.10 0<-> 137.208.16.32 0

reply from 137.208.16.32:

/kernel: ipfw: 20 Divert 8668 ICMP:0.0 137.208.16.32 137.208.120.10 in via bge0
/kernel: ipfw: 50 Accept ICMP:0.0 137.208.16.32 137.208.120.10 in via bge0
</start2>

Between 20 and 40 there is space to insert accept rules for other allowed
things, like icmp or services the gateway host provides to the Internet or
a limited set of "friends" on the Internet, or for routing between more
than one private subnet.

I have to admit that this 3-line set is not the most performance-friendly
way to do it.

-- 
Georg Graf          http://georg.graf.priv.at/      PGP Key ID: 0xA5232AD5
Gobergasse 43/2     A-1130 Wien                     Tel: +43 1 8796723