Date:      Sat, 8 Sep 2001 17:56:00 -0700 (PDT)
From:      Nick Sayer <nsayer@quack.kfu.com>
To:        <freebsd-questions@freebsd.org>
Subject:   ipfw dynamic rules and natd conflict
Message-ID:  <1969.205.178.90.218.999996960.squirrel@medusa.kfu.com>

I am setting up a stateful firewall with NAT for a friend and ran across a
problem with DNS.

I have the traditional rule 50 diverting all of the traffic into natd.
Later on, I have this:

check-state
pass udp from any to any out xmit ${oif} keep-state
pass ip from any to any out xmit ${oif}

The problem is that the dynamic rules end up with post-NAT addressing,
because the packets have already gone through NAT on their way out, but the
responses come back in... again _post_ NAT, which means they have _inside_
addresses and thus fail the filter.

For the life of me, I don't see a solution. You can't create a dynamic rule
except by passing the packet, and if you pass it you can't then translate
it.

Does anyone have a good solution for this?
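A toy model of the ordering problem described in the message above, added here as an illustration; it is not code from the post and not ipfw or natd themselves. The addresses, a natd that keeps the source port, and the rule order (rule 50 divert, then check-state, then the two pass rules) are assumptions taken from the message:

```python
from dataclasses import dataclass, replace

INSIDE_HOST = "192.168.1.10"   # assumed inside client (constructed)
PUBLIC_IP = "203.0.113.5"      # assumed natd alias address on ${oif} (constructed)
RESOLVER = "198.51.100.53"     # assumed external DNS server (constructed)

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" via ${oif} or "in" from ${oif}

def natd(pkt, nat_table):
    """Rule 50: divert to natd. Simplification: natd keeps the source port."""
    if pkt.direction == "out" and pkt.src != PUBLIC_IP:
        nat_table[(pkt.proto, pkt.sport)] = pkt.src      # remember inside host
        return replace(pkt, src=PUBLIC_IP)               # outbound: rewrite source
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
        inside = nat_table.get((pkt.proto, pkt.dport))
        if inside:
            return replace(pkt, dst=inside)              # inbound: restore inside dst
    return pkt

def tuple_of(pkt, reverse=False):
    if reverse:  # the tuple a reply to this packet would carry
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

def ipfw(pkt, nat_table, dyn_rules):
    """Walk the ruleset in the order the post gives; return (verdict, packet as filtered)."""
    pkt = natd(pkt, nat_table)                     # 50 divert natd (both directions)
    if tuple_of(pkt) in dyn_rules or tuple_of(pkt, reverse=True) in dyn_rules:
        return "pass dynamic", pkt                 # check-state
    if pkt.direction == "out" and pkt.proto == "udp":
        dyn_rules.add(tuple_of(pkt))               # keep-state records POST-NAT tuple
        return "pass keep-state", pkt
    if pkt.direction == "out":
        return "pass static", pkt                  # pass ip from any to any out xmit ${oif}
    return "deny default", pkt                     # inbound reply matched nothing

def dns_roundtrip():
    nat_table, dyn_rules = {}, set()
    query = Packet("udp", INSIDE_HOST, 40000, RESOLVER, 53, "out")
    v1, _ = ipfw(query, nat_table, dyn_rules)
    reply = Packet("udp", RESOLVER, 53, PUBLIC_IP, 40000, "in")
    v2, seen = ipfw(reply, nat_table, dyn_rules)   # natd already rewrote dst to inside
    return v1, sorted(dyn_rules), v2, seen.dst
```

The dynamic rule holds the public address while the reply reaches check-state already carrying the inside address, so the lookup misses and the reply falls through to the default deny.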



