Date: Sat, 8 Sep 2001 23:23:33 -0500 (CDT)
From: Nick Rogness <nick@rogness.net>
To: Nick Sayer <nsayer@quack.kfu.com>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw dynamic rules and natd conflict
Message-ID: <Pine.BSF.4.21.0109082232570.73604-100000@cody.jharris.com>
In-Reply-To: <1969.205.178.90.218.999996960.squirrel@medusa.kfu.com>
On Sat, 8 Sep 2001, Nick Sayer wrote:

> I am setting up a stateful firewall with NAT for a friend and ran
> across a problem with DNS.
>
> I have the traditional rule 50 diverting all of the traffic into natd.
> Later on, I have this:
>
> check-state
> pass udp from any to any out xmit ${oif} keep-state
> pass ip from any to any out xmit ${oif}
>
> The problem is that the dynamic rules end up with post-NAT addressing,
> because the packets have already gone through NAT on their way out,
> but the responses come back in... again _post_ NAT, which means they
> have _inside_ addresses and thus fail the filter.

Split your divert rules up:

50 divert natd ip from any to any out via $oif
check-state
keep-state stuff
divert natd ip from any to any in via $oif

Nick Rogness <nick@rogness.net>
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
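The following is an added toy model of the problem, not code from either poster. It imitates just enough of ipfw to show why a single divert rule ahead of `check-state` breaks the DNS reply path described in the question, and how splitting the divert into an inbound rule (before `check-state`) and an outbound rule (reached after the `keep-state` rule has recorded the flow) makes both directions see inside addresses. The addresses, ports, rule numbers and the `skipto` used to reach the outbound divert are all constructed for the demo and are not a transcription of the rules in the reply above.

```python
"""Toy model of ipfw evaluation with a natd divert and keep-state.

Added example, not from the mailing-list thread. Only three behaviours are
modelled: a divert rule rewrites addresses like natd and re-enters at the
next rule, `keep-state` records the packet's flow, and `check-state`
accepts a packet whose flow was recorded earlier. Everything else is
omitted. All addresses and rule numbers below are constructed.
"""

INSIDE_HOST = "192.168.1.10"   # constructed: LAN client behind the firewall
EXT_IP = "203.0.113.5"         # constructed: firewall's outside address
DNS_SERVER = "198.51.100.53"   # constructed: remote resolver


def natd(pkt, direction):
    """Toy natd: rewrite src on the way out, dst on the way back in."""
    p = dict(pkt)
    if direction == "out" and p["src"] == INSIDE_HOST:
        p["src"] = EXT_IP
    elif direction == "in" and p["dst"] == EXT_IP:
        p["dst"] = INSIDE_HOST
    return p


def flow_key(pkt):
    """Direction-independent flow identity used by keep-state/check-state."""
    ends = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"], ends)


def evaluate(rules, pkt, direction, state):
    """Walk `rules` (sorted by num) for one packet; return (verdict, packet).

    A rule is a dict with num, action ('divert', 'check-state', 'pass',
    'skipto'), optional dir ('in'/'out'), optional keep_state, optional to.
    """
    i = 0
    while i < len(rules):
        r = rules[i]
        if r["action"] == "check-state":
            if flow_key(pkt) in state:      # matches a recorded dynamic rule
                return "pass", pkt
            i += 1
            continue
        if r.get("dir") not in (None, direction):
            i += 1                          # rule is for the other direction
            continue
        if r["action"] == "divert":
            pkt = natd(pkt, direction)      # natd re-injects at the next rule
            i += 1
            continue
        if r.get("keep_state"):
            state.add(flow_key(pkt))        # dynamic rule built from pkt as seen here
        if r["action"] == "pass":
            return "pass", pkt
        if r["action"] == "skipto":
            i = next(idx for idx, x in enumerate(rules) if x["num"] >= r["to"])
            continue
        i += 1
    return "deny", pkt                      # default deny at end of ruleset


# Layout from the question: one divert for both directions ahead of check-state.
BROKEN = [
    {"num": 50, "action": "divert"},
    {"num": 100, "action": "check-state"},
    {"num": 110, "action": "pass", "dir": "out", "keep_state": True},
]

# Split divert: de-NAT replies before check-state, record state on the
# untranslated outbound packet, then NAT it (rule numbers are constructed).
FIXED = [
    {"num": 50, "action": "divert", "dir": "in"},
    {"num": 100, "action": "check-state"},
    {"num": 110, "action": "skipto", "to": 800, "dir": "out", "keep_state": True},
    {"num": 800, "action": "divert", "dir": "out"},
    {"num": 810, "action": "pass", "dir": "out"},
]


def dns_exchange(rules):
    """Send one DNS query out and its reply back in through `rules`.

    Returns (query_verdict, reply_verdict, reply_dst_after_filtering).
    """
    state = set()
    query = {"proto": "udp", "src": INSIDE_HOST, "sport": 53000,
             "dst": DNS_SERVER, "dport": 53}
    qv, out_pkt = evaluate(rules, query, "out", state)
    # The resolver answers to whatever source it saw on the wire.
    reply = {"proto": "udp", "src": DNS_SERVER, "sport": 53,
             "dst": out_pkt["src"], "dport": out_pkt["sport"]}
    rv, in_pkt = evaluate(rules, reply, "in", state)
    return qv, rv, in_pkt["dst"]


if __name__ == "__main__":
    print("single divert before check-state:", dns_exchange(BROKEN))
    print("split divert:                     ", dns_exchange(FIXED))
```

With the single divert, the dynamic rule is keyed on the post-NAT source (the outside address), while the reply has already been de-NATed to the inside address by the time `check-state` sees it, so the lookup misses and the default deny drops it. With the split layout the dynamic rule and the de-NATed reply both carry the inside address and the lookup succeeds.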