From owner-freebsd-questions@FreeBSD.ORG Sat Mar 5 13:44:50 2005
Return-Path: 
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F5DA16A4CE for ; Sat, 5 Mar 2005 13:44:50 +0000 (GMT)
Received: from mr.tuwien.ac.at (mr2-n.kom.tuwien.ac.at [128.131.2.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD74D43D2D for ; Sat, 5 Mar 2005 13:44:49 +0000 (GMT) (envelope-from e0025265@student.tuwien.ac.at)
Received: from webmail.zserv.tuwien.ac.at (lps.ben.tuwien.ac.at [193.170.74.11]) by mr.tuwien.ac.at (8.12.10/8.12.8) with SMTP id j25Dikoo008101 for ; Sat, 5 Mar 2005 14:44:46 +0100 (MET)
MIME-Version: 1.0
X-Mailer: V-webmail 1.5.1 ( http://www.v-webmail.co.uk/ )
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-ID: 
Date: Sat, 5 Mar 2005 14:44:46 +0100
From: "Florian Hengstberger" 
To: FreeBSD mailinglist 
X-Vwebmail-Auth: e0025265@stud3.tuwien.ac.at
X-Virus-Scanned: by amavisd-milter (http://amavis.org/)
Subject: solution: ipfw, natd
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions 
List-Unsubscribe: , 
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: , 
X-List-Received-Date: Sat, 05 Mar 2005 13:44:50 -0000

Hi!

With this order (rules 201, 501, 502), everything works well. Other orders, although intuitively correct, don't behave as expected. I tried divert, allow all from internal, check-state, and nothing happened.
# enable the natd
add 00201 divert natd all from any to any via sis0

### TCP ###
# per default only outgoing tcp connections, established from my host are allowed
# check against the dynamic rulesets, then allow traffic from internal network
add 00501 check-state
add 00502 allow all from any to any via vr0 keep-state
add 00503 deny tcp from any to any in established via sis0
add 00504 deny all from any to any frag in via sis0
# allow all tcp setup connection
add 00505 allow tcp from any to any out via sis0 setup keep-state

It was hard to find and is not well documented. The handbook suggests firewalltype OPEN, which is in fact not very sensible! A few more words on this would be fine, or a reference to the Ipfw-Advanced-Supplement-HOWTO, which covers this case.

Florian
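As an added example (not part of Florian's post), a small POSIX shell check that reads a ruleset in the rule-file form above and verifies the ordering the post found necessary: the divert rule numbered below check-state, check-state below the first keep-state rule, and that keep-state rule below the "deny ... established" rule on the outside interface. The first ruleset is a copy of the post's rules with comments stripped; the second is a constructed misordering the check must reject. It assumes only that ipfw evaluates rules in ascending rule-number order.

```shell
#!/bin/sh
# Constructed copy of the post's ruleset, in the form ipfw reads from a rule
# file (firewall_type="/etc/ipfw.rules" in rc.conf); comments stripped.
RULES='add 00201 divert natd all from any to any via sis0
add 00501 check-state
add 00502 allow all from any to any via vr0 keep-state
add 00503 deny tcp from any to any in established via sis0
add 00504 deny all from any to any frag in via sis0
add 00505 allow tcp from any to any out via sis0 setup keep-state'

# Constructed counter-example: divert placed after check-state, so inbound
# replies reach check-state while still carrying the public (translated)
# address and never match the dynamic rule. The checker must reject this.
BAD_RULES='add 00201 check-state
add 00202 allow all from any to any via vr0 keep-state
add 00301 divert natd all from any to any via sis0
add 00503 deny tcp from any to any in established via sis0
add 00505 allow tcp from any to any out via sis0 setup keep-state'

# Lowest rule number whose text matches the extended regex in $2, or empty.
# ipfw evaluates rules in ascending number order, so this is "first hit".
first_rule() {
    printf '%s\n' "$1" | grep -E "$2" | awk '{print $2 + 0}' | sort -n | head -n 1
}

# Verify: divert natd < check-state < first keep-state < deny established.
# Exit status 0 when the order holds, 1 otherwise (reason printed on stdout).
check_order() {
    divert=$(first_rule "$1" 'divert natd')
    cs=$(first_rule "$1" 'check-state')
    ks=$(first_rule "$1" 'keep-state')
    deny_est=$(first_rule "$1" 'deny tcp .*established')
    for v in "$divert" "$cs" "$ks" "$deny_est"; do
        [ -n "$v" ] || { echo "missing divert, check-state, keep-state or deny-established rule"; return 1; }
    done
    [ "$divert" -lt "$cs" ] || { echo "divert natd ($divert) must precede check-state ($cs)"; return 1; }
    [ "$cs" -lt "$ks" ] || { echo "check-state ($cs) must precede first keep-state ($ks)"; return 1; }
    [ "$ks" -lt "$deny_est" ] || { echo "keep-state ($ks) must precede deny established ($deny_est)"; return 1; }
    echo "ordering ok: divert=$divert check-state=$cs keep-state=$ks deny-established=$deny_est"
}

check_order "$RULES"
check_order "$BAD_RULES" || echo "rejected as expected"
```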