Date:      Thu, 30 Jan 2003 07:22:33 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        barbish@a1poweruser.com
Cc:        Nick Rogness <nick@rogness.net>, "Simon L. Nielsen" <simon@nitro.dk>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Error in ipfw manpage for stateful rules?
Message-ID:  <3E394339.6080201@tenebras.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGKENKDEAA.barbish@a1poweruser.com>
References:  <MIEPLLIBMLEEABPDBIEGKENKDEAA.barbish@a1poweruser.com>

JoeB wrote:

> That is not the only thing wrong with the example.
> IPFW with NATD does not function with keep-state rules.


Oh, but it does.  It just requires the right set of rules.
This is oft-discussed, and is not a design defect but a
consequence of using two different types of stateful mechanism.

I myself use stateful rules and natd -- some of the ruleset
is quite non-intuitive.

> Just read the IPFW-list archives back through 1/2002 and you will
> get a very clear picture of the problem.

I believe that, if you go further back in the archives, you'll see
I was laboring under the same misunderstanding.

Here's an example:

pub_hosts=outside IP addr list / public net
prv_net= rfc1918 addrs / private net
oif= outside if
iif= inside if


$fw add 02100 set 0 divert natd ip from any to any via $oif
$fw add 02200 set 0 check-state
$fw add 02400 set 0 allow ip from $pub_hosts to any out xmit $oif
$fw add 02450 set 0 deny tcp from any to any established
$fw add 03300 set 0 allow tcp from $prv_net to any in via $iif keep-state setup
$fw add 03400 set 0 allow udp from $prv_net to any keep-state
$fw add 03500 set 0 allow icmp from $prv_net to any


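The rule ordering in the ruleset above, as an added example that is not part of the original mail: a small Python simulation with constructed addresses and reduced models of natd and the ipfw dynamic-rule check. It traces one TCP connection through its three firewall passes and compares divert-before-check-state with the reverse order.

```python
# Added example, not from the original mail: a simulation of the ruleset's ordering.
# Addresses, ports and all helper names are constructed for illustration.
PUB = "203.0.113.5"      # an address from $pub_hosts (constructed)
PRV = "192.168.1.10"     # a host in $prv_net (constructed)
REMOTE = "198.51.100.7"  # a server on the Internet (constructed)

def natd(p, direction):
    """Reduced natd: rewrite src on the way out, dst on the way back in."""
    p = dict(p)
    if direction == "out" and p["src"] == PRV:
        p["src"] = PUB
    elif direction == "in" and p["dst"] == PUB:
        p["dst"] = PRV
    return p

def conn_key(p):
    """Endpoint pair a dynamic (keep-state) rule is keyed on, in either direction."""
    return frozenset([(p["src"], p["sport"]), (p["dst"], p["dport"])])

def fw_pass(p, iface, direction, state, divert_first=True):
    """One pass through a reduced version of the mail's rules.
    Returns (matching rule number, or None for default deny, packet as it leaves)."""
    p = dict(p)
    if divert_first and iface == "oif":
        p = natd(p, direction)          # 02100 divert natd ip from any to any via $oif
    if conn_key(p) in state:
        return 2200, p                  # 02200 check-state
    if not divert_first and iface == "oif":
        p = natd(p, direction)          # for comparison: divert placed after check-state
    if direction == "out" and iface == "oif" and p["src"] == PUB:
        return 2400, p                  # 02400 allow ip from $pub_hosts to any out xmit $oif
    if p["flags"] == "ack":
        return 2450, p                  # 02450 deny tcp from any to any established
    if direction == "in" and iface == "iif" and p["src"] == PRV and p["flags"] == "syn":
        state.add(conn_key(p))          # 03300 allow tcp from $prv_net to any in via $iif keep-state setup
        return 3300, p
    return None, p

def handshake(divert_first=True):
    """Client SYN in via $iif, same SYN out via $oif, server SYN/ACK back in via $oif.
    Returns (rule for pass 1, rule for pass 2, src the SYN leaves with, rule for pass 3)."""
    state = set()
    syn = {"src": PRV, "sport": 40000, "dst": REMOTE, "dport": 80, "flags": "syn"}
    r1, _ = fw_pass(syn, "iif", "in", state, divert_first)
    r2, out = fw_pass(syn, "oif", "out", state, divert_first)
    reply = {"src": REMOTE, "sport": 80, "dst": PUB, "dport": 40000, "flags": "ack"}
    r3, _ = fw_pass(reply, "oif", "in", state, divert_first)
    return r1, r2, out["src"], r3

if __name__ == "__main__":
    print("divert before check-state:", handshake(True))   # (3300, 2400, PUB, 2200)
    print("check-state before divert:", handshake(False))  # (3300, 2200, PRV, 2450)
```

With divert first, the translated SYN is let out by 02400 and the translated reply matches the dynamic rule at check-state; with check-state first, the SYN matches its own dynamic rule before natd sees it and leaves untranslated, and the reply is dropped by 02450.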