From owner-freebsd-ipfw Mon Feb 11 23:47:57 2002
From: "Gautham Ganapathy"
To: "FreeBSD Newbies @ FreeBSD.org"
Cc: "FreeBSD Firewall @ FreeBSD.org"
Subject: Changing a port in a packet
Date: Tue, 12 Feb 2002 12:29:48 +0530
Message-ID: <004701c1b392$dc3766e0$de56579d@india.ti.com>

Hi

How do I configure my firewall so that an incoming connection to port 80
can be diverted to a server on another port, say 60? The packet returned
from the server will also need to be modified so that the client sees a
packet coming from port 80. Is this possible?
Regards
Gautham

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
From owner-freebsd-ipfw Wed Feb 13 00:53:59 2002
From: "Andrew V. Jemerya"
Organization: Jet Infosystems
To: ipfw@freebsd.org
Subject: keep-state rule before nat
Date: Wed, 13 Feb 2002 11:59:14 +0200
Message-ID: <3C6A38F2.8B65E6EC@jet.msk.su>

Hi, guys!

I had some trouble with keep-state rules recently.
My firewall rules are the following:

check-state
allow tcp from any to xxxx 25 keep-state
allow udp from any 53 to xxx 53 keep-state

divert natd from 192.168.0.0/24 to any out via rl0
divert from any to xxx in via rl0

allow all from 192.168.0.4 to any via rl1 keep-state

This construction doesn't work properly, but exactly it doesn't work at all.
What can I do for this situation?
From owner-freebsd-ipfw Wed Feb 13 00:59:10 2002
From: Ruslan Ermilov
To: "Andrew V. Jemerya"
Cc: ipfw@FreeBSD.ORG
Subject: Re: keep-state rule before nat
Date: Wed, 13 Feb 2002 10:58:07 +0200
Message-ID: <20020213105807.B46245@sunbay.com>
In-Reply-To: <3C6A38F2.8B65E6EC@jet.msk.su>

On Wed, Feb 13, 2002 at 11:59:14AM +0200, Andrew V. Jemerya wrote:
> Hi, guys!
>
> I had some trouble with keep-state rules recently.
> My firewall rules are the following:
>
> check-state
> allow tcp from any to xxxx 25 keep-state
> allow udp from any 53 to xxx 53 keep-state
>
> divert natd from 192.168.0.0/24 to any out via rl0
> divert from any to xxx in via rl0
>
> allow all from 192.168.0.4 to any via rl1 keep-state
>
> This construction doesn't work properly, but exactly it doesn't work at
> all
> What can I do for this situation?
>
Keep-state combined with divert is really tricky.
Search ML archives for a possible solution. I posted them once.
Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

From owner-freebsd-ipfw Thu Feb 14 08:43:05 2002
From: Michael Sierchio
To: freebsd-ipfw@freebsd.org, freebsd-net@freebsd.org
Subject: Bug in stateful code?
Date: Thu, 14 Feb 2002 08:42:53 -0800
Message-ID: <3C6BE90D.3020108@tenebras.com>

I've sent this to Luigi and a couple of other folks without reply,
so here it is.

I'm seeing what I believe to be a bug in the stateful filter code
for ipfw/ip_fw. Here's my original message:

=============================================================================

Running ipfw w/natd, connections through the gateway are dying.
Two dynamic rules get instantiated for each connection through the gateway
-- one with NAT'd addresses and one revealing the private addresses

$on = external net = X.Y.Z/24
$in = internal net = A.B.C/24 (192.168.1.0/24)

the external IP is X.Y.Z.23
the internal IP is A.B.C.1

firewall rules:

[some static rules...]

$fw add divert natd ip from any to any via $external_interface

$fw add check-state

$fw add allow tcp from $in to any setup keep-state
$fw add allow udp from $in to any keep-state

$fw add allow tcp from $on to any setup keep-state
$fw add allow udp from $on to any keep-state

An ssh connection from A.B.C.4 to X.Y.Z.44 causes the following dynamic
rules to appear:

02400 15 3197 (T 16, slot 760) <-> tcp, X.Y.Z.23 1549<-> X.Y.Z.44 22
02200 45 9151 (T 296, slot 913) <-> tcp, A.B.C.4 1549<-> X.Y.Z.44 22

Note 02400 -- this connection timer seems to indicate that it is waiting for
a completed 3-way handshake and hasn't seen the other SYN. The connection
dies because the time counts down. The timer for 02200 doesn't count down
because the keep-alives are resetting it.

Any insight as to why this is happening? Seems like a bug in the state
machine. I could be convinced otherwise, but it seems that these two rules
should see the connection as being in the same state -- they both see the
same packets.

BTW, I could simplify this by safely allowing

$fw add divert natd ip from any to any via $external_interface

$fw add check-state

$fw add allow ip from $in to any
$fw add allow ip from any to $in

$fw add allow tcp from $on to any setup keep-state
$fw add allow udp from $on to any keep-state

But the dynamic rule on the public side still seems to be using
net.inet.ip.fw.dyn_syn_lifetime instead of net.inet.ip.fw.dyn_ack_lifetime.

Comments?
From owner-freebsd-ipfw Thu Feb 14 09:37:06 2002
From: Luigi Rizzo
To: Michael Sierchio
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Date: Thu, 14 Feb 2002 09:36:47 -0800
Message-ID: <20020214093647.A57238@iguana.icir.org>
In-Reply-To: <3C6BE90D.3020108@tenebras.com>

On Thu, Feb 14, 2002 at 08:42:53AM -0800, Michael Sierchio wrote:
>
> I've sent this to Luigi and a couple of other folks without reply,
> so here it is.

the reply was that keep-state and natd are very hard to use
together, and besides it is rather useless because natd is stateful
by itself.

This said, we have only so much time to do things. Sure, i do not
exclude a-priori the possibility of a bug, but it sounds more likely
to be a misconfiguration of your ruleset, and since the example you
are presenting has no reasonable application (that i can see -- again,
i'm happy to be proved wrong), i do not feel like spending an hour or
two trying to infer what is on your [some static rules], and i'll
happily leave you the job to explain where the bug is (which means
reconstruct the flow of packets in and out of the ipfw and show which
one is dealt with in the wrong way).
cheers
luigi
From owner-freebsd-ipfw Thu Feb 14 12:43:51 2002
From: Michael Sierchio
To: Luigi Rizzo
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Date: Thu, 14 Feb 2002 12:43:44 -0800
Message-ID: <3C6C2180.3020704@tenebras.com>
References: <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>

Luigi Rizzo wrote:
> the reply was that keep-state and natd are very hard to use
> together, and besides it is rather useless because natd is stateful
> by itself.
natd is stateful, but provides no protection for inbound IP traffic
that is destined for the filtering host itself. The ruleset *is*
particularly useful, since the host in question is both a router for
nat'd hosts and a dns and mail server. I'd like to preserve stateful
filtering rules for packets that originate at and are destined for the
host itself.

> ..., i do not feel like spending
> an hour or two trying to infer what is on your [some static rules],
> and i'll happily leave you the job to explain where the bug (which
> means reconstruct the flow of packets in and out of the ipfw and
> show which one is dealt in the wrong way).

I'd be happy to share the static rules -- and AFAIK I did give a hint
as to what the problem is. What kind of evidence do you want, in
particular? I have a tcpdump that shows the packet exchange, shows SYN
from each host, and demonstrates that the dynamic rule is in the wrong
state, using the wrong timer. This could easily have something to do
with the interaction of ipfw and natd, but I'm just reporting the
observable phenomena.

From owner-freebsd-ipfw Thu Feb 14 13:15:19 2002
From: "Rogier R. Mulhuijzen"
To: Michael Sierchio, Luigi Rizzo
Subject: Re: Bug in stateful code?
Date: Thu, 14 Feb 2002 22:25:13 +0100
Message-Id: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
In-Reply-To: <3C6C2180.3020704@tenebras.com>
References: <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>

>>the reply was that keep-state and natd are very hard to use
>>together, and besides it is rather useless because natd is stateful
>>by itself.

>natd is stateful, but provides no protection for inbound IP traffic
>that is destined for the filtering host itself.

I have personally looked at natd & stateful ipfw rules, and have concluded
that it is logically impossible to get it to work. Thus I made an ipfw
rulelist that utilizes the statefulness of natd. I hope this helps you in
making your own rulelist.

tl0 is the interface on internal LAN
lnc0 is the interface on external LAN

--------------------
#divert all http requests from internal network to squid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
#connection)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from to 22 in via lnc0
add 30210 allow tcp from 22 to out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from 53 to in via lnc0
add 30310 allow udp from to 53 out via lnc0
add 30320 allow udp from 53 to in via lnc0
add 30330 allow udp from to 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from to any out via lnc0 keep-state

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any
--------------------

Greets,

Doc

From owner-freebsd-ipfw Thu Feb 14 13:33:25 2002
From: "Rogier R. Mulhuijzen"
To: Michael Sierchio, Luigi Rizzo
Subject: Re: Bug in stateful code?
Date: Thu, 14 Feb 2002 22:43:30 +0100
Message-Id: <5.1.0.14.0.20020214224151.01c350c0@mail.drwilco.net>
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
In-Reply-To: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>
References: <3C6C2180.3020704@tenebras.com> <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org>

At 22:25 14-2-2002 +0100, Rogier R. Mulhuijzen wrote:
----SNIP----

Oops, forgot a few rules at the end (bad copy/paste). So here it is again.

tl0 is the interface on internal LAN
lnc0 is the interface on external LAN

--------------------
#divert all http requests from internal network to squid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

#allow all traffic to/from internal network
add 01000 allow all from any to any via tl0

#translate incoming packets (NAT)
add 30000 divert natd all from any to in via lnc0

#allow incoming packets for hosts on internal network
#(Since we translated them, we're sure they belong to existing
#connection)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

#allow SSH from XXXXXXXX
add 30200 allow tcp from to 22 in via lnc0
add 30210 allow tcp from 22 to out via lnc0

#allow DNS queries to UUnet DNS servers
add 30300 allow udp from 53 to in via lnc0
add 30310 allow udp from to 53 out via lnc0
add 30320 allow udp from 53 to in via lnc0
add 30330 allow udp from to 53 out via lnc0

#allow outgoing traffic from internal hosts
#(use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

#allow outgoing connections from local machine (using dynamic rules)
add 32000 allow all from to any out via lnc0 keep-state

#block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

#translate outgoing packets (NAT)
add 34000 divert natd all from any to any out via lnc0

#allow translated packets to go out
add 34010 allow all from 195.109.218.253 to any out via lnc0

#block and log whatever remains (shouldn't be anything)
add 65000 deny log all from any to any
--------------------

Greets,

Doc

From owner-freebsd-ipfw Thu Feb 14 13:59:44 2002
From: Luigi Rizzo
To: Michael Sierchio
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Date: Thu, 14 Feb 2002 13:59:36 -0800
Message-ID: <20020214135936.A59207@iguana.icir.org>
In-Reply-To: <3C6C2180.3020704@tenebras.com>
References: <3C6BE90D.3020108@tenebras.com> <20020214093647.A57238@iguana.icir.org> <3C6C2180.3020704@tenebras.com>

On Thu, Feb 14, 2002 at 12:43:44PM -0800, Michael Sierchio wrote:
> >..., i do not feel like spending
> >an hour or two trying to infer what is on your [some static rules],
> >and i'll happily leave you the job to explain where the bug (which
> >means reconstruct the flow of packets in and out of the ipfw and
> >show which one is dealt in the wrong way).
>
> I'd be happy to share the static rules -- and AFAIK I did give a hint
> as to what the problem is. What kind of evidence do you want, in
> particular?
> I have a tcpdump that shows the packet exchange, shows SYN from each
> host, and demonstrates that the dynamic rule is in the wrong state,
> using the wrong timer. This could easily have something to do with the

the only reason why the rule can be "in the wrong state" as you say,
is that the packet you are waiting for never reaches the rule. Which
in turn boils down to a misconfiguration of the ruleset.

A tcpdump alone, even taken on both sides, is not enough because the
packet goes like this:

    input interface
    ip_input()
    ipfw up to the natd rule
    natd
    rest of ipfw ruleset
    ip_output() (if gateway is enabled)
    ipfw up to the natd rule
    natd
    rest of ipfw ruleset

where it is dropped, you might probably figure out with a bit of
experimenting and looking at ipfw counters and possibly running natd
in verbose mode.
luigi

From owner-freebsd-ipfw Thu Feb 14 15:20:56 2002
From: "Crist J. Clark"
To: Michael Sierchio
Cc: freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Date: Thu, 14 Feb 2002 15:20:52 -0800
Message-ID: <20020214152052.C36782@blossom.cjclark.org>
In-Reply-To: <3C6BE90D.3020108@tenebras.com>; from kudzu@tenebras.com on Thu, Feb 14, 2002 at 08:42:53AM -0800

On Thu, Feb 14, 2002 at 08:42:53AM -0800, Michael Sierchio wrote:
>
> I've sent this to Luigi and a couple of other folks without reply,
> so here it is.

I _DID_ reply to you and on -net explaining why this does not work.

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=13412+0+current/freebsd-net
--
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

From owner-freebsd-ipfw Fri Feb 15 08:21:20 2002
From: Chris Dillon
To: "Rogier R. Mulhuijzen"
Cc: Michael Sierchio, Luigi Rizzo
Subject: Re: Bug in stateful code?
Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST)
In-Reply-To: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>

On Thu, 14 Feb 2002, Rogier R. Mulhuijzen wrote:
> I have personally looked at natd & stateful ipfw rules, and have
> concluded that it logically impossible to get it to work.
>
> Thus I made a ipfw rulelist that utilizes the statefulness of
> natd. I hope this helps you in making your own rulelist.

If you have the luxury of having more than one IP address available
for the outside interface, you can dedicate one address to natd's use,
and the other to the host machine. Use -deny_incoming on natd, and
use whatever rules you want, including stateful, on the non-NAT
address. This is what I've done and it works fine.
--
Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
FreeBSD: The fastest and most stable server OS on the planet
- Available for IA32 (Intel x86) and Alpha architectures
- IA64, PowerPC, UltraSPARC, and ARM architectures under development
- http://www.freebsd.org

From owner-freebsd-ipfw Fri Feb 15 08:32:12 2002
From: Michael Sierchio
To: Chris Dillon
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: Bug in stateful code?
Date: Fri, 15 Feb 2002 08:32:08 -0800
Message-ID: <3C6D3808.5080900@tenebras.com>

Chris Dillon wrote:
> If you have the luxury of having more than one IP address available
> for the outside interface, you can dedicate one address to natd's use,
> and the other to the host machine. Use -deny_incoming on natd, and
> use whatever rules you want, including stateful, on the non-NAT
> address. This is what I've done and it works fine.

Thanks. That works.
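The packet path Luigi describes (ipfw up to the divert rule, natd, the rest of the ruleset, once at ip_input() and once at ip_output()) and the -deny_incoming behaviour Chris relies on can both be traced with a small model. The following is an added example written for this archive, not FreeBSD's or any poster's code; it assumes string addresses, a bidirectional dynamic-rule table, and that a dynamic rule counts as established only after a SYN from both sides, and it runs Michael's ruleset from the first message to show why rule 02400 stays on dyn_syn_lifetime while 02200 moves to dyn_ack_lifetime.

```python
"""Model of the ipfw/natd packet path from the thread: an added example, not
FreeBSD's or any poster's code.  Assumed: string addresses; a forwarded
packet passes ipfw at ip_input() and again at ip_output(); a divert rule
hands the packet to natd and evaluation resumes at the next rule with the
translated addresses; a dynamic rule is established once both sides' SYN seen."""
INT, EXT = "int", "ext"                        # internal / external interface
IN_NET, ON_NET = "A.B.C.", "X.Y.Z."            # $in and $on from the thread
NAT_ADDR = "X.Y.Z.23"                          # address natd aliases to
DYN_SYN_LIFETIME, DYN_ACK_LIFETIME = 20, 300   # net.inet.ip.fw.dyn_*_lifetime

class Packet:
    def __init__(self, src, sport, dst, dport, flags):
        self.src, self.sport, self.dst, self.dport = src, sport, dst, dport
        self.flags, self.iface, self.direction = flags, None, None

    def key(self, reverse=False):
        s, d = (self.src, self.sport), (self.dst, self.dport)
        return d + s if reverse else s + d

class Natd:
    """Outbound private sources get a table entry and become NAT_ADDR; inbound
    packets are looked up in that table (dropped if absent and deny_incoming)."""
    def __init__(self, deny_incoming=False):
        self.table = {}                        # (NAT_ADDR, port) -> (private, port)
        self.deny_incoming = deny_incoming

    def translate(self, p):                    # False means natd dropped it
        if p.direction == "out" and p.src.startswith(IN_NET):
            self.table[(NAT_ADDR, p.sport)] = (p.src, p.sport)
            p.src = NAT_ADDR
        elif p.direction == "in":
            entry = self.table.get((p.dst, p.dport))
            if entry:
                p.dst, p.dport = entry
            elif self.deny_incoming:
                return False
        return True

class Ipfw:
    """Rule = (number, action, predicate, keep_state); dynamic rules match
    either direction of their 4-tuple, as ipfw's do."""
    def __init__(self, rules, natd):
        self.rules, self.natd, self.dyn = rules, natd, {}

    def _lookup_dyn(self, p):
        return next((k for k in (p.key(), p.key(True)) if k in self.dyn), None)

    def _touch(self, key, p):
        state = self.dyn[key]
        # A SYN from the side that did not create the rule completes the
        # handshake; only then does the rule get the longer ack lifetime.
        if "S" in p.flags and p.key(True) == key:
            state["established"] = True
        state["timer"] = DYN_ACK_LIFETIME if state["established"] else DYN_SYN_LIFETIME

    def process(self, p):
        for number, action, match, keep_state in self.rules:
            if action == "divert":
                if match(p) and not self.natd.translate(p):
                    return "deny"                # dropped inside natd
                continue                         # resume at the next rule
            if action == "check-state":
                key = self._lookup_dyn(p)
                if key:
                    self._touch(key, p)
                    return "allow"
                continue
            if match(p):
                if keep_state and not self._lookup_dyn(p):
                    self.dyn[p.key()] = {"rule": number, "established": False,
                                         "timer": DYN_SYN_LIFETIME}
                return action
        return "deny"                            # default rule

    def forward(self, p, in_iface, out_iface):
        # Luigi's path: ipfw (natd, rest of ruleset) at input, then at output.
        p.iface, p.direction = in_iface, "in"
        if self.process(p) != "allow":
            return "deny"
        p.iface, p.direction = out_iface, "out"
        return self.process(p)

def michael_ruleset(natd):
    return Ipfw([
        (2000, "divert", lambda p: p.iface == EXT, False),
        (2100, "check-state", None, False),
        (2200, "allow", lambda p: p.src.startswith(IN_NET) and p.flags == "S", True),
        (2400, "allow", lambda p: p.src.startswith(ON_NET) and p.flags == "S", True),
    ], natd)

def run_ssh_handshake(deny_incoming=False):
    fw = michael_ruleset(Natd(deny_incoming))
    fw.forward(Packet("A.B.C.4", 1549, "X.Y.Z.44", 22, "S"), INT, EXT)
    fw.forward(Packet("X.Y.Z.44", 22, NAT_ADDR, 1549, "SA"), EXT, INT)
    return {s["rule"]: (s["established"], s["timer"]) for s in fw.dyn.values()}

def unsolicited_inbound_syn(deny_incoming):
    fw = michael_ruleset(Natd(deny_incoming))
    return fw.forward(Packet("X.Y.Z.44", 4000, NAT_ADDR, 22, "S"), EXT, INT)
```

run_ssh_handshake() shows the SYN/ACK being un-translated by natd before it reaches check-state, so only the private-side rule ever sees it and the public-side rule keeps the SYN lifetime. unsolicited_inbound_syn() shows that with -deny_incoming an inbound SYN to the NAT address with no table entry is dropped inside natd before any rule is consulted, whereas without it the packet reaches the ruleset, where "allow tcp from $on to any setup keep-state" admits a source inside the external net.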
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Feb 15 9:18:44 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from gate.killian.com (gate.killian.com [205.179.65.162]) by hub.freebsd.org (Postfix) with ESMTP id 5ABB237B400; Fri, 15 Feb 2002 09:18:40 -0800 (PST) Received: (from smtp@localhost) by gate.killian.com (8.11.6/8.11.6) id g1FHIbJ37362; Fri, 15 Feb 2002 09:18:37 -0800 (PST) (envelope-from earl@killian.com) Received: from sax.killian.com(199.165.155.18) via SMTP by gate.killian.com, id smtpdXTvTxk; Fri Feb 15 09:18:29 2002 From: "Earl A. Killian" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15469.17124.999950.13271@sax.killian.com> Date: Fri, 15 Feb 2002 09:18:28 -0800 To: Chris Dillon Cc: "Rogier R. Mulhuijzen" , Michael Sierchio , Luigi Rizzo , , Subject: Re: Bug in stateful code? In-Reply-To: References: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net> X-Mailer: VM 7.00 under 21.4 (patch 5) "Civil Service" XEmacs Lucid Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Chris Dillon writes: > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST) > From: Chris Dillon > > If you have the luxury of having more than one IP address available > for the outside interface, you can dedicate one address to natd's use, > and the other to the host machine. Use -deny_incoming on natd, and > use whatever rules you want, including stateful, on the non-NAT > address. This is what I've done and it works fine. This sounds promising, but I am confused by the man page on -deny_incoming. Perhaps you could clarify? It says, "Do not pass incoming packets that have no entry in the internal translation table." Which internal translation table do they mean? 
If this is the translation table set up when an internal host packet is forwarded to the internet, I don't see how a connection ever gets established. Does "internal translation table" mean something else? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Feb 15 9:39:45 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id F1C0237B402 for ; Fri, 15 Feb 2002 09:39:37 -0800 (PST) Received: (qmail 4032 invoked from network); 15 Feb 2002 17:39:37 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 15 Feb 2002 17:39:37 -0000 Message-ID: <3C6D47D9.10003@tenebras.com> Date: Fri, 15 Feb 2002 09:39:37 -0800 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020131 X-Accept-Language: en-us MIME-Version: 1.0 To: "Earl A. Killian" Cc: Chris Dillon , "Rogier R. Mulhuijzen" , Luigi Rizzo , freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: Bug in stateful code? References: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net> <15469.17124.999950.13271@sax.killian.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Earl A. Killian wrote: > Chris Dillon writes: > > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST) > > From: Chris Dillon > > > > If you have the luxury of having more than one IP address available > > for the outside interface, you can dedicate one address to natd's use, > > and the other to the host machine. Use -deny_incoming on natd, and > > use whatever rules you want, including stateful, on the non-NAT > > address. This is what I've done and it works fine. 
> > This sounds promising, but I am confused by the man page on > -deny_incoming. Perhaps you could clarify? It says, "Do not pass > incoming packets that have no entry in the internal translation > table." Which internal translation table do they mean? If this is > the translation table set up when an internal host packet is forwarded > to the internet, I don't see how a connection ever gets established. > Does "internal translation table" mean something else? It's a 'natd' option, which says not to pass incoming packets (from the nat'd interface, presumably the external interface) which aren't part of established "connections" -- the internal translation table is internal to natd. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Feb 15 9:52:24 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from gate.killian.com (gate.killian.com [205.179.65.162]) by hub.freebsd.org (Postfix) with ESMTP id 53B8137B400; Fri, 15 Feb 2002 09:52:19 -0800 (PST) Received: (from smtp@localhost) by gate.killian.com (8.11.6/8.11.6) id g1FHqJc37544; Fri, 15 Feb 2002 09:52:19 -0800 (PST) (envelope-from earl@killian.com) Received: from sax.killian.com(199.165.155.18) via SMTP by gate.killian.com, id smtpdfIvb0i; Fri Feb 15 09:52:13 2002 From: "Earl A. Killian" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15469.19149.677645.220962@sax.killian.com> Date: Fri, 15 Feb 2002 09:52:13 -0800 To: "Michael Sierchio" Cc: "Chris Dillon" , "Rogier R. Mulhuijzen" , "Luigi Rizzo" , freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: Bug in stateful code? 
In-Reply-To: <3C6D47D9.10003@tenebras.com> References: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net> <15469.17124.999950.13271@sax.killian.com> <3C6D47D9.10003@tenebras.com> X-Mailer: VM 7.00 under 21.4 (patch 5) "Civil Service" XEmacs Lucid Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Michael Sierchio writes: > Date: Fri, 15 Feb 2002 09:39:37 -0800 > From: Michael Sierchio > > It's a 'natd' option, which says not to pass incoming packets (from > the nat'd interface, presumably the external interface) which > aren't part of established "connections" -- the internal translation > table is internal to natd. So then I'm asking how does anything ever get into that table, if incoming packets are all denied? Are SYN packets exempted from -deny_incoming? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Feb 15 10:14:47 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id D9B5937B404 for ; Fri, 15 Feb 2002 10:14:39 -0800 (PST) Received: (qmail 4153 invoked from network); 15 Feb 2002 18:14:38 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 15 Feb 2002 18:14:38 -0000 Message-ID: <3C6D500E.50609@tenebras.com> Date: Fri, 15 Feb 2002 10:14:38 -0800 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020131 X-Accept-Language: en-us MIME-Version: 1.0 To: "Earl A. Killian" Cc: Chris Dillon , "Rogier R. Mulhuijzen" , Luigi Rizzo , freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG Subject: Re: Bug in stateful code? 
References: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net> <15469.17124.999950.13271@sax.killian.com> <3C6D47D9.10003@tenebras.com> <15469.19149.677645.220962@sax.killian.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Earl A. Killian wrote: > So then I'm asking how does anything ever get into that table, if > incoming packets are all denied? Are SYN packets exempted from > -deny_incoming? No, SYN packets aren't exempted. Incoming packets that are associated with a pre-existing connection (or attempt) originating from the inside are permitted. The other option is to set '-target_address', which would redirect such incoming packets to a particular address. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message From owner-freebsd-ipfw Fri Feb 15 10:34:28 2002 Delivered-To: freebsd-ipfw@freebsd.org Received: from mail.wolves.k12.mo.us (mail.wolves.k12.mo.us [207.160.214.1]) by hub.freebsd.org (Postfix) with ESMTP id 96C0937B404; Fri, 15 Feb 2002 10:34:08 -0800 (PST) Received: from mail.wolves.k12.mo.us (cdillon@mail.wolves.k12.mo.us [207.160.214.1]) by mail.wolves.k12.mo.us (8.9.3/8.9.3) with ESMTP id MAA05061; Fri, 15 Feb 2002 12:34:00 -0600 (CST) (envelope-from cdillon@wolves.k12.mo.us) Date: Fri, 15 Feb 2002 12:33:58 -0600 (CST) From: Chris Dillon To: "Earl A. Killian" Cc: "Rogier R. Mulhuijzen" , Michael Sierchio , Luigi Rizzo , , Subject: Re: Bug in stateful code? 
In-Reply-To: <15469.17124.999950.13271@sax.killian.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-ipfw@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Fri, 15 Feb 2002, Earl A. Killian wrote: > Chris Dillon writes: > > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST) > > From: Chris Dillon > > > > If you have the luxury of having more than one IP address available > > for the outside interface, you can dedicate one address to natd's use, > > and the other to the host machine. Use -deny_incoming on natd, and > > use whatever rules you want, including stateful, on the non-NAT > > address. This is what I've done and it works fine. > > This sounds promising, but I am confused by the man page on > -deny_incoming. Perhaps you could clarify? It says, "Do not pass > incoming packets that have no entry in the internal translation > table." Which internal translation table do they mean? The translation table in natd. The -deny-incoming option is designed to deny incoming connections to the host, not the internal machines. By design you can't create an incoming connection to internal machines without redirect rules in place anyway. -- Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net FreeBSD: The fastest and most stable server OS on the planet - Available for IA32 (Intel x86) and Alpha architectures - IA64, PowerPC, UltraSPARC, and ARM architectures under development - http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
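The point the thread converges on (entries in natd's translation table are created only by outbound traffic, so -deny_incoming drops exactly the inbound packets no inside host asked for, while the host's own, non-NAT address can be protected with ordinary stateful ipfw rules) as a constructed Python model. This is added illustration, not natd or ipfw code, and it simplifies the real daemon: no timeouts, no port collisions, TCP only. The addresses, the alias port range starting at 49152 and the single service (port 22) open on the host address are assumptions made for the example; `Gateway.inbound` stands in for a divert rule that matches only the NAT address.

```python
# Constructed toy model of natd's translation table, its -deny_incoming and
# -target_address options, and the "one address for natd, one for the host"
# layout from the thread. Not natd or ipfw source: timeouts, port collisions
# and non-TCP traffic are ignored; addresses are made-up documentation ranges.
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple

NAT_ADDR = "203.0.113.1"        # outside address dedicated to natd (assumption)
HOST_ADDR = "203.0.113.2"       # outside address the gateway host itself uses (assumption)
INSIDE_CLIENT = "192.168.1.10"  # an internal machine behind natd (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Natd:
    """Table entries are created only by outgoing packets, so an incoming
    packet either matches a flow the inside started or has no entry at all."""

    def __init__(self, alias_addr: str, deny_incoming: bool = False,
                 target_address: Optional[str] = None) -> None:
        self.alias_addr = alias_addr
        self.deny_incoming = deny_incoming
        self.target_address = target_address
        # (alias addr, alias port) -> (inside addr, inside port)
        self.table: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.alias_port_of: Dict[Tuple[str, int], int] = {}
        self.next_alias_port = 49152  # simplified allocator (assumption)

    def outgoing(self, pkt: Packet) -> Packet:
        """Outgoing traffic creates the entry and is rewritten to alias_addr."""
        inside = (pkt.src, pkt.sport)
        if inside not in self.alias_port_of:
            self.alias_port_of[inside] = self.next_alias_port
            self.table[(self.alias_addr, self.next_alias_port)] = inside
            self.next_alias_port += 1
        return replace(pkt, src=self.alias_addr, sport=self.alias_port_of[inside])

    def incoming(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None when natd drops it."""
        inside = self.table.get((pkt.dst, pkt.dport))
        if inside is not None:               # reply to an inside-initiated flow
            return replace(pkt, dst=inside[0], dport=inside[1])
        if self.deny_incoming:               # no entry: -deny_incoming drops it
            return None
        if self.target_address is not None:  # no entry: -target_address redirects it
            return replace(pkt, dst=self.target_address)
        return pkt                           # default: the gateway host receives it


class StatefulHostRules:
    """'check-state' plus 'allow ... keep-state' for the host's own address,
    with a fixed set of services reachable from outside."""

    def __init__(self, open_ports: Set[int]) -> None:
        self.open_ports = open_ports
        self.dynamic: Set[Tuple[str, int, str, int]] = set()

    def outgoing(self, pkt: Packet) -> None:
        # keep-state: remember the flow so the reply matches check-state
        self.dynamic.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))

    def incoming(self, pkt: Packet) -> bool:
        if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.dynamic:
            return True
        return pkt.dport in self.open_ports


class Gateway:
    """Only packets addressed to NAT_ADDR are diverted to natd; packets to
    HOST_ADDR never see natd and are judged by the stateful host rules."""

    def __init__(self) -> None:
        self.natd = Natd(NAT_ADDR, deny_incoming=True)
        self.host = StatefulHostRules(open_ports={22})

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src == HOST_ADDR:
            self.host.outgoing(pkt)
            return pkt
        return self.natd.outgoing(pkt)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.dst == NAT_ADDR:
            return self.natd.incoming(pkt)
        if pkt.dst == HOST_ADDR and self.host.incoming(pkt):
            return pkt
        return None


def demo() -> Dict[str, Optional[Packet]]:
    """Walk the cases the thread argues about and return each outcome."""
    gw = Gateway()
    server, scanner = "198.51.100.7", "198.51.100.9"  # constructed outside hosts
    out = gw.outbound(Packet(INSIDE_CLIENT, 40000, server, 80))
    return {
        "translated_out": out,
        "reply_to_inside": gw.inbound(Packet(server, 80, out.src, out.sport)),
        "unsolicited_to_nat": gw.inbound(Packet(scanner, 55555, NAT_ADDR, 22)),
        "ssh_to_host": gw.inbound(Packet(scanner, 55556, HOST_ADDR, 22)),
        "http_to_host": gw.inbound(Packet(scanner, 55557, HOST_ADDR, 80)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {'dropped' if result is None else result}")
```

Running `demo()` shows the reply to the inside client's own connection coming back through the table, an unsolicited SYN to the NAT address being dropped, and the host address answering only on the port its stateful rules expose; constructing `Natd` with `target_address` instead of `deny_incoming` shows the redirect alternative Michael mentions.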