Date:      Sat, 3 Aug 2002 00:03:40 -0700
From:      "Crist J. Clark" <>
To:        Joe & Fhe Barbish <>
Cc:        FBIPFW <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: natd & keep-state
Message-ID:  <>
In-Reply-To: <>
References:  <>

On Wed, Jul 31, 2002 at 10:07:59PM -0400, Joe & Fhe Barbish wrote:
> IPFW list members
> Advanced Stateful extensions were introduced in FBSD 4.0. When they
> first came out I changed my ipfw rules from stateless and simple
> stateful to using only Advanced Stateful rules for my user
> ppp -nat ISP connection. The ipfw rule set that works with user
> ppp -nat is posted below. I have tried to get this same rules file to
> function exchanging user ppp -nat for ipfw natd. There were always
> problems with the natd ip address and the dynamic rules table getting
> mismatches so I went back to user ppp -nat. Every new version of FBSD
> I would try again to use natd hoping there may have been some fixes
> to natd, but no such luck. Each new version still failed. Each time I
> would post questions to the FBSD questions list, but most of the
> replies were from people who were having the same problems with natd
> and keep-state rules that I was. Well now I am forced to address the
> problem again because I now have cable access to the internet and I
> can no longer use the -nat function of user ppp. So this time I joined
> this ipfw list hoping my post will be read by a larger group of people
> who have a very technical understanding of IPFW/NATD and the Advanced
> Stateful extensions check-state / keep-state who will be able to
> provide a solution or come to the realization that there is a bug
> that needs fixing.

Deja vu. I think we've been through this before.

There is not a bug. ipfw(8) and natd(8) both work as intended. It
happens that 'keep-state' and natd(8) tend not to work very well
together without some serious rule gymnastics.

But as I think I have mentioned to you before, when you use stateless
ipfw(8) rules in combination with natd(8), you can end up with a
stateful firewall. It may be easier to do that than try to pound
'keep-state' and natd(8) into submission.
Crist J. Clark
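The approach Crist describes, stateless ipfw rules that let natd's own translation table decide what comes back in, written out as an added example ruleset. This is not code from the thread, from Joe's posted rule set, or from FreeBSD's rc.firewall; the outside interface ed0, the inside network 192.168.1.0/24, and the assumption that natd was started with "natd -n ed0" are all placeholders for illustration. The trick is rule ordering: the divert rule runs first, so an inbound packet that natd knows about comes back with an inside destination and is allowed, while an unsolicited inbound packet is handed back untranslated, still addressed to the public IP, and falls through to the explicit service rules and then the deny.

```shell
#!/bin/sh
# Added example, not from the thread: a stateless ipfw ruleset that gets
# stateful behaviour from natd's translation table. Names below are assumed.
fwcmd="${fwcmd:-/sbin/ipfw}"   # set fwcmd=echo to preview the rules instead of loading them
oif="${oif:-ed0}"              # assumed outside (cable) interface, the one natd -n runs on
inet="${inet:-192.168.1.0/24}" # assumed inside network behind the NAT

apply_rules() {
    $fwcmd -f flush

    # Everything crossing the outside interface is handed to natd first.
    # Outbound: the source is rewritten to the public address and natd records
    # the flow. Inbound: the destination is rewritten back to the inside host
    # only if natd has a matching entry; otherwise the packet comes back unchanged.
    $fwcmd add 100 divert natd ip from any to any via "$oif"

    # Inbound packets that return from natd addressed to an inside host are
    # replies to flows natd has already seen (TCP, UDP and ICMP alike), so pass them.
    $fwcmd add 200 allow ip from any to "$inet" in via "$oif"

    # Unsolicited inbound packets still carry the public address at this point.
    # Admit only what is meant to be reachable (SSH to the firewall itself here),
    # log and drop everything else arriving on the outside interface.
    $fwcmd add 300 allow tcp from any to me 22 in via "$oif"
    $fwcmd add 400 deny log ip from any to any in via "$oif"

    # Outbound traffic on the outside interface has already been translated by
    # rule 100 (or originates from the firewall itself).
    $fwcmd add 500 allow ip from any to any out via "$oif"

    # Traffic that never touches the outside interface: loopback and the
    # inside LAN in both directions.
    $fwcmd add 600 allow ip from any to any via lo0
    $fwcmd add 700 allow ip from "$inet" to any in
    $fwcmd add 800 allow ip from any to "$inet" out
    $fwcmd add 65000 deny ip from any to any
}

# Load the rules only where ipfw actually exists; elsewhere (or with
# fwcmd=echo) the function can be called to review the generated rules.
command -v ipfw >/dev/null 2>&1 && apply_rules
```

No check-state or keep-state rule appears anywhere, so there is no dynamic rule table for natd's rewritten addresses to disagree with; natd's table is the only state. natd's own -deny_incoming option drops untranslated inbound packets at the translator and can be combined with this ruleset as a second layer.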
