Date:      Thu, 3 Jun 2004 08:42:17 +0300
From:      "Ari Suutari" <ari@suutari.iki.fi>
To:        "OpenMacNews" <freebsd-ipfw.20.openmacews@spamgourmet.com>, "freebsd-ipfw" <freebsd-ipfw@freebsd.org>
Subject:   Re: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <030301c4492d$89962150$2508473e@sad.syncrontech.com>
References:  <DAC6B2F195AD44196B3A03F5@[172.30.11.6]>

Hi,

> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use
> stateful rules?

    I'm running at least two machines with both natd and some stateful rules
    (for udp traffic). Works ok.

    The way I did it is to have two rules, for example:

    check-state
    allow udp from internal_network/24 to any 53 keep-state
    allow udp from public-ip-address to any 53 keep-state

    I *don't* have a rule for my internal interface which passes all traffic
    (i.e. 'pass ip from any to any via internal-interface-name',
    which seems to be a common setup; I use the 'via' keyword of ipfw
    only on anti-spoofing rules at the beginning of my ruleset, all other
    rules are then based on ip-addresses only).

    The setup above creates two dynamic rules when packets are
    going thru. One matches the packet before nat and one after.

        Ari S.



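The ruleset shape Ari describes, written out as an added example (this is not code from the mail or from FreeBSD's own rc.firewall): 'via' only on the anti-spoofing rules, the natd divert on the external interface placed before check-state so the state table is consulted against the already-translated packet, and the two address-based keep-state rules that produce one dynamic entry on the inside leg (internal source, before nat) and one on the outside leg (public source, after nat). Interface names, addresses and the natd port are constructed placeholders; the script only echoes the ipfw commands unless DRY_RUN is set to 0 on a FreeBSD host.

```shell
#!/bin/sh
# Constructed placeholders; override from the environment on a real host.
ext_if="${ext_if:-fxp0}"
int_if="${int_if:-fxp1}"
int_net="${int_net:-192.168.1.0/24}"
pub_ip="${pub_ip:-203.0.113.10}"
natd_port="${natd_port:-8668}"

# build_ruleset prints one ipfw rule per line, in load order.
# Comment lines explain the ordering and are stripped before loading.
build_ruleset() {
    cat <<EOF
# anti-spoofing: the only rules that key on an interface with 'via'
deny ip from ${int_net} to any in via ${ext_if}
deny ip from not ${int_net} to any in via ${int_if}
# divert to natd before check-state: packets re-enter the ruleset after this
# rule with the translated address, so the dynamic rules see the post-NAT copy
divert ${natd_port} ip from any to any via ${ext_if}
check-state
# address-based stateful rules, no per-interface pass-all rule:
# the first matches the packet on the internal leg (pre-NAT source),
# the second on the external leg (post-NAT public source)
allow udp from ${int_net} to any 53 keep-state
allow udp from ${pub_ip} to any 53 keep-state
deny ip from any to any
EOF
}

# apply_ruleset numbers the rules 100 apart and either echoes the ipfw
# commands (DRY_RUN=1, the default) or runs them (DRY_RUN=0, FreeBSD only).
apply_ruleset() {
    n=100
    build_ruleset | grep -v '^#' | while IFS= read -r rule; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ipfw add $n $rule"
        else
            # word-splitting of $rule is intended: each token is an ipfw argument
            ipfw add "$n" $rule
        fi
        n=$((n + 100))
    done
}

apply_ruleset
```

Run it as-is to see the numbered rules; on a FreeBSD router with natd listening on the divert port, flush the existing ruleset first (ipfw -f flush) and then run with DRY_RUN=0. The point to keep from the mail is the ordering: if check-state sat in front of the divert rule, a reply arriving on the external interface would be matched against the dynamic entries before natd had rewritten its destination.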