Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 3 Jun 2004 07:00:04 -0000
From:      Thomas Wolf <tw@wsf.at>
To:        Barbish3@adelphia.net, freebsd-ipfw@freebsd.org
Subject:   RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <20040603090004.fsp0rm3wehw0k8@.mailhost.wsf.at>

Next in thread | Raw E-Mail | Index | Archive | Help

JJB <Barbish3@adelphia.net> schrieb:

> Where do you get off calling my questioning of Luigi Rizzo's answer
> as an attack.
> I have heard that party line statement all to often over that last 4
> years, with no backup proof. That party line canned answer may be
> sufficient for the original thread poster who has not invested the
> time yet to come to the realization that it doe's not work.
> My post to the tread was meant to bring this problem out so the
> experts can look into it and take corrective actions.

This should work although some features are missing
(loopback, anti-spoofing, identd..):

#!/bin/sh
log="log"
cmd="ipfw add"
allow="skipto 10000"
oif=rl0
good_tcp="22,25,53,80,443,110"
good_udp="53"
good_icmp="icmptypes 0,3,8,11,12"
ipfw -f flush

$cmd 100 divert natd ip from any to any in via $oif
$cmd 105 check-state
$cmd 110 $allow icmp from any to any $good_icmp
$cmd 120 $allow udp from any to any $good_udp out keep-state
$cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
$cmd 140 deny $log ip from any to any
$cmd 10000 divert natd ip from any to any out via $oif
$cmd 10010 allow ip from any to any
$cmd 10020 deny ip from any to any


Thomas

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20040603090004.fsp0rm3wehw0k8>