Date:      Thu, 3 Jun 2004 07:00:04 -0000
From:      Thomas Wolf <>
Subject:   RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Message-ID:  <>

JJB <> wrote:

> Where do you get off calling my questioning of Luigi Rizzo's answer
> an attack?
> I have heard that party line statement all too often over the last 4
> years, with no backup proof. That party line canned answer may be
> sufficient for the original thread poster who has not invested the
> time yet to come to the realization that it does not work.
> My post to the thread was meant to bring this problem out so the
> experts can look into it and take corrective actions.

This should work, although some features are missing
(loopback, anti-spoofing, identd, ...):

# Variables the script uses but did not define; the values here are
# example placeholders, not part of the original post (adjust for the host).
oif="fxp0"                     # outside interface that natd is attached to
good_udp="dst-port 53,123"     # UDP services the inside may reach
good_tcp="dst-port 22,80,443"  # TCP services the inside may reach
log="log"                      # set to "" to silence the final deny rule

cmd="ipfw add"
allow="skipto 10000"
good_icmp="icmptypes 0,3,8,11,12"
ipfw -f flush

# Inbound on $oif: translate back to the inside address first, so that
# check-state can match the dynamic rule the outbound packet created.
$cmd 100 divert natd ip from any to any in via $oif
$cmd 105 check-state
$cmd 110 $allow icmp from any to any $good_icmp
$cmd 120 $allow udp from any to any $good_udp out keep-state
$cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
$cmd 140 deny $log ip from any to any
# Outbound: the state entry above holds the inside address; translate now.
$cmd 10000 divert natd ip from any to any out via $oif
$cmd 10010 allow ip from any to any
$cmd 10020 deny ip from any to any


Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
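
The ordering question behind this thread, shown as an added Python model of the packet walk through the ruleset above (an illustration written for this page, not code from the post or from ipfw; the addresses, ports, the port natd picks and the reduced rule set are assumptions). It walks an outbound SYN, the server's reply and an unsolicited inbound SYN through the posted order and through a variant with the inbound divert placed after check-state.

```python
"""Packet-walk model of the ipfw + natd ruleset from the post (added example,
not ipfw itself). Rules are (number, direction or None, action); addresses,
ports and the port natd picks are constructed sample values."""
PUBLIC = "203.0.113.1"   # assumed address of the outside interface ($oif)

def walk(rules, pkt, state, nat):
    """Return 'allow' or 'deny' for pkt; state/nat are updated like the kernel's tables."""
    pkt, nums, idx = dict(pkt), [r[0] for r in rules], 0
    while idx < len(rules):
        _num, direction, action = rules[idx]
        idx += 1
        if direction and direction != pkt["dir"]:
            continue
        if action == "divert":            # natd rewrites, then ipfw resumes at the next rule
            if pkt["dir"] == "out":
                nport = 40000 + len(nat)
                nat[(PUBLIC, nport)] = (pkt["src"], pkt["sport"])
                pkt["src"], pkt["sport"] = PUBLIC, nport
            elif (pkt["dst"], pkt["dport"]) in nat:
                pkt["dst"], pkt["dport"] = nat[(pkt["dst"], pkt["dport"])]
        elif action == "check-state":     # dynamic rule fires its parent's skipto 10000
            if (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]) in state:
                idx = nums.index(10000)
        elif action == "keep-state":      # record the flow with the *inside* address
            state.add((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
            idx = nums.index(10000)
        elif action in ("allow", "deny"):
            return action
    return "deny"

POSTED = [(100, "in", "divert"), (105, None, "check-state"), (130, "out", "keep-state"),
          (140, None, "deny"), (10000, "out", "divert"), (10010, None, "allow")]
# Same rules with the inbound divert moved after check-state (the ordering that fails).
SWAPPED = [(105, None, "check-state"), (106, "in", "divert")] + POSTED[2:]

def session(rules):
    """Outbound SYN from a LAN host, the server's reply, then an unsolicited inbound SYN."""
    state, nat = set(), {}
    syn = {"dir": "out", "src": "192.168.1.10", "sport": 50000, "dst": "198.51.100.7", "dport": 80}
    v_out = walk(rules, syn, state, nat)
    pub, nport = next(iter(nat))                # the translation natd created for the SYN
    reply = {"dir": "in", "src": "198.51.100.7", "sport": 80, "dst": pub, "dport": nport}
    probe = {"dir": "in", "src": "198.51.100.9", "sport": 4444, "dst": pub, "dport": 22}
    return v_out, walk(rules, reply, state, nat), walk(rules, probe, state, nat)

if __name__ == "__main__":
    print("posted ordering:", session(POSTED))            # ('allow', 'allow', 'deny')
    print("divert after check-state:", session(SWAPPED))  # ('allow', 'deny', 'deny')
```

With the divert before check-state the reply is translated back to the inside address and matches the dynamic rule; with it after, check-state sees the public address, finds no state, and the reply falls through to the deny rule.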