From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 3 00:03:13 2004
Date: Thu, 3 Jun 2004 07:00:04 -0000
From: Thomas Wolf <tw@wsf.at>
To: Barbish3@adelphia.net, freebsd-ipfw@freebsd.org
Subject: RE: does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
List-Id: IPFW Technical Discussions

JJB wrote:
> Where do you get off calling my questioning of Luigi Rizzo's answer
> as an attack.
> I have heard that party line statement all too often over the last 4
> years, with no backup proof. That party line canned answer may be
> sufficient for the original thread poster who has not invested the
> time yet to come to the realization that it does not work.
> My post to the thread was meant to bring this problem out so the
> experts can look into it and take corrective actions.
This should work, although some features are missing (loopback, anti-spoofing, identd, ...):

#!/bin/sh
log="log"
cmd="ipfw add"
allow="skipto 10000"
oif=rl0
good_tcp="22,25,53,80,443,110"
good_udp="53"
good_icmp="icmptypes 0,3,8,11,12"

ipfw -f flush
# Inbound packets are translated by natd before any stateful check,
# so check-state sees the internal addresses on both legs.
$cmd 100 divert natd ip from any to any in via $oif
$cmd 105 check-state
# Permitted outbound traffic creates dynamic rules, then jumps to the
# outbound divert at 10000 (state is keyed on the untranslated addresses).
$cmd 110 $allow icmp from any to any $good_icmp
$cmd 120 $allow udp from any to any $good_udp out keep-state
$cmd 130 $allow tcp from any to any $good_tcp out setup keep-state
$cmd 140 deny $log ip from any to any
# Outbound NAT happens only after the packet has passed the policy above.
$cmd 10000 divert natd ip from any to any out via $oif
$cmd 10010 allow ip from any to any
$cmd 10020 deny ip from any to any

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
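As an added illustration (not part of the thread, and not FreeBSD's ipfw or natd), the following Python model walks a packet through the rule order of the script above: outbound packets create dynamic state on the untranslated LAN addresses before the skipto to the natd divert, and inbound packets are translated by natd before check-state, so the same state entry matches both legs. The public address, port allocation scheme and packet tuples are constructed for the example.

```python
EXT_IP = "203.0.113.5"          # constructed public address on rl0
GOOD_TCP = {22, 25, 53, 80, 443, 110}
GOOD_UDP = {53}


class Box:
    """Gateway state: ipfw dynamic rules plus the natd translation table."""

    def __init__(self):
        self.state = set()       # (proto, src, sport, dst, dport) from keep-state
        self.nat = {}            # natd table: (lan_ip, lan_port) -> ext_port
        self.next_port = 40000   # constructed: natd allocates ports from here

    def check_state(self, pkt):
        """Rule 105: a dynamic rule matches its flow in either direction."""
        proto, src, sport, dst, dport, _ = pkt
        return ((proto, src, sport, dst, dport) in self.state
                or (proto, dst, dport, src, sport) in self.state)

    def nat_out(self, pkt):
        """Rule 10000: rewrite the LAN source to EXT_IP:ext_port."""
        proto, src, sport, dst, dport, syn = pkt
        if (src, sport) not in self.nat:          # first packet of a new flow
            self.nat[(src, sport)], self.next_port = self.next_port, self.next_port + 1
        return (proto, EXT_IP, self.nat[(src, sport)], dst, dport, syn)

    def nat_in(self, pkt):
        """Rule 100: translate before check-state; unknown flows pass unchanged."""
        proto, src, sport, dst, dport, syn = pkt
        for (lan_ip, lan_port), ext_port in self.nat.items():
            if dst == EXT_IP and dport == ext_port:
                return (proto, src, sport, lan_ip, lan_port, syn)
        return pkt


def outbound(box, pkt):
    """Outbound: 105, then 120/130 keep-state, 140 deny, and only then 10000."""
    proto, _, _, _, dport, syn = pkt
    if box.check_state(pkt):                                 # 105 check-state
        return "allow", box.nat_out(pkt)
    if (proto == "udp" and dport in GOOD_UDP) or \
       (proto == "tcp" and dport in GOOD_TCP and syn):       # 120 / 130 setup
        box.state.add(pkt[:5])                               # keep-state
        return "allow", box.nat_out(pkt)
    return "deny", None                                      # 140 deny


def inbound(box, pkt):
    """Inbound: 100 divert natd, then 105 check-state, otherwise 140 deny."""
    return "allow" if box.check_state(box.nat_in(pkt)) else "deny"
```

Return values are (verdict, packet as it leaves rl0) for outbound and the verdict for inbound; an unsolicited inbound packet to an unmapped port is passed through natd unchanged, finds no state, and is denied.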