From owner-freebsd-ipfw Sat Aug 3 12:21:16 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4288037B400 for ; Sat, 3 Aug 2002 12:21:13 -0700 (PDT)
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by mx1.FreeBSD.org (Postfix) with SMTP id 8D30143E3B for ; Sat, 3 Aug 2002 12:21:01 -0700 (PDT) (envelope-from kudzu@tenebras.com)
Received: (qmail 15672 invoked from network); 3 Aug 2002 19:21:00 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 3 Aug 2002 19:21:00 -0000
Message-ID: <3D4C2D1C.5020900@tenebras.com>
Date: Sat, 03 Aug 2002 12:21:00 -0700
From: Michael Sierchio
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020717
X-Accept-Language: en-us, en, fr-fr, ru
MIME-Version: 1.0
To: barbish@a1poweruser.com
Cc: "Crist J. Clark" , FBIPFW , archie@whistle.com, cmott@scientech.com, perhaps@yes.no, suutari@iki.fi, dnelson@redwoodsoft.com, brian@awfulhak.org, ru@FreeBSD.org, rizzo@icir.org
Subject: Re: natd & keep-state
References:
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Joe & Fhe Barbish wrote:

> So Crist we meet again.

[scads of drivel deleted]

As Crist stated, ipfw stateful rules and natd aren't inherently compatible, but it is possible to use them together. This is facilitated by using at least two IP addresses on the outside interface, and some non-intuitive rules.
A brief snippet:

#
fw="/sbin/ipfw -q"
ipaddr1="145.X.X.12"
ipaddr2="145.X.X.14"

# some rules skipped for this example

# note the asymmetry
$fw add 02000 divert natd ip from any to $ipaddr2 in recv $oif
$fw add 02000 divert natd ip from any to any out xmit $oif

$fw add 02400 check-state
$fw add 02500 allow icmp from any to any icmptype 0,3,8,11

# natd is invoked with 'deny_incoming'
$fw add 02620 allow ip from $ipaddr2 to any
$fw add 02630 allow ip from any to $ipaddr2

$fw add 05800 allow udp from $ipaddr1 to any keep-state
$fw add 05900 allow tcp from $ipaddr1 to any setup keep-state

$fw add 65000 deny ip from any to any

~

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
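The following is an added illustration, not code from Michael Sierchio's message or from FreeBSD: a small Python model of how a packet walks the numbered rules in the snippet above. It exists to make the asymmetry visible: the inbound divert applies only to $ipaddr2, so a reply addressed to $ipaddr1 reaches check-state untouched and is matched by the dynamic rule that the outbound "setup keep-state" rule created, while unsolicited traffic to $ipaddr2 is handed to natd and dropped by deny_incoming. The addresses, the remote host, and the natd behaviour are assumptions: natd is reduced to a session table with deny_incoming semantics (its address rewriting and the rules the author skipped are left out), and traffic from $ipaddr1 is assumed to pass through natd unchanged, which is what the keep-state rule on $ipaddr1 relies on.

```python
"""Toy model of the ipfw rule ordering in the ruleset above.

Added example (not part of the original message). It models how a packet
walks the numbered rules: the inbound divert only applies to IPADDR2, so
replies to IPADDR1 reach check-state untranslated, while natd's
deny_incoming drops unsolicited traffic to IPADDR2. natd's actual address
rewriting and the rules the author skipped are deliberately left out.
"""
from dataclasses import dataclass

# Constructed stand-ins for the 145.X.X.12 / 145.X.X.14 placeholders.
IPADDR1 = "145.0.0.12"
IPADDR2 = "145.0.0.14"


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int
    dport: int
    direction: str        # "in" (recv $oif) or "out" (xmit $oif)
    setup: bool = False   # ipfw "setup": SYN set, ACK clear
    icmptype: int = -1


class Firewall:
    def __init__(self):
        self.dynamic = set()       # keep-state entries, one per 5-tuple
        self.nat_sessions = set()  # natd sessions (assumption: no rewriting modelled)

    def natd(self, pkt):
        """Simplified natd: 'deny_incoming' drops inbound packets without a session."""
        if pkt.direction == "in":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dport)
            return pkt if key in self.nat_sessions else None
        if pkt.src == IPADDR2:
            self.nat_sessions.add((pkt.proto, pkt.dst, pkt.dport, pkt.sport))
        return pkt

    def evaluate(self, pkt):
        # 02000 divert natd ip from any to $ipaddr2 in recv $oif
        if pkt.direction == "in" and pkt.dst == IPADDR2:
            pkt = self.natd(pkt)
            if pkt is None:
                return "dropped by natd deny_incoming"
        # 02000 divert natd ip from any to any out xmit $oif
        if pkt.direction == "out":
            pkt = self.natd(pkt)
        # 02400 check-state: dynamic rules match both directions of a flow
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.dynamic or rev in self.dynamic:
            return "allow 02400 check-state"
        # 02500 allow icmp from any to any icmptype 0,3,8,11
        if pkt.proto == "icmp" and pkt.icmptype in (0, 3, 8, 11):
            return "allow 02500"
        # 02620 / 02630: natd-side traffic, stateless as far as ipfw is concerned
        if pkt.src == IPADDR2:
            return "allow 02620"
        if pkt.dst == IPADDR2:
            return "allow 02630"
        # 05800 allow udp from $ipaddr1 to any keep-state
        if pkt.proto == "udp" and pkt.src == IPADDR1:
            self.dynamic.add(fwd)
            return "allow 05800 keep-state"
        # 05900 allow tcp from $ipaddr1 to any setup keep-state
        if pkt.proto == "tcp" and pkt.src == IPADDR1 and pkt.setup:
            self.dynamic.add(fwd)
            return "allow 05900 keep-state"
        # 65000 deny ip from any to any
        return "deny 65000"


def demo():
    """Walk a few constructed packets through the ruleset and collect verdicts."""
    fw = Firewall()
    remote = "198.51.100.7"   # constructed remote host
    results = {}
    # outbound SYN from IPADDR1 creates a dynamic rule
    results["syn_out"] = fw.evaluate(Packet("tcp", IPADDR1, remote, 40000, 80, "out", setup=True))
    # the reply to IPADDR1 is not diverted and is matched by check-state
    results["reply_in"] = fw.evaluate(Packet("tcp", remote, IPADDR1, 80, 40000, "in"))
    # unsolicited inbound TCP to IPADDR1 falls through to the final deny
    results["unsolicited_1"] = fw.evaluate(Packet("tcp", remote, IPADDR1, 5555, 22, "in", setup=True))
    # unsolicited inbound TCP to IPADDR2 is diverted and dropped by natd
    results["unsolicited_2"] = fw.evaluate(Packet("tcp", remote, IPADDR2, 5555, 22, "in", setup=True))
    # outbound non-SYN TCP from IPADDR1 with no prior state is denied ('setup' matters)
    results["out_no_setup"] = fw.evaluate(Packet("tcp", IPADDR1, remote, 40001, 80, "out"))
    # inbound echo request to IPADDR1 is allowed by the icmptype rule
    results["ping_in"] = fw.evaluate(Packet("icmp", remote, IPADDR1, 0, 0, "in", icmptype=8))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

The point the model makes is about ordering: because the outbound divert at 02000 runs before 05900, keep-state only ever sees the untranslated source address, so whatever natd would do to $ipaddr1 traffic decides whether a dynamic rule is created at all; and because the inbound divert is restricted to $ipaddr2, the return packet for $ipaddr1 reaches check-state without natd in the path. Anything the model returns as "deny 65000" or "dropped by natd deny_incoming" is the traffic the two mechanisms independently refuse.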