Date:      06 Dec 2002 01:41:47 +0800
From:      Khairil Yusof <kaeru@pd.jaring.my>
To:        questions@FreeBSD.org
Subject:   natd + ipfw2 + dynamic rules
Message-ID:  <1039109643.451.46.camel@daemon>


I just tracked down that having the line:

add divert natd all from any to any via tun0

no longer works (it used to work with ipfw). The man page says this:

According to man, packets diverted to userland and reinserted lose their
attributes.

The following rules work:

allow icmp from any to any
allow udp from any to 161.142.1.17 53 via tun0
allow udp from 161.142.1.17 53 to any via tun0

But stateful rules like below don't:

add allow tcp from any to any out xmit tun0 setup
add allow tcp from any to any via tun0 established
add allow udp from any to 61.6.32.62 123 keep-state

So, does this mean that a tcp packet going out sets up a dynamic rule
before going out via natd, but coming in it is diverted via natd,
loses some info about state, and doesn't get passed through any rules?

For the tcp dynamic rules,
10 packets get diverted by natd rule
5 packets match the tcp rule via tun0 setup
0 packets are denied by the last deny all rule.

What happened to the packets that are supposed to be coming in via the
setup rule?

What's the proper way to do natd with ipfw2?

So far, it's the only problem with my recent testing of current :(. As a
relative newbie, updating from src was painless.

So it looks like it will be a pretty smooth upgrade for FreeBSD 5.0.
It's amazing how well the FreeBSD team does things.

Any help much appreciated as always.

-- 
Khairil Yusof <kaeru@pd.jaring.my>
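As an added illustration (not part of the original mail, and not FreeBSD or ipfw code), the toy model below walks a packet through two rule orderings to show why a keep-state rule placed after a divert-both-directions natd rule cannot match the translated reply, while the ordering the FreeBSD Handbook uses (inbound divert before check-state, state recorded on the untranslated outbound packet, then skipto the outbound divert) matches both directions. The addresses, ports and rule sets are constructed; it models only standard ipfw semantics (a reinjected packet continues at the rule after the divert, keep-state records the addresses as the packet looks at that moment, check-state acts as the rule that created the state) and does not model the attribute loss that ipfw(8) warns about for reinjected packets, nor the tcp setup/established rules from the question.

```python
"""Toy model of ipfw rule evaluation around a natd divert rule (added example).
Modelled: reinjection continues after the divert rule; keep-state stores the
packet's addresses as seen at the rule; check-state matches a reply by its
reversed 4-tuple and performs the action of the rule that created the state.
Not modelled: the interface-attribute loss noted in ipfw(8)."""
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.5"     # constructed (RFC 5737 documentation range)
PRIVATE_IP = "192.168.1.10"   # constructed LAN host behind natd
NTP_SERVER = "198.51.100.9"   # constructed remote server

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" or "in" on the external interface

def natd(pkt, table):
    """Simulate natd's rewriting of a diverted packet."""
    if pkt.direction == "out" and pkt.src == PRIVATE_IP:
        table[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
        return replace(pkt, src=PUBLIC_IP)
    if pkt.direction == "in" and pkt.dst == PUBLIC_IP:
        inside = table.get((pkt.src, pkt.sport, pkt.dport))
        if inside is not None:
            return replace(pkt, dst=inside)
    return pkt

def always(pkt):
    return True

class Ipfw:
    """Rule walker.  A rule is a dict: 'action' (divert, check-state, allow,
    deny, skipto), optional 'match', 'keep_state' and 'target' (0-based)."""
    def __init__(self, rules):
        self.rules = rules
        self.state = {}       # (proto, src, sport, dst, dport) -> creating rule index
        self.nat_table = {}

    @staticmethod
    def _key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def run(self, pkt):
        i = 0
        while i < len(self.rules):
            rule = self.rules[i]
            if rule["action"] == "check-state":
                parent = self.state.get(self._key(pkt), self.state.get(self._reverse(pkt)))
                if parent is None:
                    i += 1
                    continue
                rule = self.rules[parent]        # act as the rule that created the state
            else:
                if not rule.get("match", always)(pkt):
                    i += 1
                    continue
                if rule.get("keep_state"):
                    self.state[self._key(pkt)] = i
            if rule["action"] == "divert":
                pkt = natd(pkt, self.nat_table)  # reinjected: continue at the next rule
                i += 1
            elif rule["action"] == "skipto":
                i = rule["target"]
            else:
                return rule["action"]            # "allow" or "deny"
        return "deny"

def is_ntp_out(p):
    return p.proto == "udp" and p.dport == 123 and p.direction == "out"

# Ordering from the question: one divert rule for both directions, then the
# stateful rule.  State is recorded with the already-translated public source,
# so the translated reply can never match it.
DIVERT_FIRST = [
    {"action": "divert", "match": always},
    {"action": "check-state"},
    {"action": "allow", "match": is_ntp_out, "keep_state": True},
    {"action": "deny", "match": always},
]

# Handbook-style ordering: translate inbound packets before check-state, record
# state on the untranslated outbound packet, then skipto the outbound divert
# rule so the packet is still translated on its way out.
NAT_AROUND_STATE = [
    {"action": "divert", "match": lambda p: p.direction == "in"},               # 0
    {"action": "check-state"},                                                   # 1
    {"action": "skipto", "match": is_ntp_out, "keep_state": True, "target": 4},  # 2
    {"action": "deny", "match": always},                                         # 3
    {"action": "divert", "match": lambda p: p.direction == "out"},              # 4
    {"action": "allow", "match": always},                                        # 5
]

def udp_exchange(fw):
    """Outbound NTP query from the LAN host, then the server's reply."""
    query = Packet("udp", PRIVATE_IP, 40000, NTP_SERVER, 123, "out")
    reply = Packet("udp", NTP_SERVER, 123, PUBLIC_IP, 40000, "in")
    return fw.run(query), fw.run(reply)

if __name__ == "__main__":
    print("divert first:", udp_exchange(Ipfw(DIVERT_FIRST)))          # ('allow', 'deny')
    print("nat around state:", udp_exchange(Ipfw(NAT_AROUND_STATE)))  # ('allow', 'allow')
```

The point the model makes is that a dynamic rule is keyed on whatever addresses the packet carries when keep-state fires: if natd has already rewritten the source, the state names the public address, and the reply, which natd has rewritten back to the private host before check-state sees it, is a different 4-tuple and falls through to the deny rule. Keeping the outbound state check ahead of the outbound divert, and the inbound divert ahead of check-state, makes both directions see the same (private) addresses.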



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1039109643.451.46.camel>