Date: Fri, 15 Feb 2002 16:03:16 -0700
From: "Aaron D. Gifford" <agifford@infowest.com>
To: freebsd-net@freebsd.org
Cc: drwilco@drwilco.net
Subject: Re: Bug in stateful code?
Message-ID: <20020215230316.B0CB52159D@ns1.infowest.com>
"Rogier R. Mulhuijzen" (drwilco@drwilco.net) was heard to say:
>>>the reply was that keep-state and natd are very hard to use
>>>together, and besides it is rather useless because natd is stateful
>>>by itself.
>>natd is stateful, but provides no protection for inbound IP traffic
>>that is destined for the filtering host itself.
>
>I have personally looked at natd & stateful ipfw rules, and have concluded
>that it is logically impossible to get it to work.
>
>Thus I made an ipfw rulelist that utilizes the statefulness of natd. I hope
>this helps you in making your own rulelist.
>

Actually you CAN use both together, but there's really no reason to do so.
One would be duplicating things, since NAT is effectively a stateful filter
of sorts. One just has to think things through very carefully, following
the flow of packets through the ruleset.

My own ruleset I use at home shares some similarities with your set, Rogier.
For NAT traffic, I don't use stateful rules -- I let NAT track the state,
but for traffic to/from my gateway host, I still use stateful rules. But,
the way my ruleset is written, I could drop stateful rules in for the NAT
traffic without a hitch. But it would be wasted duplication of effort for
the most part.

Aaron out.
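As an added illustration of the split described in this message (this is not a ruleset from the thread or from either poster), assuming a FreeBSD gateway with xl0 outside, xl1 inside and 192.168.1.0/24 behind it: the gateway's own traffic gets keep-state rules placed ahead of the divert rule, so only its packets create dynamic rules, while forwarded LAN traffic relies on natd's own session tracking and plain static allows.

```shell
#!/bin/sh
# Illustrative ipfw ruleset (not from the thread): natd keeps the state for
# forwarded LAN traffic, keep-state/check-state protects the gateway itself.
# Interface names and the LAN prefix are assumed values.
EXT_IF=xl0
INT_IF=xl1
LAN_NET=192.168.1.0/24

build_ruleset() {
    fw=${1:-ipfw}           # command to run; pass "echo" for a dry run
    $fw -f flush
    $fw add 100 allow ip from any to any via lo0
    $fw add 200 deny ip from any to 127.0.0.0/8
    # Dynamic rules first: return packets of the gateway's own sessions, and
    # later packets of those sessions on the way out, match here.
    $fw add 300 check-state
    # Anti-spoofing: nothing claiming a LAN source may arrive from outside.
    $fw add 400 deny ip from $LAN_NET to any in via $EXT_IF
    # Gateway-originated traffic, placed BEFORE the divert rule: on the
    # outbound pass only the gateway's own packets carry "me" as source at
    # this point, so these are the only packets that create dynamic rules.
    $fw add 500 allow tcp from me to any out via $EXT_IF setup keep-state
    $fw add 510 allow udp from me to any out via $EXT_IF keep-state
    $fw add 520 allow icmp from me to any out via $EXT_IF
    # LAN traffic (and everything inbound) goes through natd. Outbound
    # packets come back with the gateway's address as source; inbound
    # packets that match a natd mapping come back addressed to a LAN host,
    # those without a mapping are unchanged and still addressed to "me".
    $fw add 600 divert natd ip from any to any via $EXT_IF
    # Forwarded traffic after translation: natd already tracked the
    # session, so plain static allows are enough here.
    $fw add 700 allow ip from me to any out via $EXT_IF
    $fw add 710 allow ip from any to $LAN_NET in via $EXT_IF
    $fw add 720 allow ip from $LAN_NET to any in via $INT_IF
    $fw add 730 allow ip from any to $LAN_NET out via $INT_IF
    # ICMP the gateway needs to hear (echo reply, unreachable, time exceeded)
    $fw add 800 allow icmp from any to me in via $EXT_IF icmptypes 0,3,11
    # Untranslated inbound traffic aimed at the gateway: natd gives no
    # protection here, the dynamic rules above are the only way in.
    $fw add 900 deny log ip from any to me in via $EXT_IF
    $fw add 65000 deny log ip from any to any
}

# Dry run by default; run as root with IPFW=ipfw to load the rules.
build_ruleset "${IPFW:-echo}"
```

Moving the keep-state rules after the divert rule instead would make translated LAN packets (source rewritten to the gateway's address) match them too, which is exactly the duplicated state tracking the message refers to.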