Date:      Mon, 29 Jul 2002 14:47:58 +0000
From:      Philip Reynolds <>
Subject:   4.6-RELEASE / NATD + IPFW + keep-state
Message-ID:  <>


I'm having a few problems with using natd and ipfw.

Originally, I was having serious serious problems trying to get
stateful firewalling working with NAT. 

Currently my setup is the following:

Public Interface: xl0
Interface address:
Subnet mask:

Private interface: xl1
Interface Address:
Subnet mask:

I am doing NAT on anything going out through xl0 from
However, I want a default DENY policy, with a few stateful rules to
allow ssh, http-proxy and smtp (just common examples, I have plenty
more contrived wishes once this is up and working).

    divert 8668 ip from any to any
    allow ip from to via xl1
    allow tcp from any to not 22 keep-state setup
    deny ip from any to any

After quite a lot of painful testing, I came up with the above:

1. NAT everything going through xl0 (this can be refined later)
2. check the state of the packet.
3. allow stuff through on the inside interface, from a machine on the
inside network to another machine on the inside network.
4. allow a setup packet (SYN but no ACK) from a machine on the inside
network to a machine on the outside network (to a port of 22), and
keep its state.
5. Deny everything else

This works, but not the way it should, as I'll explain below.

Once a connection is made to the machine, ``ipfw -d list'' brings up
the following in its dynamic ruleset.

00100 11 726 (T 19, slot 137) <-> tcp, 3245<->
00100 33 3958 (T 299, slot 179) <-> tcp, 3245<->

There are two connections showing and the first is actually a SYN
packet, while the second is an ACK. How it's obvious (at least to
me) is the value beside the T (i.e. the timeout value). The first
counts down from 20, the second from 300 (the default values of
net.inet.ip.fw.dyn_syn_lifetime and net.inet.ip.fw.dyn_ack_lifetime).

Basically, in ssh-like connections, this means pumping up
net.inet.ip.fw.dyn_ack_lifetime _AND_
net.inet.ip.fw.dyn_syn_lifetime, which I'm a little wary of.

Is what's happening OK? Is there a different way I could order/write
the ruleset to have some "normal" stateful connections?

Packet comes in on inside interface.
Packet matches access rule with keep-state option and gets added to
dynamic ruleset
Packet NAT'd

Packet comes in on outside interface
Packet gets NAT'd
Packet matches check-state rule 

If anyone has any light to shed on the subject I would be very
grateful. I've spent the last 2 hours or so digging up material
(there's not a whole lot) on ipfw/nat/stateful firewalling,
searching the archives etc. but nothing that will explain the above
behaviour or give me a working alternative.

Philip Reynolds                  | Technical Director  | RFC Networks Ltd.       | +353 (0)1 8832063
