From owner-freebsd-ipfw Mon Jul 29 15:32:20 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8123737B400 for ; Mon, 29 Jul 2002 15:32:17 -0700 (PDT)
Received: from xy.blank.spb.ru (xy.blank.spb.ru [194.67.6.187]) by mx1.FreeBSD.org (Postfix) with ESMTP id 668EB43E31 for ; Mon, 29 Jul 2002 15:32:16 -0700 (PDT) (envelope-from borman@blank.spb.ru)
Received: from xy.blank.spb.ru (localhost.blank.spb.ru [127.0.0.1]) by xy.blank.spb.ru (8.12.3/8.12.3/blank) with ESMTP id g6TMWEKj001830; Tue, 30 Jul 2002 02:32:14 +0400 (MSD) (envelope-from borman@xy.blank.spb.ru)
Received: (from borman@localhost) by xy.blank.spb.ru (8.12.3/8.12.3/Submit) id g6TMWEeF001829; Tue, 30 Jul 2002 02:32:14 +0400 (MSD)
Date: Tue, 30 Jul 2002 02:32:14 +0400
From: boris karlov
To: Philip Reynolds
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: 4.6-RELEASE / NATD + IPFW + keep-state
Message-ID: <20020729223214.GB1488@xy.blank.spb.ru>
Mail-Followup-To: Philip Reynolds, freebsd-ipfw@FreeBSD.ORG
References: <20020729144758.A11849@rfc-networks.ie>
Mime-Version: 1.0
Content-Type: text/plain; charset=koi8-r
Content-Disposition: inline
In-Reply-To: <20020729144758.A11849@rfc-networks.ie>
User-Agent: Mutt/1.4i
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Mon, 29 Jul 2002 14:47:58 +0000, Philip Reynolds wrote:
>
> divert 8668 ip from any to any

-- mb, divert 8668 ip from any to any via xl0?

> check-state
> allow ip from 10.0.1.0/24 to 10.0.1.0/24 via xl1
> allow tcp from any to not 10.0.1.0/24 22 keep-state setup
> deny ip from any to any
>
> Once a connection is made to the machine, ``ipfw -d list'' brings up
> the following in its dynamic ruleset.
>
> 00100 11 726 (T 19, slot 137) <-> tcp, 10.0.0.1 3245<-> 10.0.0.10 22
> 00100 33 3958 (T 299, slot 179) <-> tcp, 10.0.1.2 3245<-> 10.0.0.10 22

-- IMHO: these packets are processed twice by ipfw(8), as are packets routed by the host (acting as a gateway) (see ipfw(8), `IMPLEMENTATION NOTES' section). You should alias only outgoing packets before next-hop forwarding, but not incoming ones after reception on an IP interface (see divert(4), `READING PACKETS' section).

>
> Is what's happening OK? Is there a different way I could order/write
> the ruleset to have some "normal" stateful connections.
> i.e.
>
> Packet comes in on inside interface.
> Packet matches access rule with keep-state option and gets added to
> dynamic ruleset
> Packet NAT'd

-- it seems you forgot `Packet comes out from outside interface and gets NATed too' here.

>
> Packet comes in on outside interface
> Packet gets NAT'd
> Packet matches check-state rule

regards,
boris karlov.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
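The point of the reply above, that a forwarded packet passes through the ruleset twice and that `keep-state` records whatever addresses the packet carries at that moment, can be checked with a small model. The following Python is an added illustration written for this page; it is not ipfw or natd code and nobody in the thread posted it. Its simplifying assumptions are stated in the comments: a `divert` rule hands the packet to a toy `natd` that rewrites only the source address of inside traffic leaving the outside interface and then resumes matching at the next rule, dynamic rules are keyed on addresses and ports only, and only the initial SSH SYN from 10.0.1.2 is traced. The interface names, networks and addresses are the ones quoted in the thread; the aliasing address 10.0.0.1 is taken from the dynamic listing.

```python
# Toy model of the ipfw + natd + keep-state interaction discussed in the thread.
# Added illustration, not ipfw or natd code. Assumptions: a packet the host
# forwards is evaluated against the ruleset twice (inbound on the receiving
# interface, then outbound on the sending interface); a matching `divert` rule
# hands the packet to natd, which aliases the source of inside traffic leaving
# the outside interface and leaves everything else untouched, after which
# matching resumes at the next rule; `keep-state` records the packet's
# addresses as they are at that moment; `check-state` looks that record up.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

OUTSIDE_IF = "xl0"
INSIDE_IF = "xl1"
INSIDE_NET = ip_network("10.0.1.0/24")   # from the ruleset quoted in the thread
ALIAS_ADDR = "10.0.0.1"                   # natd's aliasing address, taken from the dynamic listing


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True


def flow_key(pkt):
    """Key under which a dynamic rule is stored; direction-insensitive like ipfw's."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def natd(pkt, direction, iface):
    """Model of natd: alias the source of inside traffic leaving the outside interface."""
    if direction == "out" and iface == OUTSIDE_IF and ip_address(pkt.src) in INSIDE_NET:
        return replace(pkt, src=ALIAS_ADDR)
    return pkt


def run_pass(rules, pkt, direction, iface, dyn):
    """One traversal of the ruleset. Returns (action, packet as it leaves the ruleset)."""
    for rule in rules:
        if rule.get("via") not in (None, iface):   # `via xlN` restricts the rule to that interface
            continue
        kind = rule["kind"]
        if kind == "divert":
            pkt = natd(pkt, direction, iface)       # resume at the next rule with the rewritten packet
        elif kind == "check-state":
            if flow_key(pkt) in dyn:
                return "allow", pkt
        elif kind == "allow":
            if rule["match"](pkt):
                if rule.get("keep_state"):
                    dyn[flow_key(pkt)] = pkt.src    # remember which source address got recorded
                return "allow", pkt
        elif kind == "deny":
            return "deny", pkt
    return "deny", pkt                              # default deny when nothing matches


def forward(rules, pkt, in_if, out_if, dyn):
    """A forwarded packet is evaluated twice: inbound on in_if, then outbound on out_if."""
    action, pkt = run_pass(rules, pkt, "in", in_if, dyn)
    if action != "allow":
        return action, pkt
    return run_pass(rules, pkt, "out", out_if, dyn)


def page_ruleset():
    """The five rules quoted in the thread, in the same order."""
    def inside(addr):
        return ip_address(addr) in INSIDE_NET
    return [
        {"kind": "divert"},                                    # divert 8668 ip from any to any
        {"kind": "check-state"},                               # check-state
        {"kind": "allow", "via": INSIDE_IF,                    # allow ip from 10.0.1.0/24 to 10.0.1.0/24 via xl1
         "match": lambda p: inside(p.src) and inside(p.dst)},
        {"kind": "allow", "keep_state": True,                  # allow tcp from any to not 10.0.1.0/24 22 keep-state setup
         "match": lambda p: p.syn and p.dport == 22 and not inside(p.dst)},
        {"kind": "deny"},                                      # deny ip from any to any
    ]


def dynamic_sources_after_ssh_syn(rules=None):
    """Push one SSH SYN from 10.0.1.2 through the box; report the verdict and the
    source addresses of the dynamic entries it left behind."""
    dyn = {}
    syn = Packet("10.0.1.2", 3245, "10.0.0.10", 22)   # constructed from the listing in the thread
    action, _ = forward(rules or page_ruleset(), syn, INSIDE_IF, OUTSIDE_IF, dyn)
    return action, sorted(dyn.values())


if __name__ == "__main__":
    # Expected: allow ['10.0.0.1', '10.0.1.2'], one entry per pass, pre- and post-NAT,
    # mirroring the two lines of `ipfw -d list` quoted in the thread.
    print(*dynamic_sources_after_ssh_syn())
```

The first pass (inbound on xl1) reaches the `keep-state` rule with the packet still sourced from 10.0.1.2; the second pass (outbound on xl0) goes through the divert first, so `check-state` is asked about a 10.0.0.1 flow it has never seen, and the same `keep-state` rule fires again and records the aliased address. `dynamic_sources_after_ssh_syn` takes an alternative rule list, so a reordered or `via`-restricted ruleset can be fed through the same model before it is tried on a real box.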