Date: Thu, 24 Jul 2003 13:50:41 -0700
From: Michael Sierchio <kudzu@tenebras.com>
To: Sean Chittenden <seanc@FreeBSD.org>
Cc: ipfw@FreeBSD.org
Subject: Re: Dynamic rules not being matched after divert...
Message-ID: <3F2046A1.7070807@tenebras.com>
In-Reply-To: <20030724203657.GA415@perrin.int.nxad.com>
References: <20030724203657.GA415@perrin.int.nxad.com>
Sean Chittenden wrote:

> I'm setting up an ipfw2+natd gateway and am pretty convinced there's a
> bug in the way that ipfw2 promotes dynamic rules to being fully
> established.

I and others have said similar things, but we were simply wrong. The problem is that natd is already a stateful bugger, and when packets match a stateful rule in one direction (after natting, say) they cannot match the rule in the other direction -- addresses won't match. In one case you have the private address, in the other, the public address.

This has been discussed before. I'm working on new examples for rc.firewall....
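The address mismatch described above, as a constructed Python model added here (not ipfw or natd code, and not from the thread): a forwarded packet passes the firewall once on the LAN interface and once on the WAN interface, the divert is modelled as natd rewriting addresses, and two rule orders are compared. Keeping state after translation on the WAN side records the public address and then fails to match the reply, which natd has already rewritten back to the private address; keeping state on the inside interface sees private addresses in both directions. Interface names, addresses and ports are made up.

```python
from dataclasses import dataclass, replace

# Constructed addresses: inside host, gateway's public address, remote server, natd port.
PRIV, PUB, SERVER, NAT_PORT = "192.168.1.5", "203.0.113.1", "198.51.100.9", 40000

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

def key(p):  return (p.src, p.sport, p.dst, p.dport)   # tuple a keep-state rule records
def rkey(p): return (p.dst, p.dport, p.src, p.sport)   # the same flow seen from the reply side

def natd(p, direction, table):
    """Model natd: rewrite the source going out, remember the mapping, and
    rewrite the destination of a matching reply coming in."""
    if direction == "out":
        table[(p.dst, p.dport, NAT_PORT)] = (p.src, p.sport)
        return replace(p, src=PUB, sport=NAT_PORT)
    inner = table.get((p.src, p.sport, p.dport))
    return replace(p, dst=inner[0], dport=inner[1]) if inner else p

def firewall(rules, p, passes, state, table):
    """Run one packet through ipfw once per interface it crosses.  Rules are
    (action, direction, interface); None means 'any'.  A divert re-enters the
    list at the next rule with the rewritten packet; a check-state that finds
    no dynamic rule simply falls through.  Default policy is deny."""
    for direction, iface in passes:
        verdict = "deny"
        for action, want_dir, want_if in rules:
            if want_dir not in (None, direction) or want_if not in (None, iface):
                continue
            if action == "divert":
                p = natd(p, direction, table)
            elif action == "check-state" and (key(p) in state or rkey(p) in state):
                verdict = "allow"; break
            elif action == "keep-state":
                state.add(key(p)); verdict = "allow"; break
            elif action == "allow":
                verdict = "allow"; break
        if verdict == "deny":
            return "deny"
    return "allow"

def session(rules):
    """LAN host opens a connection, then the server's reply comes back."""
    state, table = set(), {}
    out = firewall(rules, Pkt(PRIV, 1234, SERVER, 80), [("in", "lan0"), ("out", "wan0")], state, table)
    back = firewall(rules, Pkt(SERVER, 80, PUB, NAT_PORT), [("in", "wan0"), ("out", "lan0")], state, table)
    return out, back

# Dynamic rule created after natd on wan0: it records the public address, so the reply
# (already translated back to the private address by the divert) never matches it.
STATE_AFTER_NAT = [("divert", None, "wan0"), ("check-state", None, None),
                   ("keep-state", "out", "wan0"), ("allow", None, "lan0")]
# Dynamic rule created on the LAN interface: both directions are seen with private addresses.
STATE_ON_LAN = [("divert", None, "wan0"), ("check-state", None, None),
                ("keep-state", "in", "lan0"), ("allow", None, "wan0")]
```

The plain `allow ... via wan0` in the second list stands in for whatever the rest of a real ruleset does on the outside interface; the model only follows the one flow.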