Date:      Thu, 30 Jan 2003 10:32:21 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        barbish@a1poweruser.com
Cc:        Nick Rogness <nick@rogness.net>, "Simon L. Nielsen" <simon@nitro.dk>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Error in ipfw manpage for stateful rules?
Message-ID:  <3E396FB5.90406@tenebras.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>
References:  <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>

JoeB wrote:

>
> So again I state that the documentation for keep-state rules using
> IPFW/NATD does not contain the information to create a fully enabled
> keep-state firewall using the IPFW/NATD function.

There are subtleties in integrating natd and stateful ipfirewall rules,
and these aren't covered in the examples.  It's fairly easy to see
where the difficulty is, though, if you understand how the stateful
rules work -- they are looking for SYN/ACK and ACK packets that match
the parent rule, so take care when rewriting addresses so you get
matching packets!

It may be that you need to use skipto rules to separate inbound and outbound
packets.

Also note:  it is documented but frequently forgotten that nat'd packets,
or any packets passed via DIVERT, lose information -- such as which
interface the packet was received on.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E396FB5.90406>