Date: Thu, 30 Jan 2003 10:32:21 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: barbish@a1poweruser.com
Cc: Nick Rogness <nick@rogness.net>, "Simon L. Nielsen" <simon@nitro.dk>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Error in ipfw manpage for stateful rules?
Message-ID: <3E396FB5.90406@tenebras.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGMENPDEAA.barbish@a1poweruser.com>
JoeB wrote:

> So again I state that the documentation for keep-state rules using
> IPFW/NATD does not contain the information to create a fully enabled
> keep-state firewall using the IPFW/NATD function.

There are subtleties in integrating natd and stateful ipfirewall rules, and these aren't covered in the examples. It's fairly easy to see where the difficulty is, though, if you understand how the stateful rules work -- they are looking for SYN/ACK and ACK packets that match the parent rule, so take care when rewriting addresses so you get matching packets! It may be that you need to use skipto rules to separate inbound and outbound packets.

Also note: it is documented but frequently forgotten that nat'd packets, or any packets passed via DIVERT, lose information -- such as which interface the packet was received on.
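The ordering problem the reply describes, as an added example rather than code from the post or from FreeBSD: an rc.firewall-style script in which the inbound divert runs before check-state, the outbound dynamic rule is created on the untranslated packet by a skipto (not a terminal allow), and natd is only reached afterwards. The interface name and LAN prefix are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the post or from FreeBSD: an ipfw ruleset that
# keeps natd address rewriting out of the keep-state lookups by splitting the
# ruleset with skipto. Interface and address values are constructed placeholders.

fwcmd="${fwcmd:-/sbin/ipfw -q}"   # set fwcmd=echo to print the rules instead
oif="${oif:-xl0}"                 # outside interface, where natd listens
lan="${lan:-192.168.1.0/24}"      # inside network that natd masquerades

load_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 10 allow ip from any to any via lo0

    # Inbound: translate FIRST, so a reply to a NATed session carries the
    # inside address again by the time check-state compares it against the
    # dynamic rule that was recorded on the way out.
    ${fwcmd} add 100 divert natd ip from any to any in via "${oif}"
    ${fwcmd} add 110 check-state

    # Outbound: the dynamic rule must be created on the UNTRANSLATED packet,
    # and the rule creating it must not be a terminal 'allow', because the
    # packet still has to reach natd. keep-state on a skipto does both: it
    # records state, then jumps to the outbound divert at rule 800. When a
    # later check-state matches this session, the same skipto is re-executed.
    ${fwcmd} add 200 skipto 800 tcp from "${lan}" to any out via "${oif}" setup keep-state
    ${fwcmd} add 210 skipto 800 udp from "${lan}" to any out via "${oif}" keep-state
    ${fwcmd} add 220 skipto 800 icmp from "${lan}" to any out via "${oif}" keep-state

    # Anything that matched no dynamic rule is dropped and logged. As the post
    # notes, a packet that came back from natd may no longer carry its receive
    # interface, so this catch-all deliberately avoids 'in via'.
    ${fwcmd} add 700 deny log ip from any to any

    # Outbound NAT happens only once state exists; then the packet leaves.
    ${fwcmd} add 800 divert natd ip from any to any out via "${oif}"
    ${fwcmd} add 810 allow ip from any to any
}

case "${1:-}" in
    load)    load_rules ;;
    dry-run) fwcmd=echo; load_rules ;;
esac
```

Run with `dry-run` to print the rules, or `load` on a FreeBSD host to install them.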