From: Ken Bolingbroke
To: fbsd_user
cc: freebsd-questions@freebsd.org
Date: Mon, 19 Jan 2004 20:28:17 -0800 (PST)
Subject: RE: ipfw/nated stateful rules example
Message-ID: <20040119201738.B30318@fremont.bolingbroke.com>

On Mon, 19 Jan 2004, fbsd_user wrote:

> That's a play on words. And still does not prove stateful rules work on
> the interface facing the public internet. There is no documentation that
> says keep-state and limit only works on the interface facing the private
> Lan network. And the implied meaning is they are to be used on the
> interface facing the public internet.

I just jumped in the middle here, so I may be out of context. But,
stateful rules don't play nice with NAT.

Consider non-NAT, a public IP address contacting an Internet address:

  67.161.59.61 -> 66.218.71.91

A rule is created for 66.218.71.91 coming to 67.161.59.61. When
66.218.71.91 replies, the stateful rule lets it in. This is good.

But consider NAT:

  10.0.0.10 changed to 67.161.59.61 -> 66.218.71.91

If you do a keep-state before NAT, you have a rule to allow 66.218.71.91
to 10.0.0.10, but the return incoming packet will be
66.218.71.91 -> 67.161.59.61, so the rule doesn't match.

If you do a keep-state after NAT, then you have a rule to allow
66.218.71.91 to 67.161.59.61. The return incoming packet matches that
rule, but it accepts the packet and packet processing stops, so it's
never passed through NAT, and never makes it back to 10.0.0.10.

So as it stands now, I don't see that you can use stateful connections
with NAT, unless check-state is changed to allow a packet to be passed
through NAT.

Ken Bolingbroke
hacker@bolingbroke.com
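The two orderings described in the post, worked through as a constructed toy model of ipfw dynamic-rule matching added here (not code from the thread, and not ipfw's real implementation). The addresses are the ones in the post; the rule kinds, their order and the `nat` helper are simplifying assumptions.

```python
# Constructed model of ipfw rule processing with a natd divert rule. It only
# models the argument in the post: where the dynamic (keep-state) entry is
# created relative to NAT decides whether a reply can ever reach 10.0.0.10.
from dataclasses import dataclass

PRIVATE, PUBLIC, REMOTE = "10.0.0.10", "67.161.59.61", "66.218.71.91"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def nat(pkt: Packet, outbound: bool) -> Packet:
    """Simplified natd: swap the private address for the public one and back."""
    if outbound and pkt.src == PRIVATE:
        return Packet(PUBLIC, pkt.dst)
    if not outbound and pkt.dst == PUBLIC:
        return Packet(pkt.src, PRIVATE)
    return pkt


def run(rules, pkt: Packet, outbound: bool, state: set):
    """Walk the ruleset in order; return (verdict, packet as last seen).
    Assumed rule kinds: "check-state" accepts and stops on a dynamic hit;
    "divert" rewrites via natd and continues; "keep-state" matches outbound
    packets only, records the expected reply and accepts; "deny" drops."""
    for kind in rules:
        if kind == "check-state" and (pkt.src, pkt.dst) in state:
            return "accept", pkt                 # processing stops: no NAT after this
        elif kind == "divert":
            pkt = nat(pkt, outbound)
        elif kind == "keep-state" and outbound:
            state.add((pkt.dst, pkt.src))        # reply expected from dst back to src
            return "accept", pkt
        elif kind == "deny":
            return "deny", pkt
    return "deny", pkt


def reply_delivered(rules):
    """Send 10.0.0.10 -> 66.218.71.91, then its reply; was it delivered inside?"""
    state = set()
    run(rules, Packet(PRIVATE, REMOTE), True, state)
    verdict, final = run(rules, Packet(REMOTE, PUBLIC), False, state)
    return verdict, verdict == "accept" and final.dst == PRIVATE


BEFORE_NAT = ["check-state", "keep-state", "divert", "deny"]  # state holds 10.0.0.10
AFTER_NAT = ["check-state", "divert", "keep-state", "deny"]   # state holds 67.161.59.61
```

In the first ordering the reply never matches the dynamic entry and is denied; in the second it matches, is accepted, and stops before the divert, so it is still addressed to 67.161.59.61.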