does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Ari Suutari
ari at suutari.iki.fi
Wed Jun 2 22:42:24 PDT 2004
Hi,
> If using NATd, am I relegated to a _static_ ruleset, w/ no ability to use
> stateful rules?
I'm running at least two machines with both natd and some stateful rules
(for udp traffic). Works ok.
The way I did it is to have two rules, for example:
check-state
allow udp from internal_network/24 to any 53 keep-state
allow udp from public-ip-address to any 53 keep-state
I *don't* have a rule for my internal interface which passes all traffic
(i.e. 'pass ip from any to any via internal-interface-name'),
which seems to be a common setup. I use the 'via' keyword of ipfw
only on anti-spoofing rules at the beginning of my ruleset; all other
rules are then based on IP addresses only.
The setup above creates two dynamic rules when packets are
going through. One matches the packet before NAT and one after.
Ari S.
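Added illustration (not part of Ari's post, and not a FreeBSD rc.firewall script): a small sh script that lays out a complete ruleset in the order the message describes, so the "one dynamic rule before NAT, one after" effect can be seen. The interface name, internal network and public address (EXT_IF, INT_NET, PUB_IP) are constructed placeholders, and IPFW defaults to "echo ipfw" so the script only prints the commands it would run; set IPFW=/sbin/ipfw on a real box to load them.

```sh
#!/bin/sh
# Constructed example ruleset for natd + stateful ipfw rules.
# Defaults to printing the commands; override IPFW to actually load them.
IPFW="${IPFW:-echo ipfw}"
EXT_IF="${EXT_IF:-fxp0}"              # assumed external interface name
INT_NET="${INT_NET:-192.168.1.0/24}"  # assumed internal network
PUB_IP="${PUB_IP:-203.0.113.5}"       # assumed public address on EXT_IF

build_ruleset() {
    $IPFW -f flush

    # 'via' is used only here, for anti-spoofing: our own internal
    # prefix and our public address must never arrive from outside.
    $IPFW add 100 deny ip from "$INT_NET" to any in via "$EXT_IF"
    $IPFW add 110 deny ip from "$PUB_IP" to any in via "$EXT_IF"

    # Translation happens on the external interface only. Packets are
    # reinjected after this rule, so rules below see post-NAT addresses
    # for traffic that crossed EXT_IF and pre-NAT addresses otherwise.
    $IPFW add 200 divert natd ip from any to any via "$EXT_IF"

    # Match existing dynamic entries before creating new ones.
    $IPFW add 300 check-state

    # Outbound DNS from an internal host hits rule 310 while its source
    # is still the private address (inbound on the internal interface),
    # then rule 320 after natd has rewritten the source to PUB_IP
    # (outbound on EXT_IF). Each match creates its own dynamic entry.
    $IPFW add 310 allow udp from "$INT_NET" to any 53 keep-state
    $IPFW add 320 allow udp from "$PUB_IP" to any 53 keep-state

    # No blanket "pass ip from any to any via internal-if"; everything
    # not matched above is dropped.
    $IPFW add 65000 deny ip from any to any
}

# Count of keep-state rules in the generated set (expected: 2).
keep_state_count() {
    build_ruleset | grep -c 'keep-state'
}

# Rule number of check-state, to confirm it precedes the keep-state rules.
check_state_rule() {
    build_ruleset | awk '/check-state/ { print $3 }'
}

build_ruleset
```

Run as-is it prints the ruleset; the reply path works because the reply is diverted and translated back at rule 200 before check-state sees it, so it matches the dynamic entry created by rule 310.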