does NATd _prevent_ use of stateful ipfw rules w/ keep-state?
Ari Suutari
ari at suutari.iki.fi
Wed Jun 2 23:04:27 PDT 2004
Hi,
> > check-state
> > allow udp from internal_network/24 to any 53 keep-state
> > allow udp from public-ip-address to any 53 keep-state
>
> ok. this is the "dual rules" approach that I'd read about.
>
> is it IPFW that's "managing" state, then, or NATd, or both? i.e.,
> check-state checks WHICH tables?
Well, both. 'check-state' checks ipfw's tables. Natd does its own
checking.
>
> > I *don't* have a rule for my internal interface which passes all
> > traffic
> > (ie. 'pass ip from any to any via internal-interface-name'
> > which seems to be common setup, I use the 'via' keyword of ipfw
> > only on anti-spoofing rules at beginning of my ruleset, all other
> > rules are then based on ip-addresses only).
> >
> > The setup above creates two dynamic rules when packets are
> > going thru. One matches the packet before nat and one after.
>
> in your example, how have you setup your NAT divert statement? are you
> using any "fwd" statements in conjunction? i'm asking in relation to my
> _other_post:
My divert statement is very much like in the standard /etc/rc.firewall.
Ari S.
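As an added illustration (not part of the thread), here is the kind of ruleset the exchange above describes, written as a dry-run shell script: anti-spoofing 'via' rules first, then the natd divert placed before the filtering rules as /etc/rc.firewall does, then check-state followed by the two keep-state rules. Interface names, addresses and rule numbers are assumed placeholders, and FWCMD defaults to printing the commands rather than loading them.

```shell
#!/bin/sh
# Added example, not from the original thread. FWCMD defaults to a dry run
# that only prints the ipfw commands; set FWCMD=ipfw on a FreeBSD gateway
# to load them. Word splitting of $FWCMD is intentional.
FWCMD="${FWCMD:-echo ipfw}"

OIF="${OIF:-em0}"                            # external interface (assumed)
IIF="${IIF:-em1}"                            # internal interface (assumed)
PUBLIC_IP="${PUBLIC_IP:-203.0.113.10}"       # placeholder public address
INTERNAL_NET="${INTERNAL_NET:-192.168.1.0/24}" # placeholder internal net

build_ruleset() {
    $FWCMD -f flush
    # Anti-spoofing at the top of the ruleset; these are the only rules
    # that use 'via', as described in the post.
    $FWCMD add 100 deny all from $INTERNAL_NET to any in via $OIF
    $FWCMD add 110 deny all from not $INTERNAL_NET to any in via $IIF
    # natd divert before the filtering rules, as in /etc/rc.firewall.
    # Outbound packets pass rule 310 before translation and rule 320
    # after it, which is why two dynamic rules appear.
    $FWCMD add 200 divert natd all from any to any via $OIF
    # Stateful section: check-state first, then the "dual" keep-state rules.
    $FWCMD add 300 check-state
    $FWCMD add 310 allow udp from $INTERNAL_NET to any 53 keep-state
    $FWCMD add 320 allow udp from $PUBLIC_IP to any 53 keep-state
    # Everything not matched above is dropped.
    $FWCMD add 65000 deny all from any to any
}

build_ruleset
```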