IPFW: combining "divert natd" with "keep-state"

Ruslan Ermilov ru at freebsd.org
Wed Jun 11 04:20:42 PDT 2003


On Wed, Jun 11, 2003 at 11:05:00AM +0100, Subscriber wrote:
> I've been using ipfw for a while to create a router with NAT
> and packet filtering, but have never combined it with
> stateful filtering, instead using things like "established" to
> accept incoming TCP packets which are part of a conversation
> initiated from the "inside".
> 
> I'd like to move to using keep-state/check-state to get tighter
> filtering and also to allow outgoing UDP and the replies, which
> currently I block.
> 
> But I just can't get my head around how to do this. On the way
> out, should the dynamic rules be created to match the pre-NAT
> or post-NAT packets?
> 
> The man pages are good at explaining both NAT and dynamic
> rules but not both in combination.
> 
Jim,

Attached is the conversation I had with Luigi Rizzo exactly
three years ago on this topic.  Maybe it is still helpful.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru at sunbay.com		Sunbay Software Ltd,
ru at FreeBSD.org		FreeBSD committer
-------------- next part --------------
An embedded message was scrubbed...
From: Ruslan Ermilov <ru at FreeBSD.org>
Subject: [IPFW] keep-state/check-state with divert
Date: Thu, 8 Jun 2000 23:20:52 +0300
Size: 3682
Url: http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030611/8d8c5778/attachment.eml
-------------- next part --------------
An embedded message was scrubbed...
From: Luigi Rizzo <luigi at info.iet.unipi.it>
Subject: Re: [IPFW] keep-state/check-state with divert
Date: Fri, 9 Jun 2000 07:25:34 +0200 (CEST)
Size: 5386
Url: http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030611/8d8c5778/attachment-0001.eml
-------------- next part --------------
An embedded message was scrubbed...
From: Ruslan Ermilov <ru at FreeBSD.org>
Subject: Re: [IPFW] keep-state/check-state with divert
Date: Wed, 14 Jun 2000 10:19:53 +0300
Size: 2570
Url: http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030611/8d8c5778/attachment-0002.eml