IPFW: combining "divert natd" with "keep-state"
Subscriber
subscriber at insignia.com
Thu Jun 12 05:00:22 PDT 2003
> -----Original Message-----
> From: Greg Panula [mailto:greg.panula at dolaninformation.com]
> Sent: 11 June 2003 13:21
> To: Subscriber
> Cc: freebsd-security at freebsd.org
> Subject: Re: IPFW: combining "divert natd" with "keep-state"
>
> ## Example ##
> fxp0 = external nic
> xl0 = internal nic
> internal network = 10.10.10.0/24
> internal traffic NAT'd to 1.2.3.4
>
> ## handle nat traffic
> 100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
> 200 divert 8668 ip from any to 1.2.3.4 in via fxp0
>
> 300 check-state
>
> ## dynamic rules for internal clients access to everything
> ## needed so un-nat'd return traffic can flow out the
> ## internal nic to the internal clients
> 400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
> 500 allow udp from 10.10.10.0/24 to any keep-state via xl0
Thanks. For some reason I was fixated on putting all
the rules on the external interface and having
pass all from any to any via xl0
as the first rule in the list.
I'll give this a go.
Jim
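To make the four passes in Greg's ruleset concrete, here is a small Python model of how one NAT'd connection walks through those rules. It is an added example, not part of the thread and not ipfw itself: a divert match is modelled as "natd rewrites the address and the packet is passed on" (a modelling assumption), natd's table is keyed by peer address with no ports, and keep-state/check-state is a set of (protocol, {host, peer}) pairs matched in both directions. The interface names, addresses and rule numbers are the ones quoted above; the LAN host and peer addresses are constructed for the example.

```python
# Toy model of the quoted ipfw ruleset. Added example, not from the thread and
# not ipfw itself: a 'divert' match is modelled as "natd rewrites the address
# and the packet is passed on" (an assumption), NAT is tracked per peer address
# without ports, and keep-state/check-state is a set of (proto, {a, b}) pairs
# matched in both directions. Interfaces, addresses and rule numbers are Greg's.
import ipaddress
from dataclasses import dataclass, replace

EXT_IF, INT_IF = "fxp0", "xl0"
INT_NET, NAT_IP = "10.10.10.0/24", "1.2.3.4"

def in_net(addr, net):
    """ipfw-style address match: 'any' matches everything."""
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp"
    src: str
    dst: str
    iface: str      # interface being crossed
    direction: str  # "in" or "out" on that interface

@dataclass(frozen=True)
class Rule:
    num: int
    action: str            # allow / deny / divert / check-state
    proto: str = "ip"      # "ip" matches any protocol
    src: str = "any"
    dst: str = "any"
    iface: str = None      # 'via X'; None = any interface
    direction: str = None  # 'in' / 'out'; None = both
    keep_state: bool = False

    def matches(self, pkt):
        return (self.proto in ("ip", pkt.proto)
                and self.iface in (None, pkt.iface)
                and self.direction in (None, pkt.direction)
                and in_net(pkt.src, self.src) and in_net(pkt.dst, self.dst))

# Greg's rules, plus an explicit default deny at the end.
RULES = [
    Rule(100, "divert", src=INT_NET, iface=EXT_IF, direction="out"),
    Rule(200, "divert", dst=NAT_IP, iface=EXT_IF, direction="in"),
    Rule(300, "check-state"),
    Rule(400, "allow", "tcp", src=INT_NET, iface=INT_IF, keep_state=True),
    Rule(500, "allow", "udp", src=INT_NET, iface=INT_IF, keep_state=True),
    Rule(65535, "deny"),
]

def dyn_key(pkt):
    return (pkt.proto, frozenset((pkt.src, pkt.dst)))  # same key in both directions

class Firewall:
    def __init__(self, rules=RULES):
        self.rules = rules
        self.dynamic = set()  # keep-state entries
        self.nat = {}         # natd table (simplified): peer address -> LAN host
        self.trace = []       # (rule number, what it did), one entry per pass

    def natd(self, pkt):
        """What natd does to a diverted packet in this model."""
        if pkt.direction == "out" and in_net(pkt.src, INT_NET):
            self.nat[pkt.dst] = pkt.src
            return replace(pkt, src=NAT_IP)
        if pkt.direction == "in" and pkt.dst == NAT_IP and pkt.src in self.nat:
            return replace(pkt, dst=self.nat[pkt.src])
        return pkt

    def check(self, pkt):
        """One pass of one packet through the rules -> (verdict, packet afterwards)."""
        for r in self.rules:
            if r.action == "check-state":
                if dyn_key(pkt) in self.dynamic:
                    self.trace.append((r.num, "check-state match"))
                    return "allow", pkt
                continue
            if not r.matches(pkt):
                continue
            self.trace.append((r.num, r.action))
            if r.action == "divert":
                return "allow", self.natd(pkt)  # rewrite-and-pass (model assumption)
            if r.action == "allow":
                if r.keep_state:
                    self.dynamic.add(dyn_key(pkt))
                return "allow", pkt
            return "deny", pkt
        return "deny", pkt

def round_trip(proto, host="10.10.10.5", peer="198.51.100.7"):
    """Follow one connection through all four passes, stopping at the first deny.
    Returns (verdicts, destination of the packet after the last pass, trace)."""
    fw, verdicts, pkt = Firewall(), [], None
    steps = [
        # 1. request enters on xl0: rule 400/500 allows it and creates the state
        lambda _: Packet(proto, host, peer, INT_IF, "in"),
        # 2. it leaves fxp0: rule 100 diverts it, natd rewrites the source to 1.2.3.4
        lambda p: replace(p, iface=EXT_IF, direction="out"),
        # 3. reply arrives on fxp0 for 1.2.3.4: rule 200 diverts, natd restores the host
        lambda p: Packet(proto, peer, p.src, EXT_IF, "in"),
        # 4. the un-NAT'd reply leaves xl0: only check-state (rule 300) matches it
        lambda p: replace(p, iface=INT_IF, direction="out"),
    ]
    for step in steps:
        pkt = step(pkt)
        verdict, pkt = fw.check(pkt)
        verdicts.append(verdict)
        if verdict == "deny":
            break
    return verdicts, pkt.dst, fw.trace
```

Running `round_trip("tcp")` gives four allows and a reply that ends up addressed to 10.10.10.5, with the trace 400, 100, 200, 300: the state created by rule 400 on xl0 is what lets the un-NAT'd reply out of xl0 at rule 300. Running it with a protocol no keep-state rule covers (`round_trip("icmp")`) is denied on the first pass, which is the point of the comment in Greg's rules: rules on fxp0 alone do not let the translated-back reply reach the LAN.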