Re: ipfw, natd, and keep-state - strange behavior?

From: Pierre-Olivier Fur
Date: 09/12/02

Date: Thu, 12 Sep 2002 17:13:10 +0000
From: Pierre-Olivier Fur
To: dfolkins

To me you should try ipf/ipnat; it's much easier, more efficient and
much more stateful ;) In a few words, it's the best. Once you try it,
you never leave it...

Good luck with ipfw ;)

dfolkins wrote:
> hi,
> pretty sure that this is appropriate for -security, but if it is not, i
> apologize in advance.
> i have a fbsd 4.6 router box sitting between a local net (192.168.0) and a
> single actual ip from a cable modem. naturally, i've set up nat and ipfw on
> it, but instead of going the old way with the semi-stateful rules i decided
> to go with keep-state/check-state. but problems arise with outgoing ssh
> connections. here is the relevant portion of my ipfw rules:
> #set up NAT
> ${fwcmd} add 00050 divert natd all from any to any via ${oif}
> # Allow the packet through if it has previously been added to
> # the "dynamic" rules table by an allow keep-state statement.
> $fwcmd add 00200 check-state
> # Run all private LAN $iif packet traffic through the dynamic rules
> # table so the IP addresses are in sync with Natd.
> $fwcmd add 00220 allow all from any to any via $iif keep-state
> # Deny all fragments as bogus packets
> $fwcmd add 00240 deny log all from any to any frag in via $oif
> # Deny ACK packets that did not match the dynamic rule table
> $fwcmd add 00260 deny log tcp from any to any established in via $oif
> # Allow out ssh connections
> $fwcmd add 00640 allow tcp from any to any 22 out via $oif setup keep-state
> seems like this should work. initiating an ssh connection with an external
> host, and checking the dynamic rules (ipfw -ad list), the following two
> rules are generated:
> 00220 84 12080 (T 599, slot 109) <-> tcp, 3106<-> {external host ip} 22
> 00640 26 2130 (T 19, slot 166) <-> tcp, {my external ip} 3106<-> {external host ip} 22
> the rule for my external ip, though, only gets the lifetime value from the
> syn_lifetime sysctl var, which is 20 seconds, and only the first rule
> apparently gets the acks through it and gets a 600sec lifetime that is set
> in ack_lifetime. any other packets sent through the connections reset the
> lifetime of the above two rules to 600 and 20 again. this would not trouble
> me otherwise, but as soon as the second rule (20 sec) expires, the ssh
> connection dies.
> when i remove the word "setup" from rule 640, though, the ssh connection does
> not die. the same two dynamic rules are created, with the same lifetimes,
> but when the short-lived rule expires the connection is still there; upon
> sending any data through it the short-lived rule does not get recreated. i
> am kinda stumped here.
> any ideas? what's wrong with my rules? any help would be appreciated.
> --
> df
> To Unsubscribe: send mail to
> with "unsubscribe freebsd-security" in the body of the message

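A diagnostic for the symptom dfolkins describes, added here as an example and not code from either poster: it parses `ipfw -ad list` output in the format quoted above and reports dynamic entries whose remaining lifetime never rises above the SYN lifetime, i.e. entries that keep being refreshed to dyn_syn_lifetime (20 s in the post) instead of dyn_ack_lifetime (600 s). Such an entry is one that has seen no reply traffic and will drop its connection when its short timer runs out. The sample output, the 192.168.0.10 / 203.0.113.5 / 198.51.100.7 addresses and the two functions are constructed for this example; the thresholds default to the values in the post and can be overridden from the live sysctls.

```shell
#!/bin/sh
# Added example (not from the thread): classify `ipfw -ad list` dynamic-rule
# lines by remaining lifetime and report the entries stuck at the SYN lifetime.
# Defaults are the values quoted in the post (20 s / 600 s); on a live box use:
#   SYN_LIFETIME=$(sysctl -n net.inet.ip.fw.dyn_syn_lifetime)
#   ACK_LIFETIME=$(sysctl -n net.inet.ip.fw.dyn_ack_lifetime)
SYN_LIFETIME=${SYN_LIFETIME:-20}
ACK_LIFETIME=${ACK_LIFETIME:-600}

# Constructed sample of `ipfw -ad list` output for the rule set in the post.
# 192.168.0.10 is the LAN host, 203.0.113.5 the NATed external address and
# 198.51.100.7 the ssh server (RFC 5737 documentation addresses, not real hosts).
SAMPLE_DYN='## Dynamic rules:
00220 84 12080 (T 599, slot 109) <-> tcp, 192.168.0.10 3106<-> 198.51.100.7 22
00640 26 2130 (T 19, slot 166) <-> tcp, 203.0.113.5 3106<-> 198.51.100.7 22'

# classify_dyn SYN_LIFETIME
# Reads dynamic-rule lines on stdin and prints "rulenum T state" for each one.
# state is SYN_ONLY when the remaining lifetime T is at or below the SYN
# lifetime (the entry has never been promoted to the ACK lifetime), otherwise
# ESTABLISHED. Lines that do not look like a dynamic entry are ignored.
classify_dyn() {
    awk -v syn="$1" '
        /^[0-9]+ .*\(T [0-9]+, slot [0-9]+\)/ {
            t = $0
            sub(/.*\(T /, "", t)    # strip everything up to "(T "
            sub(/,.*/, "", t)       # keep only the seconds value
            state = (t + 0 <= syn + 0) ? "SYN_ONLY" : "ESTABLISHED"
            printf "%s %s %s\n", $1, t, state
        }'
}

# syn_stuck_rules
# Reads dynamic-rule lines on stdin and prints only the rule numbers whose
# entry is still living on the SYN lifetime.
syn_stuck_rules() {
    classify_dyn "$SYN_LIFETIME" | awk '$3 == "SYN_ONLY" { print $1 }'
}

# Stand-alone run over the constructed sample; on a real router replace the
# printf with:  ipfw -ad list | syn_stuck_rules
printf '%s\n' "$SAMPLE_DYN" | classify_dyn "$SYN_LIFETIME"
printf '%s\n' "$SAMPLE_DYN" | syn_stuck_rules
```

Run over the sample, the 00220 entry (T 599) is reported as ESTABLISHED and the 00640 entry (T 19) as SYN_ONLY, which is exactly the pair dfolkins saw: the NATed entry created by rule 640 is the one that will expire and take the session with it. Watching the output of this check while the connection is idle shows whether an entry ever crosses from the SYN lifetime to the ACK lifetime, which is the first thing to establish before changing the rule set.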