RE: IPFW: combining "divert natd" with "keep-state"

From: Subscriber (subscriber_at_insignia.com)
Date: 06/12/03

    To: "'freebsd-security@freebsd.org'" <freebsd-security@freebsd.org>
    Date: Thu, 12 Jun 2003 13:00:18 +0100
    
    

    > -----Original Message-----
    > From: Greg Panula [mailto:greg.panula@dolaninformation.com]
    > Sent: 11 June 2003 13:21
    > To: Subscriber
    > Cc: freebsd-security@freebsd.org
    > Subject: Re: IPFW: combining "divert natd" with "keep-state"
    >
    > ## Example ##
    > fxp0 = external nic
    > xl0 = internal nic
    > internal network = 10.10.10.0/24
    > internal traffic NAT'd to 1.2.3.4
    >
    > ## handle nat traffic
    > 100 divert 8668 ip from 10.10.10.0/24 to any out via fxp0
    > 200 divert 8668 ip from any to 1.2.3.4 in via fxp0
    >
    > 300 check-state
    >
    > ## dynamic rules for internal clients access to everything
    > ## needed so un-nat'd return traffic can flow out the
    > ## internal nic to the internal clients
    > 400 allow tcp from 10.10.10.0/24 to any keep-state via xl0
    > 500 allow udp from 10.10.10.0/24 to any keep-state via xl0

    Thanks. For some reason I was fixated on putting all
    the rules on the external interface and having
    "pass all from any to any via xl0"
    as the first rule in the list.

    I'll give this a go.
    Jim
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
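A simplified model of ipfw's walk over the ruleset Greg quotes, added here as an illustration and not part of the thread or of ipfw itself; it tracks addresses only (no ports or protocols), models natd as a stand-in, and assumes an extra rule 600 allowing the NAT'd outbound traffic on fxp0, which the quoted fragment does not show. Running the same client-to-server exchange through Greg's layout and through a "state on the external nic" layout shows why the dynamic rule belongs on xl0: state recorded after the divert on fxp0 holds the NAT'd source 1.2.3.4, so the un-NAT'd reply coming back from natd matches nothing and is dropped.

```python
# Added illustration, not ipfw code. Rules are tried in order; "divert" hands the
# packet to a natd stand-in and continues at the next rule (as the re-injected packet
# does); keep-state records a flow; check-state/keep-state allow either direction of it.
EXT_IP = "1.2.3.4"                             # internal traffic is NAT'd to this
def natd(pkt, nat_table):                      # masquerade out, un-NAT known replies
    p = dict(pkt)
    if pkt["dir"] == "out" and pkt["src"].startswith("10.10.10."):
        nat_table[pkt["dst"]] = pkt["src"]
        p["src"] = EXT_IP
    elif pkt["dir"] == "in" and pkt["dst"] == EXT_IP and pkt["src"] in nat_table:
        p["dst"] = nat_table[pkt["src"]]
    return p
def addr_match(spec, ip):                      # spec is "any", a host, or a /24
    if spec.endswith("/24"):
        return ip.startswith(spec[:spec.rfind(".") + 1])
    return spec == "any" or spec == ip
def rule(num, action, src, dst, iface, dir="any"):
    return dict(num=num, action=action, src=src, dst=dst, iface=iface, dir=dir)

def run(rules, packets):                       # one verdict per interface pass
    state, nat_table, verdicts = set(), {}, []
    for pkt in packets:
        verdict = "deny"                       # ipfw's implicit final deny
        for r in rules:
            flow = frozenset((pkt["src"], pkt["dst"]))
            if flow in state and r["action"] in ("check-state", "keep-state"):
                verdict = "allow"; break
            if r["action"] == "check-state" or not (
                    addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])
                    and r["iface"] == pkt["iface"] and r["dir"] in ("any", pkt["dir"])):
                continue
            if r["action"] == "divert":
                pkt = natd(pkt, nat_table); continue   # re-enters at the next rule
            if r["action"] == "keep-state":
                state.add(flow)
            verdict = "allow"; break
        verdicts.append(verdict)
    return verdicts

# Constructed exchange: 10.10.10.5 -> 8.8.8.8 and its reply, one entry per interface pass
pk = lambda s, d, i, dr: dict(src=s, dst=d, iface=i, dir=dr)
FLOW = [pk("10.10.10.5", "8.8.8.8", "xl0", "in"), pk("10.10.10.5", "8.8.8.8", "fxp0", "out"),
        pk("8.8.8.8", EXT_IP, "fxp0", "in"), pk("8.8.8.8", "10.10.10.5", "xl0", "out")]
NAT = [rule(100, "divert", "10.10.10.0/24", "any", "fxp0", "out"),
       rule(200, "divert", "any", EXT_IP, "fxp0", "in"), rule(300, "check-state", "any", "any", None)]
INTERNAL_STATE = NAT + [rule(400, "keep-state", "10.10.10.0/24", "any", "xl0"),  # Greg's layout;
                        rule(600, "allow", EXT_IP, "any", "fxp0", "out")]  # 600 assumed, not quoted
EXTERNAL_STATE = [rule(50, "allow", "any", "any", "xl0")] + NAT + [        # state on fxp0 after NAT
    rule(400, "keep-state", EXT_IP, "any", "fxp0", "out")]
```

With Greg's layout every pass of the exchange is allowed; with state kept on fxp0 the reply is denied on its way in, before it ever reaches xl0.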

