----- Original Message ----- 
From: "Ken Bolingbroke" <[EMAIL PROTECTED]>
To: "fbsd_user" <[EMAIL PROTECTED]>
Sent: Monday, January 19, 2004 10:28 PM
Subject: RE: ipfw/nated stateful rules example

> On Mon, 19 Jan 2004, fbsd_user wrote:
> > That's a play on words. And still does not prove stateful rules work on
> > the interface facing the public internet. There is no documentation that
> > says keep-state and limit only works on the interface facing the private
> > Lan network. And the implied meaning is they are to be used on the
> > interface facing the public internet.
> I just jumped in the middle here, so I may be out of context.
> But, stateful rules don't play nice with NAT.  Consider non-NAT, a public
> IP address contacting an Internet address:
> ->
> A rule is created for coming to  When
> replies, the stateful rule lets it in.  This is good.
> But consider NAT:
> changed to ->
> If you do a keep-state before NAT, you have a rule to allow
> to, but the return incoming packet will be ->
>, so the rule doesn't match.
> If you do a keep-state after NAT, then you have a rule to allow
> to  The return incoming packet matches that
> rule, but it accepts the packet and packet processing stops, so it's never
> passed through NAT, and never makes it back to
> So as it stands now, I don't see that you can use stateful connections
> with NAT, unless check-state is changed to allow a packet to be passed
> through NAT.
> Ken Bolingbroke

Ken, try this one. This is what I use here at home and it does indeed work:

Launch NATD with natd -interface ep0 -s -m -u (Only RFC1918 packets get

## Divert everything to NAT.
ipfw add 1 divert natd ip from any to any via ep0

#Prevent inbound spoof attempts for my lan range
ipfw add 10 deny ip from to any in via ep0

#Check State Rules
ipfw add 20 check-state

#LAN Allow Stateful
ipfw add 31 allow ip from to any keep-state

#Allow Outbound Stateful.
ipfw add 40 allow ip from 68.12.xx.xx to any keep-state

NAT keeps a separate table of its translations to provide a back channel.
Traffic comes in, generates a dynamic ruleset, gets translated, heads out
and creates the 2nd dynamic for the packet. You'll end up with something
like this

ipfw -d list


## Dynamic rules:
00040 4 692 (T 18, slot 215) <-> tcp, 68.12.xx.xx3777<-> 80
00031 35 20374 (T 10, slot 219) <-> udp, 4986<->
00031 3 216 (T 1, slot 483) <-> tcp, 22<-> 3574
00031 16 11902 (T 298, slot 752) <-> tcp, 3777<->

Granted, you'll end up with a dual entry for each packet in stateful space,
but it does work. Perhaps not as intended with a single match but you can
use stateful with NAT.


Micheal Patterson
Network Administration
TSG Incorporated
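The double dynamic entry Micheal describes comes from each packet crossing ipfw twice (once on the LAN interface, once on ep0, where the divert rule translates it before check-state runs). The following added model of that ruleset is not from the thread or from ipfw itself; it assumes a LAN of 192.168.1.0/24, a public address of 68.12.0.1 standing in for the elided 68.12.xx.xx, an inside interface named fxp0, and a natd that keeps the source port unchanged.

```python
import ipaddress

# Constructed stand-ins for the addresses elided from the mail (hypothetical values).
LAN = ipaddress.ip_network("192.168.1.0/24")   # the private LAN range
PUBLIC = "68.12.0.1"                            # the public ep0 address (68.12.xx.xx)

nat_table = {}   # natd's own translation table: source port -> private address
dynamic = {}     # ipfw's stateful table: unordered endpoint pair -> creating rule

def endpoints(p):
    return frozenset({(p["src"], p["sport"]), (p["dst"], p["dport"])})

def natd(p):
    """Model of 'divert natd' on ep0: rewrite the source of outgoing packets and
    the destination of incoming ones, using natd's table rather than ipfw's."""
    if p["dir"] == "out":
        nat_table[p["sport"]] = p["src"]
        p["src"] = PUBLIC
    elif p["dport"] in nat_table:
        p["dst"] = nat_table[p["dport"]]

def ipfw(p):
    """Walk the rules from the mail in order; returns (verdict, rule number)."""
    in_lan = lambda: ipaddress.ip_address(p["src"]) in LAN
    if p["iface"] == "ep0":                              # 1  divert natd via ep0
        natd(p)                                          # packet continues, translated
    if in_lan() and p["dir"] == "in" and p["iface"] == "ep0":
        return "deny", 10                                # 10 anti-spoof for LAN range
    if endpoints(p) in dynamic:                          # 20 check-state
        return "allow", dynamic[endpoints(p)]
    if in_lan():                                         # 31 allow from LAN keep-state
        dynamic[endpoints(p)] = 31
        return "allow", 31
    if p["src"] == PUBLIC:                               # 40 allow from public keep-state
        dynamic[endpoints(p)] = 40
        return "allow", 40
    return "deny", 65535                                 # implicit default deny

def trace_connection():
    """One LAN host opening a web connection; every packet crosses ipfw twice."""
    nat_table.clear(); dynamic.clear()
    pkt = lambda s, sp, d, dp, dr, i: dict(src=s, sport=sp, dst=d, dport=dp, dir=dr, iface=i)
    steps = [
        pkt("192.168.1.10", 3777, "203.0.113.5", 80, "in", "fxp0"),   # SYN enters from LAN
        pkt("192.168.1.10", 3777, "203.0.113.5", 80, "out", "ep0"),   # SYN leaves, NATed
        pkt("203.0.113.5", 80, PUBLIC, 3777, "in", "ep0"),            # reply arrives, un-NATed
        pkt("203.0.113.5", 80, "192.168.1.10", 3777, "out", "fxp0"),  # reply leaves to LAN
    ]
    return [ipfw(p) for p in steps], dict(dynamic)       # second value mirrors ipfw -d list
```

Running `trace_connection()` yields two dynamic entries (rule 31 with the private address, rule 40 with the public one), and the reply is admitted by check-state matching the rule-31 entry because natd has already rewritten the destination; the rule-40 entry is never the one that matches.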
