You have run into the IPFW legacy divert/NATed subroutine bug. IPFW
stateful rules and divert/NAT do not work together. IPFW stateful
rules only work in a non-NATed environment. You need to use
IPFILTER/IPNAT, the other firewall software application which is
built into FBSD. The FBSD handbook does not even tell you that FBSD
has more than one firewall. Smart move to want a stateful firewall;
they provide the max in protection.


To see the FAQ

I use ipfilter and do exactly what you want. If you want a copy of my
rules let me know.

As of July 2003 the OpenBSD firewall software application named PF
was ported to FBSD. It's scheduled to become the third firewall
software application delivered with the FBSD install with the next
stable production release.
You can find it in the FBSD ports collection here

More Info can be found here

-----Original Message-----
[mailto:[EMAIL PROTECTED] Behalf Of Mihai Marie
Sent: Thursday, February 26, 2004 3:12 AM
Subject: stateful firewall


I want to set up a firewall (on my LAN's gateway) so that the only
traffic that passes through is the one initiated from my local network
have public IPs).

My firewall looks like this

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from $my_lan to any setup keep-state

The problems appear when I want to make some ftp traffic with a
that is outside (or any other traffic that tries to open a new
connection in relation with the one initiated from our LAN).

With iptables (in redhat) you can do:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

but I don't know how can I do something like this using ipfw or
firewall on FreeBSD.

Any help would be appreciated,

Mihai Marie
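An added example, not code from either message: an IPFILTER rule set and IPNAT configuration for the gateway described in the question, following the reply's suggestion to use IPFILTER/IPNAT instead of ipfw keep-state. The file paths, interface names (fxp0 = outside, fxp1 = LAN) and the LAN prefix 192.168.1.0/24 are assumptions; the ipnat ftp proxy line is what handles the FTP data connection, i.e. the "RELATED" case from the iptables rule in the question.

```conf
# /etc/ipf.rules (assumed path; fxp0 = outside, fxp1 = LAN)
# Default deny in both directions; the "quick" rules below decide per packet.
block in all
block out all

# LAN side: trust the inside interface.
pass in  quick on fxp1 all
pass out quick on fxp1 all

# Outside: only connections started from inside. "flags S keep state"
# creates the state entry on the SYN, so replies are matched by the
# state table rather than by a separate "established" rule.
pass out quick on fxp0 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass out quick on fxp0 proto udp  from 192.168.1.0/24 to any keep state
pass out quick on fxp0 proto icmp from 192.168.1.0/24 to any keep state

# Anything else arriving from the Internet is dropped and logged.
block in log quick on fxp0 all

# /etc/ipnat.rules (assumed path)
# The ftp proxy follows the control channel and admits/translates the
# data connection, which is the "related" traffic the question asks about.
map fxp0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.1.0/24 -> 0/32 portmap tcp/udp 10000:20000
map fxp0 192.168.1.0/24 -> 0/32
```

Enable both at boot with ipfilter_enable="YES", ipfilter_rules="/etc/ipf.rules", ipnat_enable="YES" and ipnat_rules="/etc/ipnat.rules" in /etc/rc.conf. If the LAN hosts really have public addresses and no translation is wanted, drop the three map lines and keep only the ipf rules.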
