There seems to be confusion as soon as IPFW is used for NAT and for stateful dynamic rules.

My ruleset so far contains the below rules, and I wonder if someone can tell me if there's anything incorrect about them (with regard to correctly using NAT and dynamic rulesets):

bash-2.05b# ipfw -a list
00100 3155 1100714 divert 8668 ip from any to any via rl0
00200    0       0 check-state
00300  200   25128 allow ip from me to me
00400 1991  131910 allow ip from to any keep-state
00500 3928 2038665 allow ip from to any keep-state
65535    1     338 deny ip from any to any

I'm not asking if these rules are battleship secure - I'm sure I have a lot of work to 
do yet in creating a tigher ruleset. What I want to know is: are these rules correctly 
allowing NAT to work with dynamic rules, or is there some gaping security flaw that 
I'm missing?

With the above rules, I can use the gateway machine to connect to the Internet (well, 
any website of my choice), and I can also use a machine on the 192.168.1 subnet to 
connect through the gateway to any website, mail server, etc. So NAT seems to be 

If I remove the keep-state option from the 192.168.1 line, then the LAN machine can 
send a request to a website, but never gets a reply. Removing the keep-state from the 
192.168.0 line stops the gateway asking for pages. So the dynamic rule system seems to 
be working.

So it would seem that NAT and dynamic rules are working harmoniously together. But how 
naive am I being? What might I be missing?

Also, if I have got them working together correctly, why do I end up with a lot of 
packets denied by the `deny ip from any to any` rule? What are these few packets, and 
what tried to send them? Any ideas?

(By The Way... I remember why I stopped using Usenet all those years ago - have you 
seen what's being done to c.u.b.freebsd.misc lately? Not the correct way to promote 
Windows and discredit Linux.)

[EMAIL PROTECTED] mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to