You have run into the IPFW legacy divert/natd subroutine bug. IPFW stateful rules and divert/natd do not work together. IPFW stateful rules only work in a non-NATed environment. You need to use IPFILTER/IPNAT, the other firewall software application that is built into FBSD. The FBSD handbook does not even tell you that FBSD has more than one firewall. Smart move to want a stateful firewall; they provide the max in protection.

See:
http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1
http://coombs.anu.edu.au/~avalon/ip-filter.html

To see the FAQ: http://www.phildev.net/ipf/index.html

I use ipfilter and do exactly what you want. If you want a copy of my rules let me know.

As of July 2003 the OpenBSD firewall software application named PF was ported to FBSD. It's scheduled to become the third firewall software application delivered with the FBSD install with the next stable production release. You can find it in the FBSD ports collection here:
http://www.freebsd.org/cgi/ports.cgi?query=pf&stype=all&release=4.9-STABLE%2Fi386

More info can be found here: http://pf4freebsd.love2party.net/index.html

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mihai Marie
Sent: Thursday, February 26, 2004 3:12 AM
To: [EMAIL PROTECTED]
Subject: stateful firewall

Hello,

I want to set up a firewall (on my LAN's gateway) so that the only traffic that passes through is the traffic initiated from my local network (we have public IPs). My firewall looks like this:

ipfw add check-state
ipfw add deny tcp from any to any established
ipfw add allow tcp from $my_lan to any setup keep-state

The problems appear when I want to make some FTP traffic with a server that is outside (or any other traffic that tries to open a new, separate connection in relation to the one initiated from our LAN). With iptables (in Red Hat) you can do:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

but I don't know how I can do something like this using ipfw or another firewall on FreeBSD.

Any help would be appreciated,
Mihai Marie
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
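As an added example (not the rules the replier offered, and not anything shipped by the FreeBSD project), here is an IPFILTER ruleset expressing the same policy as the ipfw rules quoted in the original message: only connections initiated from the LAN pass, everything unsolicited is dropped. The interface names ext0 and lan0 and the network 203.0.113.0/24 are assumed placeholders.

```conf
# /etc/ipf.rules (added example; interface names and addresses are assumed)
# Policy: only traffic initiated from the LAN (203.0.113.0/24, public
# addresses, no NAT) may pass; anything arriving unsolicited is dropped.
# Load with: ipf -Fa -f /etc/ipf.rules

# Internal interface: the gateway trusts its own LAN segment.
pass in  quick on lan0 all
pass out quick on lan0 all

# External interface: each outbound connection from the LAN creates a
# state entry, so its replies are matched by state and never reach the
# block rules below. "flags S" means only a SYN (a new connection)
# creates state, not a stray ACK or RST.
pass out quick on ext0 proto tcp  from 203.0.113.0/24 to any flags S keep state
pass out quick on ext0 proto udp  from 203.0.113.0/24 to any keep state
pass out quick on ext0 proto icmp from 203.0.113.0/24 to any keep state

# Everything else: unsolicited inbound traffic, and outbound traffic that
# did not originate on the LAN. Logged so blocked attempts show up in
# ipmon output for review.
block in  log quick on ext0 all
block out log quick on ext0 all
```

Passive-mode FTP data connections are opened by the client and are therefore covered by the keep state rule; active-mode transfers, where the server connects back to the client, are not matched by this ruleset.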