Re: ipfw/nated stateful rules example

• Previous message: Robert Fitzpatrick: "Re: [5.2] Startup script won't install"
• In reply to: fbsd_user: "RE: ipfw/nated stateful rules example"
• Next in thread: Micheal Patterson: "Re: ipfw/nated stateful rules example"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Date: Tue, 20 Jan 2004 15:24:45 +0000
To: fbsd_user@a1poweruser.com

fbsd_user wrote:

> The conclusion so far is that ipfw1 and ipfw2 using keep-state rules
> on the interface facing the public internet with divert/nated does
> not work period.

Probably my post hasn't reached you yet. I think you are mistaken if you mean
that keep-state rules cannot be securely used in a NAT configuration -- see
two examples in my post. The mistake I believe you are making is in talking
about only the public-internet facing interface. What you are trying to do is
to ensure that *conversations* from anywhere on your internal network can be
keep-stated when talking to the external network. But the packets *start* on
the internal facing interface. It just so happens that without NAT you can
ignore this bit of the conversation, but once you include it, you cannot.

In any case, my somewhat messy example which puts the keep-state on a skipto
rule still manages without *looking* at the internal interface, though it does
take into consideration the whole conversation.

> Still would like to be proved wrong on my conclusion.

If you find any bugs in the two alternatives I posted then I would love to know.

--Alex
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"

• Previous message: Robert Fitzpatrick: "Re: [5.2] Startup script won't install"
• In reply to: fbsd_user: "RE: ipfw/nated stateful rules example"
• Next in thread: Micheal Patterson: "Re: ipfw/nated stateful rules example"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Relevant Pages Re: Problem configuring NAT to share Internet Connection ... One of my NICs in the server connect to a DSL ... modem and it connects to internet. ... > interface, that connects to the DSL modem, LAN interface, that connects to ... >> 7.- To connect server to Internet, I create a new network connection. ... (microsoft.public.win2000.ras_routing) Internet thru Cisco 871 ... SDM wizards and didn't get the internet. ... expected static IP address on the Dialer0 interface but fail ping ... zone security private ... ip http access-class 3 ... (comp.dcom.sys.cisco) Re: Problem configuring NAT to share Internet Connection ... This is the IPCONFIG information of the server (where you can see Internet ... interface, that connects to the DSL modem, LAN interface, that connects to ... > 7.- To connect server to Internet, I create a new network connection. ... (microsoft.public.win2000.ras_routing) Re: Access from internal hosts to internal servers using external address ... I have a Cisco 386 in a NAT configuration. ... Internal hosts can access the Internet in a NAT'ed fashion ... interface Ethernet0 ... (comp.dcom.sys.cisco) Re: T1 lines go mad ... > Can you post the interface configs as well as a show interface for each end? ... Current configuration: 137 bytes ... Internet address is 192.168.245.1/30 ... output buffer failures, ... (comp.dcom.sys.cisco)