>> the reply was that keep-state and natd are very hard to use
>> together, and besides it is rather useless because natd is stateful
>> by itself.
> natd is stateful, but provides no protection for inbound IP traffic
> that is destined for the filtering host itself.
I have personally looked at natd & stateful ipfw rules, and have concluded that it is logically impossible to get it to work. Thus I made an ipfw rulelist that utilizes the statefulness of natd. I hope this helps you in making your own rulelist.

tl0 is the interface on the internal LAN
lnc0 is the interface on the external LAN

--------------------
# divert all http requests from the internal network to the squid cache
add 00510 fwd 172.30.0.1 tcp from 172.30.0.0/16 to any 80 in via tl0
add 00520 fwd 172.30.0.1 tcp from 172.20.0.0/16 to any 80 in via tl0
add 00530 fwd 172.30.0.1 tcp from 192.168.0.0/24 to any 80 in via tl0

# allow all traffic to/from the internal network
add 01000 allow all from any to any via tl0

# translate incoming packets (NAT)
add 30000 divert natd all from any to <internet IP of machine> in via lnc0

# allow incoming packets for hosts on the internal network
# (since natd translated them, we're sure they belong to an existing
# connection; untranslated packets still carry the machine's own IP and
# do not match these rules)
add 30110 allow all from any to 172.20.0.0/16 in via lnc0
add 30111 allow all from any to 172.30.0.0/16 in via lnc0
add 30112 allow all from any to 192.168.0.0/24 in via lnc0

# allow SSH from XXXXXXXX
add 30200 allow tcp from <some internet IP> to <internet IP of machine> 22 in via lnc0
add 30210 allow tcp from <internet IP of machine> 22 to <some internet IP> out via lnc0

# allow DNS queries to the UUnet DNS servers
add 30300 allow udp from <DNS1 IP> 53 to <internet IP of machine> in via lnc0
add 30310 allow udp from <internet IP of machine> to <DNS1 IP> 53 out via lnc0
add 30320 allow udp from <DNS2 IP> 53 to <internet IP of machine> in via lnc0
add 30330 allow udp from <internet IP of machine> to <DNS2 IP> 53 out via lnc0

# allow outgoing traffic from internal hosts
# (use skipto 34000 instead of allow because they still need translation)
add 31010 skipto 34000 all from 172.20.0.0/16 to any out via lnc0
add 31020 skipto 34000 all from 172.30.0.0/16 to any out via lnc0
add 31030 skipto 34000 all from 192.168.0.0/24 to any out via lnc0

# allow outgoing connections from the local machine (using dynamic rules)
add 32000 allow all from <internet IP of machine> to any out via lnc0 keep-state

# block and log everything that hasn't been allowed so far
add 33000 deny log all from any to any

# translate outgoing packets from internal hosts, then let them out.
# NOTE: these two rules are not in the original post; they are reconstructed
# from the "skipto 34000 ... still need translation" comment above (rule
# numbers and exact form assumed). Without a rule numbered >= 34000 the
# skipto falls through to the default rule 65535, and the packets would
# leave untranslated (or be dropped, depending on the kernel's default).
add 34000 divert natd all from any to any out via lnc0
add 34010 allow all from <internet IP of machine> to any out via lnc0
--------------------

Greets,
Doc
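The rule list above depends on two ipfw behaviours that are easy to get wrong: a `skipto` jumps to the first rule numbered at or above its target (falling into the default rule 65535 if none exists), and a packet handed to natd by `divert` re-enters the list at the rule after the divert, carrying whatever translation natd applied. The following model walks a trimmed copy of the posted rules the way ipfw would and reports where a packet lands. It is an added example, not code from Doc's post or from FreeBSD; the interface names are taken from the post, while the addresses (RFC 5737 documentation ranges standing in for `<internet IP of machine>` and `<some internet IP>`), the toy natd table, and the rule numbers 34000/34010 for the outbound translation rules are assumptions. `keep-state` and `fwd` are not modelled.

```python
"""Minimal model of ipfw first-match evaluation with skipto and divert.

Added example; not code from the original post or from FreeBSD.  Only the
match fields the posted rules use are modelled (proto, src, dst, dst port,
direction, interface).  Addresses and the natd table are constructed."""

import ipaddress

DEFAULT_RULE = 65535                   # ipfw's implicit last rule
EXT_IP = "198.51.100.10"               # assumed stand-in for <internet IP of machine>
ADMIN_IP = "203.0.113.7"               # assumed stand-in for <some internet IP>
ANY = "0.0.0.0/0"
INTERNAL = [ipaddress.ip_network(n) for n in
            ("172.20.0.0/16", "172.30.0.0/16", "192.168.0.0/24")]


def rule(num, action, proto, src, dst, direction=None, iface=None, dport=None, target=None):
    """One ipfw rule.  direction None means 'via' (matches either direction)."""
    return dict(num=num, action=action, target=target, proto=proto,
                src=ipaddress.ip_network(src, strict=False),
                dst=ipaddress.ip_network(dst, strict=False),
                dport=dport, direction=direction, iface=iface)


def packet(proto, src, dst, direction, iface, dport=None):
    return dict(proto=proto, src=src, dst=dst, direction=direction, iface=iface, dport=dport)


def matches(r, p):
    return ((r["proto"] == "all" or r["proto"] == p["proto"])
            and ipaddress.ip_address(p["src"]) in r["src"]
            and ipaddress.ip_address(p["dst"]) in r["dst"]
            and (r["dport"] is None or r["dport"] == p["dport"])
            and (r["direction"] is None or r["direction"] == p["direction"])
            and (r["iface"] is None or r["iface"] == p["iface"]))


# Constructed natd state: one outbound connection already mapped to port 40000.
NAT_TABLE = {("tcp", 40000): "172.20.0.5"}


def natd(p):
    """Toy stand-in for natd: translate known inbound mappings, masquerade
    outbound packets from the internal nets, pass everything else unchanged."""
    q = dict(p)
    src = ipaddress.ip_address(p["src"])
    if p["direction"] == "in" and p["dst"] == EXT_IP:
        q["dst"] = NAT_TABLE.get((p["proto"], p["dport"]), p["dst"])
    elif p["direction"] == "out" and any(src in n for n in INTERNAL):
        q["src"] = EXT_IP
    return q


def evaluate(rules, p):
    """Return (rule_number, action, final_packet) for the rule that ends evaluation."""
    rules = sorted(rules, key=lambda r: r["num"])
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, p):
            i += 1
        elif r["action"] == "skipto":
            # jump to the first rule numbered >= target; if there is none,
            # evaluation falls off the end into the default rule
            i = next((j for j, q in enumerate(rules) if q["num"] >= r["target"]), len(rules))
        elif r["action"] == "divert":
            p = natd(p)            # natd re-injects at the rule after the divert
            i += 1
        else:
            return r["num"], r["action"], p
    return DEFAULT_RULE, "default", p


def missing_skipto_targets(rules):
    """skipto targets with no rule of that number: a lint for the list."""
    nums = {r["num"] for r in rules}
    return sorted({r["target"] for r in rules
                   if r["action"] == "skipto" and r["target"] not in nums})


# Trimmed copy of the posted rules (fwd, DNS, 192.168/24 and keep-state omitted).
POSTED = [
    rule(1000, "allow", "all", ANY, ANY, iface="tl0"),
    rule(30000, "divert", "all", ANY, EXT_IP, "in", "lnc0"),
    rule(30110, "allow", "all", ANY, "172.20.0.0/16", "in", "lnc0"),
    rule(30111, "allow", "all", ANY, "172.30.0.0/16", "in", "lnc0"),
    rule(30200, "allow", "tcp", ADMIN_IP, EXT_IP, "in", "lnc0", dport=22),
    rule(31010, "skipto", "all", "172.20.0.0/16", ANY, "out", "lnc0", target=34000),
    rule(31020, "skipto", "all", "172.30.0.0/16", ANY, "out", "lnc0", target=34000),
    rule(32000, "allow", "all", EXT_IP, ANY, "out", "lnc0"),
    rule(33000, "deny", "all", ANY, ANY),
]

# The outbound translation rules the skipto needs; numbers are assumed.
WITH_TARGET = POSTED + [
    rule(34000, "divert", "all", ANY, ANY, "out", "lnc0"),
    rule(34010, "allow", "all", EXT_IP, ANY, "out", "lnc0"),
]

if __name__ == "__main__":
    outbound = packet("tcp", "172.20.0.5", "203.0.113.50", "out", "lnc0", dport=80)
    print("missing skipto targets:", missing_skipto_targets(POSTED))
    print("outbound, as posted:   ", evaluate(POSTED, outbound)[:2])
    print("outbound, with 34000:  ", evaluate(WITH_TARGET, outbound)[:2])
```

Run it on the posted list and `missing_skipto_targets` reports 34000, and an outbound packet from 172.20.0.5 ends at the default rule rather than at a `divert natd`; adding the two outbound rules makes the same packet come back from the toy natd with the machine's address as source and match the allow that follows. The inbound cases (a translated reply landing on rule 30110, SSH from the admin address on 30200, a stray UDP packet on the deny at 33000) show why the post relies on the divert sitting before the per-network allow rules.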