I disagree with you that the /etc/rc.firewall is the best example. It's really a good example of stateless rules, and how to use scripting symbolic substitution.

I have a working keep-state rule set using user-ppp -nat, but as soon as I add that darn legacy divert rule and drop user-ppp -nat it will not work. The dynamic stateful rules table always ends up with a mismatch between public and private IP address. Moving the divert rule around only changes which IP address gets posted to the stateful table (i.e. the private or public one). Test results look like that legacy divert subroutine call to NATD is the problem. I see the same mismatched IP address problem when stateless rules are used, but since there is no stateful table involved it just slips by unnoticed. I was hoping that the ipfw2 rewrite would have fixed this problem.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Thomas T. Veldhouse
Sent: Monday, January 19, 2004 1:41 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED] ORG
Subject: Re: ipfw/nated stateful rules example

fbsd_user wrote:
> Friends
> In both 4.9 and 5.2 I can not get a rule set to function that only
> uses keep-state rules for outbound and inbound selection control
> and the divert rule.
>
> Does anybody have a rule set they can share with me as a sample
> for me to see.
>
> Thanks

The best sample is /etc/rc.firewall [and look in /usr/share/examples/ipfw for a potentially useful script to use while testing]. I have moved over to IPFILTER due to the fact that natd is userland based and is more problematic [than ipnat] because of it.

Tom Veldhouse

_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
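As an added example, not code from either poster, one rule ordering that keeps the dynamic table consistent with a natd divert rule: inbound traffic is diverted (un-NATed) before check-state, so state is only ever keyed on the private address, and the outbound keep-state rules use skipto to reach the outbound divert after the stateful check. It assumes user-ppp's tun0 as the public interface and natd listening on the "natd" divert port; by default the script prints the rules rather than loading them.

```shell
#!/bin/sh
# Added example: ipfw keep-state rules combined with a natd divert rule.
# The ordering is the point: inbound packets are diverted (un-NATed) before
# check-state, so the dynamic table only records private addresses; outbound
# packets create state whose parent action is "skipto 800", so the reply
# packets that match check-state also land in the NAT block.
# Assumptions: public interface tun0 (user-ppp), natd on divert port "natd".
# Set IPFW_ADD="ipfw -q add" to load the rules; the default only prints them.
pif="tun0"
cmd="${IPFW_ADD:-echo ipfw -q add}"

load_rules() {
    $cmd 00100 allow ip from any to any via lo0
    # Inbound: undo NAT first, so every later check sees private addresses.
    $cmd 00110 divert natd ip from any to any in via $pif
    # Packets of a recorded session follow the action of their parent rule.
    $cmd 00300 check-state
    # New outbound sessions: record state, then jump to the NAT block.
    $cmd 00400 skipto 800 tcp from any to any out via $pif setup keep-state
    $cmd 00410 skipto 800 udp from any to any out via $pif keep-state
    $cmd 00420 skipto 800 icmp from any to any out via $pif keep-state
    # Inbound traffic without a matching session is dropped and logged.
    $cmd 00500 deny log ip from any to any in via $pif
    $cmd 00510 deny log ip from any to any
    # NAT block: translate outbound packets, then pass them and their replies.
    $cmd 00800 divert natd ip from any to any out via $pif
    $cmd 00801 allow ip from any to any
    $cmd 00999 deny log ip from any to any
}

# Prints the rule numbers of the inbound divert, check-state and first
# keep-state rule from a dry run, so the ordering can be verified.
rule_order() {
    ( cmd="echo ipfw -q add"; load_rules ) | awk '
        /divert natd .* in via/ && !d { print "divert-in=" $4; d = 1 }
        /check-state/           && !c { print "check-state=" $4; c = 1 }
        /keep-state/            && !k { print "keep-state=" $4; k = 1 }'
}

load_rules
```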