01-23-2009, 07:27 AM

I have 2 computers (let's call them host and guest) and I'm trying to use ipfw and natd to allow guest to see all the net and host to only be able to ssh out.

I tried the following:

g0 = 'guest interface'
h0 = 'host interface connected to ISP'

00300 check-state
00400 skipto 1000 ip from any to any via g0 keep-state
00600 allow ip from any to any dst-port 22 via h0 keep-state
00700 deny ip from any to any via h0
01000 divert 8668 ip from any to any via h0
65535 allow ip from any to any

Unfortunately it seems that after getting NAT'd the packets originally from g0 no longer maintain state and get caught in 700. Anyone have any ideas if this can be done and how?

01-23-2009, 10:35 AM
It seems to me also that the natd man page is not saying what I think natd is doing. I quote:

"After translation by natd, packets re-enter the firewall at the rule number following the rule number that caused the diversion (not the next rule if there are several at the same number)." Am I doing something wrong ...
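An added example, not from the thread: in the posted ruleset, replies arriving on h0 still carry the host's public address as destination, so they match neither the guest's dynamic rule at check-state nor rule 600, and rule 700 denies them before the divert at 1000 can translate them back. The ruleset below uses the ordering from the FreeBSD handbook: inbound packets on the ISP side are diverted to natd before check-state, and the outbound divert is reached via skipto. Interface names em0/em1 and natd listening on its default port 8668 for h0 (natd -n em0) are assumptions.

```sh
#!/bin/sh
# Stateful ipfw + natd ruleset (added example, not from the thread).
# Interface names are assumptions; override them in the environment.
g0=${g0:-em1}      # guest-facing interface (assumed name)
h0=${h0:-em0}      # interface connected to the ISP (assumed name)
IPFW=${IPFW:-ipfw} # set IPFW=echo to print the rules instead of loading them

rule() { $IPFW -q add "$@"; }

load_rules() {
    $IPFW -q -f flush
    # 1. Un-NAT inbound packets before check-state so the guest's private
    #    address is the destination again; packets natd has no entry for are
    #    passed through unchanged and re-enter at the next rule.
    rule 00100 divert 8668 ip from any to any in via "$h0"
    rule 00300 check-state
    # 2. Guest may reach anything: record state, then jump to the outbound NAT
    #    rule. A check-state match later replays this skipto for the replies.
    rule 00400 skipto 1000 ip from any to any via "$g0" keep-state
    # 3. The host itself may only open ssh sessions outward.
    rule 00600 allow tcp from me to any dst-port 22 out via "$h0" setup keep-state
    # 4. Anything else on the ISP side that reached this point is dropped.
    rule 00700 deny ip from any to any via "$h0"
    # 5. Outbound NAT for the guest's traffic; natd re-injects at 1001.
    rule 01000 divert 8668 ip from any to any out via "$h0"
    rule 01001 allow ip from any to any
}

# "sh ipfw.rules load" installs the rules; with no argument nothing is changed.
case "${1:-}" in
    load) load_rules ;;
esac
```

Run with `IPFW=echo sh ipfw.rules load` first to review the exact commands that will be issued.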