Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!cpk-news-hub1.bbnplanet.com!news.bbnplanet.com!rill.news.pipex.net!pipex!tank.news.pipex.net!pipex!news.utell.co.uk!usenet
From: brian@shift.utell.net (Brian Somers)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: IPFW, NAT and IP Masquerading
Date: 9 Apr 1997 11:06:37 GMT
Organization: Awfulhak Ltd.
Lines: 29
Message-ID: <5ift7t$a5t@ui-gate.utell.co.uk>
References: <01bc4435$e938cae0$0c428c8c@zloty.brooks.af.mil> <334a81ef.604167869@news.us.world.net> <5iem8h$3lp$1@phoenix.kfu.com>
Reply-To: brian@awfulhak.org, brian@utell.co.uk
NNTP-Posting-Host: shift.utell.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Newsreader: knews 0.9.8
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.freebsd.misc:38788

In article <5iem8h$3lp$1@phoenix.kfu.com>, nsayer@quack.kfu.com (Nick Sayer) writes:
> michaele@mxim.com-ANTISPAM- (Michael Enkelis) writes:
>
>>What I now need to ask is if NATD can co-exist with IPFW running
>>real firewall rules, not a "pass all" mode as programmed by NATD?
>
> Sure. Put the natd rules last. You want to do all of the pass/reject
> decisions before you do the address translation.
>
> Note that once a packet matches a divert rule, it will not be
> sent to any subsequent rules. That's another reason to put
> those rules last.

The firewall rules are applied to a packet, and when a divert matches, the packet is diverted. When natd then re-injects the packet, it's again subjected to the firewalling rules, but this time all divert lines are ignored. You get to firewall the un-masqueraded and the masqueraded packets.

If you want to work with the masqueraded packets only, put the divert lines at the start.

There's currently no way to avoid firewalling the masqueraded packets.

--
Brian <brian@awfulhak.org> <brian@freebsd.org> <http://www.awfulhak.demon.co.uk>
Don't _EVER_ lose your sense of humour !
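The two-pass behaviour Brian describes (first pass with the divert rule live, natd rewrites the source, second pass with divert rules ignored) is easy to get wrong when writing a rule set, because a deny written in terms of internal addresses only matches on the pass where the packet still carries those addresses. The following is an added toy model of that ordering, not code from the post nor from FreeBSD's ipfw or natd; the addresses, rule numbers, the "first matching allow/deny is final" rule semantics and both sample rule sets are constructed for the demonstration.

```python
"""Toy model of the ipfw/natd rule ordering described in the post.

Added illustration, not FreeBSD code. Modelled behaviour (an assumption about
ipfw, matching the post): a packet walks the rule list in order; the first
matching allow/deny decides; a matching divert hands the packet to natd, which
rewrites the source address and re-injects it, after which the whole list is
walked again with every divert rule ignored.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PRIVATE_NET = "192.168.1."   # constructed: the masqueraded LAN
PUBLIC_ADDR = "10.0.0.1"     # constructed: the external (aliased) address


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "allow", "deny" or "divert"
    src_prefix: str = ""            # match if packet.src starts with this ("" = any)
    dport: Optional[int] = None     # match this destination port (None = any)

    def matches(self, pkt: Packet) -> bool:
        return pkt.src.startswith(self.src_prefix) and (
            self.dport is None or self.dport == pkt.dport)


def natd(pkt: Packet) -> Packet:
    """Stand-in for natd: rewrite a private source to the public address."""
    if pkt.src.startswith(PRIVATE_NET):
        return replace(pkt, src=PUBLIC_ADDR)
    return pkt


def walk(rules: List[Rule], pkt: Packet, diverts_active: bool) -> Tuple[str, List[int]]:
    """One pass through the rule list; returns (verdict, numbers of rules that matched)."""
    hits: List[int] = []
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.action == "divert" and not diverts_active:
            continue                       # divert lines are ignored on the re-injection pass
        if rule.matches(pkt):
            hits.append(rule.number)
            return rule.action, hits
    return "deny", hits                    # implicit default deny at the end of the list


def firewall(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int], Packet]:
    """Full path of one outbound packet: first pass, natd if diverted, second pass."""
    verdict, hits = walk(rules, pkt, diverts_active=True)
    if verdict != "divert":
        return verdict, hits, pkt          # decided before translation; natd never saw it
    masq = natd(pkt)
    verdict2, hits2 = walk(rules, masq, diverts_active=False)
    return verdict2, hits + hits2, masq


# Constructed rule set 1: deny decisions first, then the divert (Nick's advice).
DIVERT_LAST = [
    Rule(100, "deny", src_prefix=PRIVATE_NET, dport=25),  # no direct SMTP out of the LAN
    Rule(200, "divert"),                                   # hand everything else to natd
    Rule(300, "allow"),                                    # pass what comes back masqueraded
]

# Constructed rule set 2: divert first, so only masqueraded packets are inspected.
DIVERT_FIRST = [
    Rule(100, "divert"),
    Rule(200, "deny", src_prefix=PRIVATE_NET, dport=25),  # never fires: src already rewritten
    Rule(300, "allow"),
]


if __name__ == "__main__":
    smtp = Packet("192.168.1.5", "203.0.113.7", 25)       # constructed LAN host sending SMTP
    web = Packet("192.168.1.5", "203.0.113.7", 80)
    for name, rules in (("divert last", DIVERT_LAST), ("divert first", DIVERT_FIRST)):
        for pkt in (smtp, web):
            verdict, hits, final = firewall(rules, pkt)
            print(f"{name:12} dport {pkt.dport}: {verdict:5} via rules {hits}, src {final.src}")
```

With the divert placed after the deny rule, a LAN host's port-25 packet is refused at rule 100 before natd ever sees it, while a port-80 packet is checked un-masqueraded (rule 100), diverted (rule 200), and then checked again masqueraded (rule 300). With the divert placed first, the same port-25 packet comes back from natd with the public source address, rule 200 no longer matches, and it is allowed: exactly the "masqueraded packets only" case in the post. The practical check is to ask, for each rule, which of the two passes it is meant to match on and whether the addresses it names exist at that point.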