Date: Wed, 23 Oct 2002 20:16:51 -0400 (EDT)
From: Andriy Gapon
Subject: Re: Natd plus statefull connections impossible? (revisited)
To: freebsd-ipfw@freebsd.org
Message-id: <20021023200139.R79979-100000@edge.foundation.invalid>

Revisiting this issue, here are 2 ideas that I have encountered:

1. Since NAT is a stateful process in itself, you usually don't want to have stateful rules for packets that were successfully translated and are destined to your private network. It is quite easy to construct rules that divert the proper packets to natd and allow the 'natd recognized' packets immediately after the divert rule(s). You can put other rules (e.g. stateful rules for the gateway itself) after you are done with the translated packets. This has the added benefit, in the case you use natd redirect_*, that you won't need a special matching ipfw rule for each redirect_* option.

2. Or, you can use this quite elegant ruleset utilizing a skipto rule: http://www.unixfaq.ru/index.pl?req=qs&id=286 The page is in Russian, but the rules are in ipfw-ish :-) and each has a comment in English.

Decide for yourself: do you trust natd and could use a tiny performance benefit, or do you want to be as secure as possible, double-checking natd with ipfw?

-- 
Andriy Gapon
* "Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love"
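The first idea above, written out as a complete ruleset: natd is trusted, so packets it has already rewritten are accepted right after the divert rules, and the gateway's own stateful rules come only after that. This is an added example, not the ruleset from the mail or the linked page; the interface names and addresses (xl0, xl1, 192.0.2.10, 192.168.1.0/24) are placeholders.

```shell
#!/bin/sh
# Assumed placeholders: adjust to the real gateway before applying.
ext_if="xl0"               # external (Internet-facing) interface
int_if="xl1"               # LAN interface
ext_ip="192.0.2.10"        # public address natd translates to
priv_net="192.168.1.0/24"  # private network behind the gateway

# Print the ruleset, one "<number> <rule body>" per line, in evaluation order.
gen_rules() {
    echo "100 allow ip from any to any via lo0"
    echo "200 deny ip from any to 127.0.0.0/8"
    # Inbound on the outside: hand the packet to natd first.
    echo "300 divert natd ip from any to $ext_ip in via $ext_if"
    # If natd rewrote the destination into the private net it knew the
    # mapping, so accept immediately; natd's own table is the state here.
    # This also covers every redirect_* target without a per-port rule.
    echo "400 allow ip from any to $priv_net in via $ext_if"
    # Only now handle the gateway's own connections statefully.  Untranslated
    # inbound packets (still addressed to ext_ip) fall through to here.
    echo "500 check-state"
    echo "600 allow ip from $ext_ip to any out via $ext_if keep-state"
    # Outbound LAN traffic: translate, then accept what natd produced.
    # The packet re-enters after rule 700 with its source rewritten to ext_ip.
    echo "700 divert natd ip from $priv_net to any out via $ext_if"
    echo "800 allow ip from $ext_ip to any out via $ext_if"
    # Traffic between the LAN and the gateway's inside interface.
    echo "900 allow ip from $priv_net to any in via $int_if"
    echo "910 allow ip from any to $priv_net out via $int_if"
    echo "65000 deny log ip from any to any"
}

# Rule number of the first rule whose body matches an awk regex.
rule_number() {
    gen_rules | awk -v pat="$1" '$0 ~ pat { print $1; exit }'
}

# Load the ruleset; only runs when the script is invoked as "apply".
apply_rules() {
    ipfw -q -f flush
    gen_rules | while read -r num body; do
        ipfw -q add "$num" $body
    done
}

if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```

Run it as `sh natd-rules.sh apply` on the gateway; without the argument it only generates the rules, which is useful for reviewing the order before loading.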