From owner-freebsd-security Tue Jul 10 19:36:50 2001
Delivered-To: freebsd-security@freebsd.org
Date: Tue, 10 Jul 2001 19:36:45 -0700
From: "Jon O ."
To: Francisco Reyes
Cc: FreeBSD Security List
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top
Message-ID: <20010710193644.A9624@networkcommand.com>
Reply-To: "jono@networkcommand.com"
References: <20010710211158.Q12950-100000@x1-6-00-50-ba-de-36-33.kico1.on.home.com> <20010710222632.H511-100000@zoraida.natserv.net>
In-Reply-To: <20010710222632.H511-100000@zoraida.natserv.net>; from lists@natserv.com on Tue, Jul 10, 2001 at 10:30:07PM -0400

Francisco:

The divert rule should be placed in your ruleset as needed and can't be defined as "always on top."

For example, I connect to a Firewall-1/VPN-1 server using my FreeBSD gateway. In this case I don't want the divert rule applied to packets going to VPN machines, because I want to come from the real inside network address, not a NAT'ed hide address.

So, it can cause problems because you are allowing the packet through the firewall but then don't notice what the divert rule is doing to it -- I've done it and I'm sure many other people have also. Once you figure it out, you'll always remember to look at the divert rule too.
Even this probably isn't the best way to do things and I should be using some other design...;)

Thanks,
Jon

On 10-Jul-2001, Francisco Reyes wrote:
> After a week of going crazy I found why I could not ping/nslookup from
> internal machines. It had to do with the placement of the natd/divert
> rule.
>
> Isn't this rule supposed to be all the way on the top of the ruleset?
> I started my firewall on this machine from a template rc.firewall and it
> had the natd almost in the middle of the ruleset. After I moved it to the
> top, all now works as expected.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
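The placement question in this exchange, as an added example that is neither Jon's ruleset nor FreeBSD's rc.firewall template: an ipfw ruleset for a natd gateway laid out around the divert rule. Three things about the layout are the point. Traffic to and from the VPN peer's networks is passed before the divert rule, so it keeps its real inside source address (Jon's Firewall-1/VPN-1 case). Everything else that crosses the outside interface hits the divert rule before any rule that allows it, so nothing inside the firewall sees an untranslated packet on the outside interface (Francisco's ping/nslookup symptom). And every rule after the divert matches on what natd hands back, not on the inside network: the public address outbound, the inside host's address inbound. The interface names, addresses and the VPN peer's network are assumptions chosen for illustration; the VPN peer is assumed to route the inside network.

```sh
#!/bin/sh
# Added example, not the poster's ruleset and not FreeBSD's rc.firewall.
# An ipfw ruleset for a natd gateway, laid out around the divert rule:
# rules that must see the real inside address go before it, rules that
# check the outside interface's addresses go after it.
# Interfaces, addresses and the VPN peer's network are assumptions.

fwcmd="/sbin/ipfw"      # same variable name rc.firewall uses
oif="fxp0"              # outside interface (assumed)
oip="203.0.113.10"      # gateway's public address (assumed)
iif="fxp1"              # inside interface (assumed)
inet="192.168.1.0/24"   # inside network (assumed)
vpn_net="10.9.0.0/16"   # network behind the Firewall-1/VPN-1 peer (assumed)

# Print the rules in load order, one "add" per line, so the placement of
# the divert rule can be read (and checked) before anything is loaded.
# Every forwarded packet passes the ruleset twice: once arriving on one
# interface ("in via"), once leaving on the other ("out via").
emit_rules() {
    grep -v '^#' <<EOF
# loopback sanity, then anti-spoofing: our own inside addresses never
# arrive from the outside (the real address is still visible here)
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 200 deny ip from ${inet} to any in via ${oif}
# the inside interface is trusted; nothing on it is translated
add 300 allow ip from any to any via ${iif}
# traffic to and from the VPN peer's networks must keep the real inside
# address, so it is passed BEFORE the divert rule and never reaches natd
add 400 allow ip from ${inet} to ${vpn_net} via ${oif}
add 410 allow ip from ${vpn_net} to ${inet} via ${oif}
# everything else on the outside interface goes to natd; a packet that
# natd hands back re-enters the ruleset at the next rule, outbound with
# source ${oip}, inbound with its destination already rewritten to the
# inside host
add 500 divert natd ip from any to any via ${oif}
# from here on match on what natd produced, not on ${inet}
add 600 allow tcp from any to any established
add 610 allow ip from any to any frag
add 620 allow tcp from ${oip} to any setup out via ${oif}
add 630 deny log tcp from any to any in via ${oif} setup
add 700 allow udp from ${oip} to any 53 out via ${oif}
add 710 allow udp from any 53 to ${inet} in via ${oif}
add 711 allow udp from any 53 to ${oip} in via ${oif}
add 800 allow icmp from ${oip} to any out via ${oif} icmptypes 8
add 810 allow icmp from any to ${inet} in via ${oif} icmptypes 0,3,11
add 811 allow icmp from any to ${oip} in via ${oif} icmptypes 0,3,11
add 65000 deny log ip from any to any
EOF
}

# Rule number of the first rule whose text matches a grep pattern.
rule_number() {
    emit_rules | grep -e "$1" | head -n 1 | awk '{ print $2 }'
}

# Placement check to run before loading: the VPN bypass must sit above
# the divert rule, and every rule that matches on the public address
# must sit below it.  Returns 0 when the layout is as intended.
check_order() {
    d=$(rule_number 'divert')
    [ "$(rule_number "to ${vpn_net}")" -lt "$d" ] || return 1
    for n in $(emit_rules | grep -e "${oip}" | awk '{ print $2 }'); do
        [ "$n" -gt "$d" ] || return 1
    done
}

# Load into the kernel (root on the FreeBSD gateway): flush, then add in
# order.  The rule text is word-split on purpose, as ipfw expects.
load_rules() {
    check_order || { echo "rule order is wrong, not loading" >&2; return 1; }
    ${fwcmd} -f flush
    emit_rules | while read -r rule; do ${fwcmd} ${rule}; done
}
```

Run `emit_rules` to review the order on any machine; `load_rules` only does anything useful as root on the gateway. The two inbound rules per service (710/711, 810/811) are there because natd only rewrites the destination of packets it has a mapping for: replies to inside hosts come back out of the divert with the inside address, replies to the gateway's own queries still carry the public address, and a rule written against just one of them silently drops the other.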