From: Mikhail Teterin
Message-Id: <200302040540.h145evwa062764@corbulon.video-collage.com>
Subject: Re: Does natd(8) really need to see _all_ packets?
In-Reply-To: <002801c2cc0e$dba94ff0$83ee35ca@Beastie>
To: Barry Irwin
Date: Tue, 4 Feb 2003 00:40:56 -0500 (EST)
Cc: net@FreeBSD.org

> your best solution is to add a skipto before the divert rule.

Thank you, Barry, but is not that what I'm doing in the sample?

> You can therefore skip any traffic from a private address to another
> private address. Anything not matched by the skipto rule gets fed to
> the divert socket.

The trick was to figure out what could be skipped, and what could not.
I'm wondering if I got that right -- it seems to work fine, but does it
leave something open? Before I can recommend it to others, I'd like to
be more sure :-)

	-mi

> ----- Original Message -----
> From: "Mikhail Teterin"
> To:
> Sent: Tuesday, February 04, 2003 7:27 AM
> Subject: Does natd(8) really need to see _all_ packets?
>
>
> > Hi!
> >
> > This question bothered me for a while -- most of the traffic on my
> > LAN is just that -- local. Yet my gw/firewall machine only has one
> > interface -- with two IP addresses -- private and public on it.
> >
> > The DSL modem is plugged into the switch just like everything else.
> >
> > I doubt this is a unique setup.