Date:      Tue, 10 Jul 2001 23:05:15 -0700
From:      "Jon O ." <jono@microshaft.org>
To:        Francisco Reyes <lists@natserv.com>
Cc:        "Jon O ." <jono@microshaft.org>, FreeBSD Security List <freebsd-security@FreeBSD.ORG>
Subject:   Re: Fixed Cant ping/nslookup. Natd rule not on top
Message-ID:  <20010710230515.B9747@networkcommand.com>
In-Reply-To: <20010711013121.L1479-100000@zoraida.natserv.net>; from lists@natserv.com on Wed, Jul 11, 2001 at 01:37:35AM -0400
References:  <20010710193644.A9624@networkcommand.com> <20010711013121.L1479-100000@zoraida.natserv.net>

On 11-Jul-2001, Francisco Reyes wrote:
> On Tue, 10 Jul 2001, Jon O . wrote:
> > Francisco:
> >
> > The divert rule should be placed in your ruleset as needed and can't be defined as "always on top."
> >
> Any recommendations where I could read more on NAT?
> The natd man page is a good start, but I was thinking more along the
> lines of a tutorial or examples.

Not that I can think of off the top of my head. You can always do like I do and run it -v so you see every packet. Might not be feasible on a high-traffic link.


> 
> Does NATD let the packets continue through IPFW after it changes the
> source address?

You can do this type of thing with dummynet(4) packets, but I don't think the same applies to ipfw allow/deny rules.

  net.inet.ip.fw.one_pass: 1
             When set, the packet exiting from the dummynet(4) pipe is not
             passed through the firewall again.  Otherwise, after a pipe
             action, the packet is reinjected into the firewall at the next
             rule.

However, this might really be the best way to do things. I use ACLs on Cisco routers quite a bit and also Firewall-1. Neither of these allows a packet to match a NAT rule and then a firewall rule by dropping the packet back through the rules. With dummynet it's because you want to still firewall the rate-limited packets.

Like I said, someone else might provide another suggestion that is more like what you are suggesting, but for me I just want the packet to match once; otherwise I'd get really confused (more than normal).


Thanks,
Jon 
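The rule ordering this thread is about, as an added example that is not part of the original message, of FreeBSD's rc.firewall, or of anything Jon or Francisco posted: an ipfw(8)/natd(8) ruleset with the divert rule placed ahead of the allow rules on the external interface, plus a small audit for the "natd rule not on top" mistake in the subject line. The interface names (fxp0, xl0), the private network 192.168.1.0/24, the rule numbers and the dry-run `IPFW="echo ipfw"` default are assumptions for illustration; on a real host it assumes a kernel with IPDIVERT and `natd -n fxp0` already running.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD itself: an
# ipfw/natd ruleset ordered so the divert rule precedes the allow rules on
# the external interface, and an audit that catches the opposite layout.
# Interface names, addresses and rule numbers are assumptions.

EXT_IF=${EXT_IF:-fxp0}               # assumed external interface natd is run on (natd -n fxp0)
INT_IF=${INT_IF:-xl0}                # assumed LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed private network behind natd
# Dry run by default: rules are echoed rather than loaded.  On a FreeBSD
# host run with IPFW=/sbin/ipfw to load them for real.
IPFW=${IPFW:-"echo ipfw"}

load_ruleset() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    $IPFW add 110 deny ip from any to 127.0.0.0/8
    $IPFW add 150 allow ip from any to any via $INT_IF
    # A packet arriving from outside with a source in our private range is
    # spoofed.  Dropping it above the divert rule is fine: natd only
    # rewrites the destination of inbound packets, never the source.
    $IPFW add 200 deny ip from $LAN_NET to any in via $EXT_IF
    # The divert rule.  Every packet crossing $EXT_IF is handed to natd
    # here; natd reinjects it and ipfw resumes at the NEXT rule, so every
    # rule below sees translated addresses.  An allow matching $EXT_IF
    # traffic placed above this line would pass packets untranslated,
    # which is the "natd rule not on top" failure in the subject line.
    $IPFW add 300 divert natd ip from any to any via $EXT_IF
    # Outbound: the source is now $EXT_IF's public address, not $LAN_NET.
    $IPFW add 400 allow ip from any to any out via $EXT_IF
    # Inbound: the destination has already been rewritten to the LAN host.
    $IPFW add 410 allow tcp from any to any established
    $IPFW add 420 allow udp from any 53 to any in via $EXT_IF    # DNS replies (nslookup); stateless and permissive
    $IPFW add 430 allow icmp from any to any in via $EXT_IF icmptypes 0,3,11   # ping replies, unreachables, TTL exceeded
    $IPFW add 65000 deny log ip from any to any
}

# Audit a ruleset read from stdin, given either as the dry-run
# "ipfw add ..." lines above or as `ipfw list` output, for interface $1.
# Returns 0 when a divert rule for $1 exists and no allow rule that could
# match traffic on $1 (one naming $1, or one with no interface clause at
# all) is numbered below it; returns 1 otherwise.
divert_before_allows() {
    sed -e 's/^ipfw add //' | awk -v ifc="$1" '
        $2 == "divert" && index($0, ifc) && !d { d = $1 + 0 }
        $2 == "allow" && !d && (index($0, ifc) || $0 !~ /(via|xmit|recv) /) { bad = 1 }
        END { exit (d && !bad) ? 0 : 1 }'
}

# Dry run: print the ruleset, then audit the same lines.
load_ruleset
if load_ruleset | divert_before_allows "$EXT_IF"; then
    echo "ok: the divert on $EXT_IF precedes every allow that could match it"
else
    echo "BAD: an allow rule shadows the natd divert on $EXT_IF" >&2
fi
```

Feeding `ipfw list` into `divert_before_allows fxp0` on the box is the quick check for the symptom in the subject line; the audit treats an early deny as harmless and only an allow ahead of the divert as a problem, which matches how natd reinjects packets at the next rule.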
