Date: Tue, 3 Jun 2003 10:36:20 -0400 (EDT)
From: Matthew George <mdg@secureworks.net>
To: Paulo Roberto <nirv199@yahoo.com>
Cc: freebsd-security@freebsd.org
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
Message-ID: <20030603103402.A40213@localhost>
In-Reply-To: <20030602232710.20360.qmail@web14908.mail.yahoo.com>
References: <20030602232710.20360.qmail@web14908.mail.yahoo.com>
On Mon, 2 Jun 2003, Paulo Roberto wrote:

> --- Fernando Gleiser <fgleiser@cactus.fi.uba.ar> wrote:
> > On Mon, 2 Jun 2003, Vlad GALU wrote:
> > Or, in other words, IPF always 'sees' the real IPs, not the NATed
> > ones.
>
> Is it also true for IPFW? Do the rules always apply to the real
> addresses instead of the NATed ones? So why must the "divert natd"
> rule be the first rule in ipfw? (In rc.firewall it is rule 00050.)
> Is the packet reinserted in the queue, or does it just wait for a "pass"
> rule so it can be put on rule #00050 and go on?
>
> TIA
>
> Paulo Roberto

It depends on where the divert rule is.  If it's the first rule, then yes.
You can do pre-nat filtering by placing rules before the divert if you want.
I typically do all my RFC1918 et al. filtering on my external interfaces
pre-nat.

--
Matthew George
SecureWorks Technical Operations
Archive URL for this message: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030603103402.A40213>