From owner-freebsd-questions Tue Aug 11 16:21:35 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA25958 for freebsd-questions-outgoing; Tue, 11 Aug 1998 16:21:35 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA25950 for ; Tue, 11 Aug 1998 16:21:31 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-32.ipnets.xtra.co.nz [210.55.210.32]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id LAA17116; Wed, 12 Aug 1998 11:21:02 +1200 (NZST)
Message-Id: <199808112321.LAA17116@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: Julian Elischer
Date: Wed, 12 Aug 1998 11:21:04 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: ipfw and natd
Reply-to: junkmale@xtra.co.nz
CC: FreeBSD Questions
References: <199808112247.KAA07516@cyclops.xtra.co.nz>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

OK. This may explain some problems I'm having. According to the ipfw man
pages, the rule:

divert natd ip from any to any via ed0

will divert packets that match this rule to the divert(4) socket bound to
port natd. The search then terminates. I don't understand what this means
and reading the divert man pages doesn't help me. Perhaps this is best
covered by another thread.

However, reading the divert man pages I find that "it is normally best to
specify your divert rules prior to any others". So I'll take that advice.

On 11 Aug 98, at 16:02, Julian Elischer wrote:

> the difference is what happens to packets after translation....
>
> under 2.2.5 they are restarted after translation at the beginning of the
> filter again, but skipping the translation the second time through.
>
> under 3.0 they re-enter the filter directly after the translation entry.
> (where they left off)
>
> if the translation entry is at the start, then the two cases are
> equivalent.. :-)
>
> (there is a kernel option in 2.2.7 to make it use the 3.0 semantics)
>
> julian
>
>
> On Wed, 12 Aug 1998, Dan Langille wrote:
>
> > Thanks for the reply.
> >
> > I take it that it does not make a difference under 2.2.5 or later? If
> > it does, what difference? What difference will it make under 3.0?
> >
> > On 11 Aug 98, at 15:38, Julian Elischer wrote:
> >
> > > it should be as early as possible..
> > > this will make a difference to the way it works in 3.0
> > >
> > > julian
> > >
> > >
> > > On Tue, 11 Aug 1998, Dan Langille wrote:
> > >
> > > > I'm using ipfw and natd. In order for natd to work, the following
> > > > rule must be present somewhere within the ipfw rules.
> > > >
> > > > divert natd ip from any to any via ed0
> > > >
> > > > (or whatever your external nic is if it's not ed0).
> > > >
> > > > Where should that rule be placed in relationship to other rules? At
> > > > the top, at the bottom?
> > > >
> > > > I used to have it as the last rule (before the deny all rule). But
> > > > an example I just found
> > > > (http://www.metronet.com/~pgilley/freebsd/ipfw/ben2.html) has this
> > > > rule at the top.
> > > >
> > > > I'm confused. I thought you'd want to disallow stuff before
> > > > allowing the natd stuff. Or am I mucked up?

--
Dan Langille
DVL Software Limited
http://www.dvl-software.com/freebsd : my [mis]adventures

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
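As an added illustration (not code from this thread, from natd or from FreeBSD), the following Python script models the two re-entry semantics Julian describes: under 2.2.5 a packet that hits the divert rule is translated and then restarted at the top of the filter, skipping the divert entry the second time through; under 3.0 it continues with the rule just after the divert entry. The rule set, the addresses and the `natd_translate` stand-in are constructed for the example; the point it shows is that with the divert rule placed last the two semantics can reach different verdicts for the same packet, while with the divert rule first they agree, and that every rule after the divert entry sees the translated (post-NAT) addresses, which is why an anti-spoofing deny written for pre-NAT addresses behaves differently depending on where the divert sits.

```python
"""Model of ipfw divert-rule placement under the 2.2.5 and 3.0 re-entry
semantics described in the thread.  Added illustration; the rules, addresses
and the natd stand-in below are constructed, not taken from FreeBSD."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

EXTERNAL_IP = ip_address("203.0.113.10")    # constructed public address on ed0
INTERNAL_HOST = ip_address("192.168.1.20")  # constructed LAN host behind natd


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str       # interface the packet crosses, e.g. "ed0"
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "divert", "allow" or "deny"
    src: str                         # CIDR or "any"
    dst: str                         # CIDR or "any"
    iface: Optional[str] = None      # "via ed0": match either direction on ed0
    direction: Optional[str] = None  # restrict to "in" or "out", None = both


def _net_match(spec, addr):
    return spec == "any" or addr in ip_network(spec)


def rule_matches(rule, pkt):
    return (_net_match(rule.src, pkt.src) and _net_match(rule.dst, pkt.dst)
            and (rule.iface is None or rule.iface == pkt.iface)
            and (rule.direction is None or rule.direction == pkt.direction))


def natd_translate(pkt):
    """Constructed stand-in for natd: inbound traffic to the external IP is
    rewritten to the LAN host; outbound LAN traffic gets the external IP."""
    if pkt.direction == "in" and pkt.dst == EXTERNAL_IP:
        return replace(pkt, dst=INTERNAL_HOST)
    if pkt.direction == "out" and pkt.src in ip_network("192.168.0.0/16"):
        return replace(pkt, src=EXTERNAL_IP)
    return pkt


def run_filter(rules, pkt, semantics):
    """Walk the rule list; return (verdict, names of matched rules, final packet).
    semantics is "2.2.5" (restart at the top after translation, skipping the
    divert rule) or "3.0" (continue with the rule after the divert entry)."""
    trace, i, diverted = [], 0, False
    while i < len(rules):
        rule = rules[i]
        if rule.action == "divert" and diverted:
            i += 1                      # second pass skips the divert entry
            continue
        if rule_matches(rule, pkt):
            trace.append(rule.name)
            if rule.action == "divert":
                pkt, diverted = natd_translate(pkt), True
                i = 0 if semantics == "2.2.5" else i + 1
                continue
            return rule.action, trace, pkt
        i += 1
    return "deny", trace, pkt           # nothing matched: default deny


# Constructed rules: an anti-spoofing deny for packets arriving on ed0 that are
# addressed to the private LAN, the natd divert, and a catch-all allow.
ANTI_SPOOF = Rule("anti-spoof", "deny", "any", "192.168.0.0/16",
                  iface="ed0", direction="in")
DIVERT_NATD = Rule("divert natd", "divert", "any", "any", iface="ed0")
ALLOW_ALL = Rule("allow all", "allow", "any", "any")

DIVERT_LATE = [ANTI_SPOOF, DIVERT_NATD, ALLOW_ALL]    # divert near the end
DIVERT_FIRST = [DIVERT_NATD, ANTI_SPOOF, ALLOW_ALL]   # divert as early as possible

# Constructed packets: one arriving from the Internet for the public address,
# one leaving the LAN host for an Internet address.
INBOUND = Packet(ip_address("198.51.100.5"), EXTERNAL_IP, "ed0", "in")
OUTBOUND = Packet(INTERNAL_HOST, ip_address("198.51.100.5"), "ed0", "out")


def verdicts(rules, pkt):
    """Verdict under each semantics for the same rule list and packet."""
    return {s: run_filter(rules, pkt, s)[0] for s in ("2.2.5", "3.0")}


if __name__ == "__main__":
    for name, rules in (("divert late", DIVERT_LATE), ("divert first", DIVERT_FIRST)):
        print(name, "inbound:", verdicts(rules, INBOUND),
              "outbound:", verdicts(rules, OUTBOUND))
```

With the divert rule late, the inbound packet is translated and then, under the 2.2.5 restart semantics, runs into the anti-spoof deny (its destination is now a private address), while under 3.0 it skips straight to the allow; with the divert rule first, both semantics hand the translated packet to the same anti-spoof rule and agree. In this constructed rule set that agreement is a deny, which is the practical caveat: rules placed after the divert entry must be written for post-translation addresses.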