Date:      Tue, 11 Aug 1998 18:41:03 -0700 (PDT)
From:      Julian Elischer <julian@whistle.com>
To:        Dan Langille <junkmale@xtra.co.nz>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ipfw and natd
Message-ID:  <Pine.BSF.3.95.980811183751.29333A-100000@current1.whistle.com>
In-Reply-To: <199808112321.LAA17116@cyclops.xtra.co.nz>



On Wed, 12 Aug 1998, Dan Langille wrote:

> OK.  This may explain some problems I'm having.  
> 
> According to the ipfw man pages, the rule:
> 
> divert    natd ip   from any              to any           via ed0
> 
> will divert packets that match this rule to the divert(4) socket bound to 
> port natd. The search then terminates.  I don't understand what this means 
> and reading the divert man pages doesn't help me.  Perhaps this is best 
> covered by another thread.

THIS pass terminates, but natd then re-injects the packet into the IP
stack after it's been translated, and the whole process starts from
scratch (in 2.2.5) or from its 'saved position' (in 3.0).
In 2.2.5 what it saved was the port that it was diverted to last time,
so it won't divert there again. Stops loops, but it doesn't work for
the case where there are 2 diversions. In 3.0 it saves the rule#
that caused the last diversion,
and restarts the search after translation at the next rule# after that
number.


> 
> However, reading the divert man pages I find that "it is normally best to 
> specify your divert rules prior to any others".  So I'll take that advice.
> 
> On 11 Aug 98, at 16:02, Julian Elischer wrote:
> 
> > the difference is what happens to packets after translation....
> > 
> > 
> > under 2.2.5 they are restarted after translation at the beginning of the
> > filter again, but skipping the translation the second time through.
> > 
> > under 3.0 they re-enter the filter directly after the translation entry.
> > (where they left off)
> > 
> > if the translation entry is at the start, then the two cases are
> > equivalent.. :-)
> > 
> > (there is a kernel option in 2.2.7 to make it use the 3.0 semantics)
> > 
> > julian
> > 
> > 
> > 
> > On Wed, 12 Aug 1998, Dan Langille wrote:
> > 
> > > Thanks for the reply.
> > > 
> > > I take it that it does not make a difference under 2.2.5 or later?  If
> > > it does, what difference?  What difference will it make under 3.0?
> > > 
> > > On 11 Aug 98, at 15:38, Julian Elischer wrote:
> > > 
> > > > it should be as early as possible..
> > > > this will make a difference to the way it works in 3.0
> > > > 
> > > > julian
> > > > 
> > > > 
> > > > On Tue, 11 Aug 1998, Dan Langille wrote:
> > > > 
> > > > > I'm using ipfw and natd.  In order for natd to work, the following
> > > > > rule must be present somewhere within the ipfw rules.
> > > > > 
> > > > > divert    natd ip   from any              to any           via ed0
> > > > > 
> > > > > (or whatever your external nic is if it's not ed0).
> > > > > 
> > > > > Where should that rule be placed in relationship to other rules?  At
> > > > > the top, at the bottom?
> > > > > 
> > > > > I used to have it as the last rule (before the deny all rule).  But
> > > > > an example I just found
> > > > > (http://www.metronet.com/~pgilley/freebsd/ipfw/ben2.html) has this
> > > > > rule at the top.
> > > > > 
> > > > > I'm confused.  I thought you'd want to disallow stuff before
> > > > > allowing the natd stuff.  Or am I mucked up?
> 
> 
> --
> Dan Langille
> DVL Software Limited
> http://www.dvl-software.com/freebsd : my [mis]adventures
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
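The two re-injection behaviours Julian describes, as an added simulation that is not code from this thread or from FreeBSD: a toy walk over a sorted ipfw ruleset in which a divert rule hands the packet to a toy natd that rewrites the source address, then either restarts from the top while skipping the divert already used (2.2.5) or resumes at the next rule number (3.0). The rule numbers, addresses and the two rulesets are constructed; it shows why an "allow from my external address" rule placed above a late divert rule passes traffic under one semantics and denies it under the other.

```python
from dataclasses import dataclass

EXTERNAL_IP = "203.0.113.1"   # constructed: the public address natd translates to


@dataclass
class Rule:
    num: int
    action: str            # "allow", "deny" or "divert"
    src: str = "any"       # exact address or "any"
    dst: str = "any"


def matches(rule, pkt):
    return rule.src in ("any", pkt["src"]) and rule.dst in ("any", pkt["dst"])


def natd(pkt):
    """Toy outbound masquerade: rewrite the private source to the external address."""
    return {**pkt, "src": EXTERNAL_IP}


def walk(rules, pkt, semantics):
    """Return (verdict, trace) for one packet; trace lists matched rule numbers.
    Assumes a single divert rule. '2.2.5' restarts at the top after translation
    but skips the divert used last time; '3.0' resumes after the divert rule."""
    rules = sorted(rules, key=lambda r: r.num)
    i, used_divert, trace = 0, None, []
    while i < len(rules):
        r = rules[i]
        i += 1
        if r.num == used_divert or not matches(r, pkt):
            continue
        trace.append(r.num)
        if r.action != "divert":
            return r.action, trace
        pkt = natd(pkt)            # natd translates and re-injects the packet
        used_divert = r.num
        if semantics == "2.2.5":
            i = 0                  # search starts from scratch, divert skipped
        # '3.0': i already points at the next rule number after the divert
    return "deny", trace           # implicit default deny at the end of the list


# constructed rulesets: divert first, versus an allow for the external address first
TOP = [Rule(100, "divert"), Rule(200, "allow", src=EXTERNAL_IP), Rule(300, "deny")]
BOTTOM = [Rule(100, "allow", src=EXTERNAL_IP), Rule(200, "divert"), Rule(300, "deny")]
PKT = {"src": "10.0.0.5", "dst": "198.51.100.7"}   # constructed outbound packet
```

With the divert first both versions allow the packet; with the divert after the allow, 2.2.5 allows it via rule 100 on the second pass while 3.0 falls through to the deny at 300.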


