From owner-freebsd-questions  Fri Jan  3 16:14: 9 2003
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id B62B437B401
	for <freebsd-questions@freebsd.org>; Fri,  3 Jan 2003 16:14:08 -0800 (PST)
Received: from guava.silverwraith.com (66-214-182-79.la-cbi.charterpipeline.net [66.214.182.79])
	by mx1.FreeBSD.org (Postfix) with SMTP id F074B43EE6
	for <freebsd-questions@freebsd.org>; Fri,  3 Jan 2003 16:14:02 -0800 (PST)
	(envelope-from lists-freebsd@silverwraith.com)
Received: (qmail 63471 invoked by uid 1001); 4 Jan 2003 00:13:52 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 4 Jan 2003 00:13:52 -0000
Date: Fri, 3 Jan 2003 16:13:52 -0800 (PST)
From: Avleen Vig <lists-freebsd@silverwraith.com>
To: randall ehren <randall@ucsb.edu>
Cc: Avleen Vig <lists-freebsd@silverwraith.com>,
	"freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: incoming bandwidth limiting using ipfilter
In-Reply-To: <Pine.BSF.4.33.0301031533560.78558-100000@isber.ucsb.edu>
Message-ID: <20030103161007.F17456@guava.silverwraith.com>
References: <Pine.BSF.4.33.0301031533560.78558-100000@isber.ucsb.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Fri, 3 Jan 2003, randall ehren wrote:

> not to stray too far, but if IPFW is set to allow all incoming packets and is
> only used for shaping, and you have ipfilter handling nat, then it seems it
> would just be:
>  network card --> IPFW (traffic shape) --> IPF (filter+nat) --> userland
>  i guess an internally NAT address would go back out as:
>   IPF --> IPFW --> network card

We actually found it goes:

Internal Net -> NIC -> IPF+NAT -> IPFW -> World
World -> IPF+NAT -> IPFW -> NIC -> Internal net

After seeing this, I didn't even bother to see what the interal side of
the router processed as. I'm sure it would have given me a headache trying
to set up the runs.

Suffice to say, IPF+NAT always sees the packets first (at least on the
outer side of the router)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message