Date: Mon, 14 Jan 2002 09:40:23 +0100
From: Andreas Klemm <andreas@FreeBSD.ORG>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FIREWALL_FORWARD vs. using /sbin/natd ?
Message-ID: <20020114084023.GB1929@titan.klemm.gtn.com>
In-Reply-To: <20020113232541.E24290@blossom.cjclark.org>
References: <20020113105636.GA88221@titan.klemm.gtn.com> <20020113232541.E24290@blossom.cjclark.org>
On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > I found a document describing a firewall design only using natd
> > for redirects to internal network resources. (Hi Marshall, therefore
> > Cc: to you, since it's yours and I have a question).
> >
> > http://www.rootprompt.net/freebsd_firewall.html
> >
> > Based on this information I think I could get rid of natd entirely.
>
> Why do you say that? His example uses natd(8).

He uses it only on the internal network card to redirect
two applications to inside machines. Look in the config!

> > See my previous mail, my problem was that I can't get it to run
> > for a typical 2 NIC configuration with internal network, DMZ and
> > a router in front of a 512k leased line.
>
> You didn't include your firewall rules.

I only sent it privately. They are, as I told, the templates from "simple",
I only added ssh ... but this doesn't break the logic.

> > Or is this my NAT problem, that additionally I have to use the kernel
> > option FIREWALL_FORWARD,
>
> You don't need it.

o.k.

> > to get NAT for internal users running,
> > 'though all other documents state out, that only IPFIREWALL and
> > IPDIVERT are needed ???
>
> But it shouldn't cause problems.
>
> > Therefore the question, is using FIREWALL_FORWARD a good
> > replacement for /sbin/natd if you want to give users of
> > the internal network access to the outside world ?
>
> FIREWALL_FORWARD has nothing to do with NAT.
>
> > Are there some things to take care of, when using FIREWALL_FORWARD ?
>
> Yes, but nothing to do with NAT.

BUT WHAT does FIREWALL_FORWARD actually do????
What happens if I define it in the kernel and stop NAT?
Can internal machines communicate to the outside then?
What can outside machines do then?
Does it produce a hole in the firewall? Or is it something like stateful NAT?

Andreas ///

--
Andreas Klemm - Powered by FreeBSD
Need a magic printfilter today ? http://www.apsfilter.org/
Songs from our band >> 64Bits << http://www.64bits.de
Unofficial band pages with add-on stuff http://www.apsfilter.org/64bits.html
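Added example, not taken from this thread or from the rootprompt.net page: a minimal rc.firewall-style script contrasting the natd(8) divert rule that does the actual NAT (needing only IPFIREWALL and IPDIVERT) with an IPFIREWALL_FORWARD `fwd` rule, which only changes the next hop or hands a packet to a local socket and never rewrites addresses. Interface names fxp0 (outside) and fxp1 (inside) and the transparent proxy on 127.0.0.1:3128 are assumptions; `fwcmd` defaults to `echo` so the script only prints the rules.

```shell
#!/bin/sh
# Added example (not the thread's or rootprompt.net's config).
# Assumed interfaces: fxp0 = outside (leased line), fxp1 = inside LAN.
# fwcmd defaults to "echo" so the script is a dry run that prints rules;
# set fwcmd=/sbin/ipfw on a real gateway to load them.
fwcmd="${fwcmd:-echo}"
oif="${oif:-fxp0}"
iif="${iif:-fxp1}"

# NAT for the internal network: every packet crossing the outside
# interface is diverted to natd, which rewrites addresses and reinjects
# it. This is the part that needs IPDIVERT, not IPFIREWALL_FORWARD.
nat_rules() {
    $fwcmd add 100 divert natd ip from any to any via "$oif"
    $fwcmd add 200 allow ip from any to any via "$iif"
}

# fwd (IPFIREWALL_FORWARD) is not NAT: it leaves the packet unchanged.
# With a local address,port it hands HTTP arriving on the inside NIC to
# a local proxy socket (assumed transparent proxy on 127.0.0.1:3128).
fwd_rules() {
    $fwcmd add 300 fwd 127.0.0.1,3128 tcp from any to any 80 in via "$iif"
}

# Default deny closes whatever the rules above did not explicitly allow.
deny_rest() {
    $fwcmd add 65000 deny log ip from any to any
}

# Dry-run helper: how many generated rule lines mention "$1".
count_rules() {
    { nat_rules; fwd_rules; deny_rest; } | grep -c -- "$1"
}

if [ "$fwcmd" = echo ]; then
    nat_rules; fwd_rules; deny_rest
fi
```

Rule 300 only matters for traffic already permitted by the rest of the set; removing natd while keeping it would leave internal hosts without address translation, since fwd never touches the packet headers.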