Date: Fri, 3 Jan 2003 16:13:52 -0800 (PST)
From: Avleen Vig <lists-freebsd@silverwraith.com>
To: randall ehren <randall@ucsb.edu>
Cc: Avleen Vig <lists-freebsd@silverwraith.com>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: incoming bandwidth limiting using ipfilter
Message-ID: <20030103161007.F17456@guava.silverwraith.com>
In-Reply-To: <Pine.BSF.4.33.0301031533560.78558-100000@isber.ucsb.edu>
References: <Pine.BSF.4.33.0301031533560.78558-100000@isber.ucsb.edu>

On Fri, 3 Jan 2003, randall ehren wrote:

> not to stray too far, but if IPFW is set to allow all incoming packets and is
> only used for shaping, and you have ipfilter handling nat, then it seems it
> would just be:
> network card --> IPFW (traffic shape) --> IPF (filter+nat) --> userland
> i guess an internally NAT address would go back out as:
> IPF --> IPFW --> network card

We actually found it goes:

Internal Net -> NIC -> IPF+NAT -> IPFW -> World
World -> IPF+NAT -> IPFW -> NIC -> Internal net

After seeing this, I didn't even bother to see what the internal side of the
router processed as. I'm sure it would have given me a headache trying to set
up the runs.
Suffice to say, IPF+NAT always sees the packets first (at least on the outer
side of the router).