Date: Sun, 09 Jul 2000 21:16:17 -0400 (EDT)
From: Colin <cwass99@home.com>
To: freebsd-stable@FreeBSD.ORG
Subject: natd inconsistencies
Message-ID: <XFMail.000709211617.cwass99@home.com>
I've just finished setting up FreeBSD 4.0R with ipfw and natd and I've noticed either a discrepancy between the actual functionality and the man page or a misunderstanding on my part.

The man page recommends putting the divert rule as close to the beginning of the rule set as possible, and the default rule sets seem consistent with this. I noticed, though, that if I didn't put the rule "deny ip from 192.168.0.0/24 to any in recv ed1" before the divert rule, nothing from my internal network (which just happens to be 192.168.0.0/24) would get through. I assume the prevent-spoofing rules for private networks would have the same issue depending on the internal network used. I also noticed several other default rules caused some problems.

My first thought was that when natd rebuilt the header with the internal network addresses, it still showed as a packet arriving from the external network (which is why I moved the rule). Then I realized that shouldn't matter, as the source address should have been the external host that sent the packet, which could clearly not be in the 192.168.0.0/24 network (unless there are some serious router issues out there ;) I honestly have no clue why this would be the case.

I'm working on a new rule set that seems both secure and reasonable for my type of situation, which I assume will become ever more common: a private network running through a firewall and natd via [cable modem|*dsl] to the internet. The simple ruleset was completely unusable (I couldn't connect doodle to squirt from the internal network) and the open approach was just silly. I'll post it here for comment in a day or two. In the interim, any comments on why natd and ipfw don't work the intuitive way would be appreciated.

Cheers,
Colin
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.000709211617.cwass99>
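The behaviour behind the ordering question in the mail is that ipfw tries rules in number order, a matching divert rule hands the packet to natd, and the rewritten packet re-enters the firewall at the rule after the divert. So a rule placed before the divert matches the addresses as they appear on the wire, while a rule placed after it matches the addresses natd produced. The following model is an added example for this thread, not code from ipfw, natd or the poster; it only simulates that one evaluation rule plus a minimal port-based NAT, models only the pass over the external interface (so the poster's "in recv ed1" distinction is not represented), and every interface name, address and port in it (ed0, 203.0.113.10, 198.51.100.7, the 40000 port base) is constructed for the demonstration.

```python
# Added model of ipfw evaluation around a natd divert rule. Not ipfw/natd code;
# addresses, ports and interface names are constructed for the demonstration.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

EXT_IF = "ed0"                 # assumed: the outside (cable/DSL) interface
PUBLIC_IP = "203.0.113.10"     # constructed public address of the gateway
INSIDE_NET = "192.168.0.0/24"  # the internal network named in the mail


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet is crossing
    direction: str   # "in" = arriving on iface, "out" = leaving via iface


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # "allow", "deny" or "divert"
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"
    iface: Optional[str] = None      # "via X": either direction on X
    direction: Optional[str] = None  # "in"/"out", None for both

    def matches(self, p: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (in_net(self.src, p.src) and in_net(self.dst, p.dst)
                and self.iface in (None, p.iface)
                and self.direction in (None, p.direction))


class Natd:
    """Port-based masquerading: inside:port <-> PUBLIC_IP:public_port."""

    def __init__(self) -> None:
        self.next_port = 40000
        self.out = {}   # (inside_src, sport) -> public_port
        self.back = {}  # public_port -> (inside_src, sport)

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and ip_address(p.src) in ip_network(INSIDE_NET):
            key = (p.src, p.sport)
            if key not in self.out:          # first packet of a new session
                self.out[key] = self.next_port
                self.back[self.next_port] = key
                self.next_port += 1
            return replace(p, src=PUBLIC_IP, sport=self.out[key])
        if p.direction == "in" and p.dst == PUBLIC_IP and p.dport in self.back:
            src, sport = self.back[p.dport]  # reply to a known session
            return replace(p, dst=src, dport=sport)
        return p                             # nothing to translate


def evaluate(rules, pkt: Packet, natd: Natd):
    """First match wins; a matching divert reinjects at the next rule number."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd.translate(pkt)   # later rules see the rewritten header
            continue
        return rule.action, rule.number
    return "deny", 65535                # ipfw's implicit default rule


DIVERT = Rule(200, "divert", iface=EXT_IF)   # divert natd ip from any to any via ed0
ALLOW = Rule(300, "allow")
# deny ip from 192.168.0.0/24 to any via ed0 (private-net leak guard); only its
# number, i.e. its position relative to the divert, is varied below.
LEAK_GUARD = Rule(100, "deny", src=INSIDE_NET, iface=EXT_IF)
# The mirror image: deny ip from any to 192.168.0.0/24 via ed0.
INSIDE_DST_GUARD = Rule(100, "deny", dst=INSIDE_NET, iface=EXT_IF)

OUTBOUND = Packet("192.168.0.5", 1025, "198.51.100.7", 80, EXT_IF, "out")
REPLY = Packet("198.51.100.7", 80, PUBLIC_IP, 40000, EXT_IF, "in")


def outbound_verdict(guard_number: int) -> str:
    """Verdict on an inside host's outbound packet with LEAK_GUARD at guard_number."""
    rules = [replace(LEAK_GUARD, number=guard_number), DIVERT, ALLOW]
    return evaluate(rules, OUTBOUND, Natd())[0]


def reply_verdict(guard_number: int) -> str:
    """Verdict on the reply with INSIDE_DST_GUARD at guard_number; session opened first."""
    rules = [replace(INSIDE_DST_GUARD, number=guard_number), DIVERT, ALLOW]
    natd = Natd()
    evaluate(rules, OUTBOUND, natd)   # opens 192.168.0.5:1025 <-> 203.0.113.10:40000
    return evaluate(rules, REPLY, natd)[0]


if __name__ == "__main__":
    print("leak guard before divert (100):", outbound_verdict(100))  # deny
    print("leak guard after divert (250): ", outbound_verdict(250))  # allow
    print("inside-dst guard before divert:", reply_verdict(100))     # allow
    print("inside-dst guard after divert: ", reply_verdict(250))     # deny
```

The two pairs show the symmetric trap: a rule naming the private network as source kills all outbound traffic when it sits before the divert, because natd has not yet rewritten the source, and a rule naming the private network as destination kills all replies when it sits after the divert, because natd has already rewritten the destination. When checking a ruleset of this shape, read every rule that mentions the internal prefix and ask which side of the divert it is on and therefore which header it will see.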