Date: Sun, 8 Sep 2002 09:39:58 -0700 (PDT) From: Paulo Roberto <nirv199@yahoo.com> To: freebsd-questions@freebsd.org Subject: simple questions about ipfw + natd rules Message-ID: <20020908163958.35715.qmail@web14912.mail.yahoo.com>
Hello,

I am having some trouble trying to picture the ipfw+natd algorithm to implement my firewall rules.

When I divert some packets to natd, natd then masquerades them and resends them to firewall rule number one, right? It does not get to the rule after the one where the packet was diverted?

So, in the same example, if I add a dynamic rule like "from me to any keep-state", this rule will apply to this packet after it was masqueraded, and when the response gets back it is accepted by a "check-state" rule, and then the "process owner" of this packet is *natd* and not the original address, right? So the same packet is delivered to natd, and then natd de-masquerades it and _again_ puts it through firewall rule number one (and so on...)?

So, for one packet going out or in, it gets processed *two* times by all firewall rules (of course, first match wins...), is this correct? I am just concerned about the processing time of each packet and its delay on a busy link.

TIA
PR
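Added illustration, not part of this thread and not FreeBSD code: a toy Python model of ipfw first-match rule processing with a divert-to-natd hop, written on the assumption (taken from divert(4)) that a packet written back by natd resumes at the rule after the divert rule rather than at rule number one. It pushes one TCP session (outbound SYN, then the reply) through two constructed rulesets, one patterned on the stateful NAT ruleset in the FreeBSD Handbook and a naive one that diverts before creating state, and reports the verdict and how many rules each pass evaluated. Addresses, ports, rule numbers and the simplified natd are all assumptions of the model.

```python
"""Toy model of ipfw first-match rule processing with a divert-to-natd hop.

Constructed illustration, not FreeBSD code. Simplifying assumptions:
 - a packet written back by natd resumes at the rule after the divert rule
   (divert(4)); it does not restart at rule number one;
 - natd preserves the source port and keeps one port -> LAN host table;
 - state entries are exact 5-tuples, matched in either direction;
 - keep-state does not imply check-state here (real ipfw does both).
"""
from dataclasses import dataclass, replace
from typing import Callable

LAN_HOST, EXT_IP, REMOTE = "192.168.1.10", "203.0.113.5", "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "out" or "in", relative to the external interface


class Natd:
    """Port-preserving masquerader: LAN source -> EXT_IP, reversed on return."""

    def __init__(self):
        self.table = {}  # external port -> LAN host

    def translate(self, p):
        if p.direction == "out" and p.src != EXT_IP:
            self.table[p.sport] = p.src
            return replace(p, src=EXT_IP)
        if p.direction == "in" and p.dst == EXT_IP and p.dport in self.table:
            return replace(p, dst=self.table[p.dport])
        return p


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                       # check-state | divert | skipto | allow | deny
    match: Callable[[Packet], bool]
    keep_state: bool = False
    target: int = 0                   # skipto target rule number


class Firewall:
    def __init__(self, rules, natd):
        self.rules = sorted(rules, key=lambda r: r.number)
        self.natd = natd
        self.states = set()

    @staticmethod
    def _key(p):
        return (p.src, p.dst, p.sport, p.dport)

    def _has_state(self, p):
        rev = (p.dst, p.src, p.dport, p.sport)
        return self._key(p) in self.states or rev in self.states

    def process(self, p):
        """Return (verdict, packet as it leaves ipfw, number of rules evaluated)."""
        i, evaluated = 0, 0
        while i < len(self.rules):
            r = self.rules[i]
            evaluated += 1
            if r.action == "check-state":
                if self._has_state(p):
                    return "allow", p, evaluated
                i += 1
                continue
            if not r.match(p):
                i += 1
                continue
            if r.keep_state:
                self.states.add(self._key(p))  # keyed on the packet as seen here
            if r.action == "divert":
                p = self.natd.translate(p)     # written back: continue at next rule
                i += 1
            elif r.action == "skipto":
                i = next(j for j, x in enumerate(self.rules) if x.number >= r.target)
            else:
                return r.action, p, evaluated
        return "deny", p, evaluated  # default rule


def handbook_style_rules():
    """Inbound: untranslate first, then check-state. Outbound: create state on
    the untranslated packet, skip past the deny, then divert and allow."""
    return [
        Rule(100, "divert", lambda p: p.direction == "in"),
        Rule(200, "check-state", lambda p: True),
        Rule(300, "skipto", lambda p: p.direction == "out", keep_state=True, target=500),
        Rule(400, "deny", lambda p: True),
        Rule(500, "divert", lambda p: p.direction == "out"),
        Rule(510, "allow", lambda p: True),
    ]


def naive_rules():
    """Divert both directions first, then keep-state: the state is keyed on the
    translated EXT_IP source and never matches the untranslated reply."""
    return [
        Rule(100, "divert", lambda p: True),
        Rule(200, "check-state", lambda p: True),
        Rule(300, "allow", lambda p: p.direction == "out", keep_state=True),
        Rule(400, "deny", lambda p: True),
    ]


def run_session(rules):
    """Outbound SYN from the LAN host, then the reply from REMOTE (constructed)."""
    fw = Firewall(rules, Natd())
    out = fw.process(Packet(LAN_HOST, REMOTE, 40000, 80, "out"))
    back = fw.process(Packet(REMOTE, EXT_IP, 80, 40000, "in"))
    return out, back


if __name__ == "__main__":
    for name, rules in (("handbook", handbook_style_rules()), ("naive", naive_rules())):
        out, back = run_session(rules)
        print(name, "out:", out[0], out[1].src, "->", out[1].dst, f"({out[2]} rules)")
        print(name, "in: ", back[0], back[1].src, "->", back[1].dst, f"({back[2]} rules)")
```

In this model no packet is run through the whole ruleset twice: the outbound packet under the handbook-style ordering touches five rules in one pass (the divert is just one hop in that pass) and the reply touches two, while the naive ordering lets the outbound packet through but drops the reply because the dynamic rule was created on the already-translated source address.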