From: Paulo Roberto
Date: Sun, 8 Sep 2002 09:39:58 -0700 (PDT)
Subject: simple questions about ipfw + natd rules
To: freebsd-questions@freebsd.org

Hello,

I am having some trouble trying to picture the ipfw+natd algorithm to implement my firewall rules. When I divert some packets to natd, natd then masqs them and resends them to the firewall rule number one, right? It does not get to the rule after the packet was diverted?

So, in the same example, if I add a dynamic rule like "from me to any keep-state", this rule will apply to this packet after it was masqed, and when the response gets back it is accepted by a "check-state" rule, and then the "process owner" of this packet is *natd* and not the original address, right? So the same packet is delivered to natd, and then natd de-masqs it and _again_ puts it through the firewall rule number one (and so on...)?

So, in one packet going out or in, it gets processed *two* times by all firewall rules (of course, first match wins...), is this correct? I am just concerned about the processing time of each packet and its delay time in a busy link.

TIA

PR