Date:      Wed, 23 Oct 2002 20:16:51 -0400 (EDT)
From:      Andriy Gapon <agapon@excite.com>
To:        freebsd-ipfw@freebsd.org
Subject:   Re: Natd plus statefull connections impossible? (revisited)
Message-ID:  <20021023200139.R79979-100000@edge.foundation.invalid>


Revisiting this issue, here are 2 ideas that I have encountered:

1. since NAT is a stateful process in itself, you usually don't want
to have stateful rules for packets that were successfully translated to
be destined for your private network. It is quite easy to construct rules that
divert proper packets to natd and allow 'natd recognized' packets
immediately after the divert rule(s). You can put other rules (e.g. stateful
rules for the gateway itself) after you are done with translated packets. This
has an added benefit in the case you use natd redirect_*, since you won't
need to have a special matching ipfw rule for each redirect_* option.

2. or, you can use this quite elegant ruleset utilizing the skipto rule
http://www.unixfaq.ru/index.pl?req=qs&id=286
the page is in Russian, but rules are in ipfw-ish :-) and each has a
comment in English.

Decide for yourself whether you trust natd and could use a tiny performance
benefit, or whether you want to be as secure as possible, double-checking natd with
ipfw.

-- 
Andriy Gapon
*
"Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love"
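One way to lay out a ruleset in the shape of point 1 above, as an added example that is not from the original post or from the FreeBSD project; the external interface fxp0, the 192.168.1.0/24 private network and the rule numbers are assumptions, and the anti-spoof rules before the divert are an addition the post does not mention:

```shell
#!/bin/sh
# Added example, not from the original post: ipfw + natd ruleset where
# translated packets are accepted right after the divert rule and the
# gateway's own traffic is handled statefully. fxp0 and 192.168.1.0/24
# are assumed values; set IPFW=echo to preview the rules without loading.
IPFW=${IPFW:-/sbin/ipfw}
OIF=${OIF:-fxp0}                  # assumed external interface natd serves
INNER=${INNER:-192.168.1.0/24}    # assumed private network behind the gateway

nat_ruleset() {
    # Before translation a legitimate inbound packet is addressed to the
    # gateway's public IP, so anything arriving with a private destination
    # (or private source) is spoofed or misrouted and must not reach rule 110.
    $IPFW add 90 deny log ip from any to "$INNER" in via "$OIF"
    $IPFW add 91 deny log ip from "$INNER" to any in via "$OIF"

    # Inbound: untranslate first. natd passes packets it has no entry for
    # unchanged (no -deny_incoming), so they still carry the gateway's
    # public address when they are reinjected at the next rule.
    $IPFW add 100 divert natd ip from any to any in via "$OIF"
    # Only a packet natd recognized now has a private destination, so this
    # single rule covers every NAT entry, redirect_* ones included. It
    # trusts natd's table; to double-check with ipfw instead, replace it
    # with one rule per redirect_* port and per expected reply.
    $IPFW add 110 allow ip from any to "$INNER" in via "$OIF"

    # Gateway's own traffic, handled statefully. These sit before the
    # outbound divert so "me" matches only the gateway's own packets;
    # private hosts still carry their private source address here.
    $IPFW add 200 check-state
    $IPFW add 210 allow tcp from me to any out via "$OIF" setup keep-state
    $IPFW add 220 allow udp from me to any out via "$OIF" keep-state
    $IPFW add 230 allow tcp from any to me 22 in via "$OIF" setup keep-state

    # Outbound from the private network: translate, then let the rewritten
    # packet (source is now the gateway's public address) leave.
    $IPFW add 300 divert natd ip from "$INNER" to any out via "$OIF"
    $IPFW add 310 allow ip from any to any out via "$OIF"

    $IPFW add 65000 deny log ip from any to any
}

# Load the rules only when invoked as: sh nat-rules.sh apply
case "${1:-}" in
    apply) nat_ruleset ;;
esac
```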

