Date: Sun, 8 Sep 2002 09:53:55 -0700 (PDT)
From: Paulo Roberto <nirv199@yahoo.com>
To: Paulo Roberto <nirv199@yahoo.com>, freebsd-questions@freebsd.org
Subject: Re: simple questions about ipfw + natd rules
Message-ID: <20020908165355.42165.qmail@web14912.mail.yahoo.com>
In-Reply-To: <20020908163958.35715.qmail@web14912.mail.yahoo.com>
I forgot to ask one more question: is there a way to "keep-state" of a
packet before it gets masqed? If I make the following rule:

  ipfw add 123 divert natd all from some_local_host to some_remote via ed1 keep-state

will it get the packet state before it gets masqed? So when a packet of the
same connection gets back, it will be accepted by a "check-state" rule? So
when it is accepted, it will get back to the owner (natd process) and then
it will get back to the first firewall rule? So then I need to add a rule
like "pass all from some_remote to some_local_host"? Or will that first
"keep-state" rule take care of it?

TIA

--- Paulo Roberto <nirv199@yahoo.com> wrote:
> Hello,
>
> I am having some trouble trying to picture the ipfw+natd algorithm to
> implement my firewall rules.
>
> When I divert some packets to natd, natd then masqs them and resends
> them to firewall rule number one, right? It does not get to the
> rule after the packet was diverted?
>
> So, in the same example, if I add a dynamic rule like "from me to any
> keep-state", this rule will apply to this packet after it was masqed,
> and when the response gets back it is accepted by a "check-state" rule,
> and then the "process owner" of this packet is *natd* and not the
> original address, right?
>
> So the same packet is delivered to natd, and then natd de-masqs it and
> _again_ puts it through firewall rule number one (and so on...)?
>
> So, in one packet going out or in, it gets processed *two* times by all
> firewall rules (of course, first match wins...), is this correct?
>
> I am just concerned about the processing time of each packet and its
> delay time on a busy link.
>
> TIA
>
> PR
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Finance - Get real-time stock quotes
> http://finance.yahoo.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
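The ordering question raised in this message, as an added example that is not part of the original thread: an ipfw ruleset in which the dynamic rule is created from the private (pre-NAT) addresses, and replies are translated back by natd before check-state sees them. It relies on two ipfw behaviours: a packet re-injected by natd continues at the rule after the divert rule that sent it there (it does not restart at rule one), and a check-state match executes the action of the rule that created the dynamic entry. The external interface ed1 comes from the thread; the LAN prefix, the rule numbers and the use of natd's default divert port are assumptions. By default the script only prints the ipfw commands (IPFW defaults to echo), so it can be read and run without loading anything.

```sh
#!/bin/sh
# Added example, not from the original thread. Orders ipfw rules so that
# state is kept on the pre-NAT (private) addresses and inbound replies are
# un-NATed before check-state. Interface, LAN prefix and rule numbers are
# assumptions; natd is assumed to listen on its default divert port.
#
# Dry run by default: the commands are only printed. Set IPFW=/sbin/ipfw
# to load them for real. $IPFW is left unquoted on purpose so that the
# default "echo /sbin/ipfw" splits into a command and its first argument.

IPFW=${IPFW:-echo /sbin/ipfw}
EXT=${EXT:-ed1}                 # external interface (from the thread)
LAN=${LAN:-192.168.1.0/24}      # assumed private network behind natd

ruleset() {
    $IPFW -f flush
    # Inbound on the external interface: un-NAT first, so every later rule,
    # including check-state, sees the private destination address. The
    # packet comes back from natd at rule 200, not at rule 100 again.
    $IPFW add 100 divert natd ip from any to any in via "$EXT"
    # Replies to tracked sessions match their dynamic rule here and take
    # the action of the rule that created it (skipto 800 below).
    $IPFW add 200 check-state
    # New outbound sessions from the LAN: the dynamic rule is recorded with
    # the private source address, and only then does the packet jump to the
    # outbound NAT rule.
    $IPFW add 300 skipto 800 tcp from "$LAN" to any out via "$EXT" setup keep-state
    $IPFW add 301 skipto 800 udp from "$LAN" to any out via "$EXT" keep-state
    $IPFW add 302 skipto 800 icmp from "$LAN" to any out via "$EXT" keep-state
    # Anything else arriving on the external interface that matched no
    # dynamic rule is dropped.
    $IPFW add 400 deny log ip from any to any in via "$EXT"
    # Outbound: translate after the state has been recorded. An inbound
    # reply sent here by check-state does not match "out" and falls
    # through to 801. The NATed outbound packet also re-enters at 801.
    $IPFW add 800 divert natd ip from any to any out via "$EXT"
    $IPFW add 801 allow ip from any to any
}

ruleset
```

Walking the two paths through this ruleset: a new connection from the LAN skips rule 100 (it is not "in via" ed1), finds no dynamic entry at 200, creates one at 300 with the private source address, jumps to 800, is masqueraded by natd, re-enters at 801 and is allowed. The reply arrives "in via" ed1, is un-NATed at 100, re-enters at 200, matches the dynamic entry (now keyed on the private address again), takes the parent action skipto 800, does not match the "out" divert and is allowed at 801. No separate "pass from some_remote to some_local_host" rule is needed, and each packet passes natd exactly once. Note that if the divert came after keep-state on the outbound side with no skipto, the dynamic entry would be created before translation but the check-state would have to sit after an inbound divert anyway, which is why the inbound and outbound divert rules are split.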