Date:      Fri, 15 Feb 2002 09:39:37 -0800
From:      Michael Sierchio <kudzu@tenebras.com>
To:        "Earl A. Killian" <earl@killian.com>
Cc:        Chris Dillon <cdillon@wolves.k12.mo.us>, "Rogier R. Mulhuijzen" <drwilco@drwilco.net>, Luigi Rizzo <rizzo@icir.org>, freebsd-ipfw@FreeBSD.ORG, freebsd-net@FreeBSD.ORG
Subject:   Re: Bug in stateful code?
Message-ID:  <3C6D47D9.10003@tenebras.com>
References:  <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>	<Pine.BSF.4.32.0202151003240.92211-100000@mail.wolves.k12.mo.us> <15469.17124.999950.13271@sax.killian.com>

Earl A. Killian wrote:

> Chris Dillon writes:
>  > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST)
>  > From: Chris Dillon <cdillon@wolves.k12.mo.us>
>  > 
>  > If you have the luxury of having more than one IP address available
>  > for the outside interface, you can dedicate one address to natd's use,
>  > and the other to the host machine.  Use -deny_incoming on natd, and
>  > use whatever rules you want, including stateful, on the non-NAT
>  > address.  This is what I've done and it works fine.
> 
> This sounds promising, but I am confused by the man page on
> -deny_incoming.  Perhaps you could clarify?  It says, "Do not pass
> incoming packets that have no entry in the internal translation
> table."  Which internal translation table do they mean?  If this is
> the translation table set up when an internal host packet is forwarded
> to the internet, I don't see how a connection ever gets established.
> Does "internal translation table" mean something else?


It's a 'natd' option, which says not to pass incoming packets (from
the nat'd interface, presumably the external interface) which
aren't part of established "connections"  -- the internal translation
table is internal to natd.
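
The behaviour described in the reply above, as an added example that is not part of the original message and is not natd or libalias code: a toy translation table in which an outbound packet from an inside host creates the entry that later lets the reply back in. The class `ToyNat`, the addresses and the alias port range are constructed for illustration, and the "pass" branch is a simplification of what happens without the option.

```python
# Toy model of a NAT translation table with a deny_incoming switch.
# Constructed for illustration; this is not how natd is implemented.
from dataclasses import dataclass, field


@dataclass
class ToyNat:
    alias_ip: str                  # outside address dedicated to NAT
    deny_incoming: bool = True
    next_port: int = 40000         # constructed alias port range
    # (proto, alias_port, (remote_ip, remote_port)) -> (inside_ip, inside_port)
    table: dict = field(default_factory=dict)

    def outbound(self, proto, src, sport, dst, dport):
        """An inside host sends a packet: reuse or create a table entry."""
        for key, inside in self.table.items():
            if key[0] == proto and key[2] == (dst, dport) and inside == (src, sport):
                return (self.alias_ip, key[1], dst, dport)
        alias_port = self.next_port
        self.next_port += 1
        self.table[(proto, alias_port, (dst, dport))] = (src, sport)
        return (self.alias_ip, alias_port, dst, dport)

    def inbound(self, proto, src, sport, dst, dport):
        """A packet arrives on the outside interface for the alias address."""
        inside = self.table.get((proto, dport, (src, sport)))
        if inside is not None:
            return ("translate", inside)   # reply to a flow started from inside
        if self.deny_incoming:
            return ("drop", None)          # no table entry: not passed
        return ("pass", (dst, dport))      # simplification: handed on unchanged


def demo():
    nat = ToyNat(alias_ip="192.0.2.2")
    # Inside host opens a connection; this is what populates the table.
    out = nat.outbound("tcp", "10.0.0.5", 51000, "198.51.100.7", 80)
    # The server's reply matches the entry and is translated back.
    reply = nat.inbound("tcp", "198.51.100.7", 80, "192.0.2.2", out[1])
    # A connection attempt from outside has no entry and is dropped.
    unsolicited = nat.inbound("tcp", "203.0.113.9", 4444, "192.0.2.2", 22)
    return out, reply, unsolicited


if __name__ == "__main__":
    for result in demo():
        print(result)
```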

