Date: Sat, 1 Dec 2001 14:54:41 -0800
From: "Crist J . Clark" <cjc@FreeBSD.ORG>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: Nick Rogness <nick@rogness.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: Diagrams on natd?
Message-ID: <20011201145441.H13613@blossom.cjclark.org>
In-Reply-To: <906.1006365980@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Wed, Nov 21, 2001 at 08:06:20PM +0200
References: <Pine.BSF.4.21.0111211115400.49168-100000@cody.jharris.com> <906.1006365980@axl.seasidesoftware.co.za>
On Wed, Nov 21, 2001 at 08:06:20PM +0200, Sheldon Hearn wrote:
>
> On Wed, 21 Nov 2001 11:17:26 CST, Nick Rogness wrote:
>
> > I made an animated gif that steps through the nat process:
> >
> > http://freebsd.rogness.net/redirect.cgi?basic/nat.html
>
> Nice idea!
>
> Thing is, I'm trying to get a better understanding of how natd interacts
> with IPFW. There's a LOT more going on than what's shown in your
> diagram.

The interaction between natd(8) and ipfw(8) is actually very simple. You
can think of it this way,

  1. ipfw(8) sends a packet that matches a divert(4) rule to natd(8).

  2. natd(8) does "something" with the packet.

  3. natd(8) writes the packet back to the firewall through the divert(4)
     mechanism.

  4. The packet, which may have been modified in step 2, continues through
     the ipfw(8) rules.

All very straightforward. Of course, that step 2 is a doozy. But step 2
all happens within natd(8) and really has nothing to do with ipfw(8).

As for the web page quoted above, it is a pretty good primer, but it
gives some bad advice in the last section. The example is how to block
incoming traffic on tcp/53. The example is bad for two reasons. First,
blocking tcp/53 breaks DNS. Second, you are better off doing this
_before_ the divert(4) rule. You are better off _blocking_ packets before
the divert(4) rule whenever possible. That is,

  # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0

Would be the best way to go.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
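The four-step divert round trip above, and the reason a deny rule belongs before the divert rule, can be seen in a small model of the rule walk. This is an added example written for this archive page; it is not code from the message, from FreeBSD, or from ipfw(8)/natd(8), and it runs neither of them. It assumes the inbound packet re-enters the ruleset at the rule after the divert rule (step 4), a natd(8) stand-in with a single constructed static redirect, and constructed addresses (the 20.30.40.51 public address and xl0 interface come from the message; the private 192.168.1.10 host and the 198.51.100.7 client are made up). It shows that a deny written against the public address matches at rule 40, before the divert, but no longer matches once natd has rewritten the destination.

```python
"""Toy model of the ipfw(8)/natd(8) divert round trip. Added example only:
not code from the mailing-list post or from FreeBSD. It walks an ordered rule
list, hands a matching packet to a natd stand-in, and resumes at the next rule
with the (possibly rewritten) packet, mirroring steps 1-4 of the message."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str  # "deny", "allow" or "divert"
    proto: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    direction: str = "any"
    iface: str = "any"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport)
                and self.direction in ("any", p.direction)
                and self.iface in ("any", p.iface))


class Natd:
    """Stand-in for natd(8) (assumption): inbound packets to the public
    address are rewritten to a private host from a static redirect table.
    Outbound packets pass through unchanged in this simplified model."""

    def __init__(self, public_ip: str, redirects: dict):
        self.public_ip = public_ip
        self.redirects = redirects  # {(proto, public port): (private ip, port)}

    def translate(self, p: Packet) -> Packet:
        if p.direction == "in" and p.dst == self.public_ip:
            target = self.redirects.get((p.proto, p.dport))
            if target:
                return replace(p, dst=target[0], dport=target[1])
        return p


def walk(rules, packet: Packet, natd: Natd):
    """Walk rules in number order. Returns (verdict, rule number, packet as
    the firewall last saw it). A divert rule hands the packet to natd and
    processing continues at the next rule (step 4 in the message)."""
    p = packet
    for r in sorted(rules, key=lambda r: r.number):
        if not r.matches(p):
            continue
        if r.action == "divert":
            p = natd.translate(p)  # steps 1-3: divert, rewrite, re-inject
            continue
        return r.action, r.number, p
    return "deny", 65535, p  # implicit default deny at the end of the list


PUBLIC = "20.30.40.51"  # public address from the message
natd = Natd(PUBLIC, {("tcp", 53): ("192.168.1.10", 53)})  # constructed redirect

# Constructed inbound TCP/53 packet arriving on xl0.
inbound_dns = Packet("tcp", "198.51.100.7", 40000, PUBLIC, 53, "in", "xl0")

# Ruleset A: the deny placed before the divert, as the message recommends.
ruleset_deny_before_divert = [
    Rule(40, "deny", proto="tcp", dst=PUBLIC, dport=53, direction="in", iface="xl0"),
    Rule(50, "divert"),
    Rule(65000, "allow"),
]

# Ruleset B: the same deny, written against the public address, after the divert.
ruleset_deny_after_divert = [
    Rule(50, "divert"),
    Rule(60, "deny", proto="tcp", dst=PUBLIC, dport=53, direction="in", iface="xl0"),
    Rule(65000, "allow"),
]


def compare() -> dict:
    """Run the same packet through both rulesets and report the verdicts."""
    return {
        "deny_before_divert": walk(ruleset_deny_before_divert, inbound_dns, natd),
        "deny_after_divert": walk(ruleset_deny_after_divert, inbound_dns, natd),
    }


if __name__ == "__main__":
    for name, (verdict, number, pkt) in compare().items():
        print(f"{name}: {verdict} at rule {number}, dst seen as {pkt.dst}:{pkt.dport}")
```

With the deny at rule 40 the packet is dropped before natd ever sees it; with the deny at rule 60 the divert at rule 50 has already rewritten the destination to the private host, so a rule that names the public address no longer matches and the packet falls through to the allow. That is the practical effect of step 4 and the reason the message puts blocking rules before the divert rule.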