Date: Sat, 1 Dec 2001 18:23:21 -0600 (CST) From: Nick Rogness <nick@rogness.net> To: "Crist J . Clark" <cjc@FreeBSD.ORG> Cc: Sheldon Hearn <sheldonh@starjuice.net>, freebsd-questions@FreeBSD.ORG Subject: Re: Diagrams on natd? Message-ID: <Pine.BSF.4.21.0112011816310.48587-100000@cody.jharris.com> In-Reply-To: <20011201145441.H13613@blossom.cjclark.org>
On Sat, 1 Dec 2001, Crist J . Clark wrote:

> On Wed, Nov 21, 2001 at 08:06:20PM +0200, Sheldon Hearn wrote:
> >
> > On Wed, 21 Nov 2001 11:17:26 CST, Nick Rogness wrote:
> >
> > > I made an animated gif that steps through the nat process:
> > >
> > > http://freebsd.rogness.net/redirect.cgi?basic/nat.html
>
> As for the web page quoted above, it is a pretty good primer, but it
> gives some bad advice in the last section. The example is how to block
> incoming traffic on tcp/53. The example is bad for two reasons. First,
> blocking tcp/53 breaks DNS.

Only zone transfers. Which is what the example was intended to do.

> Second, you are better off doing this
> _before_ the divert(4) rule. You are better off _blocking_ packets
> before the divert(4) rule whenever possible. That is,
>
> # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0

I agree, however, that is OK if you know what your public IP is. In a
natd-dynamic configuration. This was written just prior to the release
of the "me" flag in ipfw (I believe).

Nick Rogness <nick@rogness.net>
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
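The two points raised in the exchange above (deny inbound tcp/53 before the natd divert(4) rule, and use ipfw's "me" keyword instead of a hardcoded public address when natd runs on a dynamic IP) combined into one ruleset, as an added example that is not part of the original message or of the nat.html page it discusses. The interface name xl0 and rule numbers 40/50 follow the quoted rule; the natd divert port name, the catch-all allow rule at 100 and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original message: an ipfw ruleset that denies
# inbound tcp/53 (zone transfers; ordinary UDP/53 lookups are unaffected) on
# the public interface *before* natd's divert rule, using "me" so the rule
# keeps working when the public address is assigned dynamically.
# EXT_IF, the natd port name and the rule numbers are assumptions.

EXT_IF="${EXT_IF:-xl0}"
NATD_PORT="${NATD_PORT:-natd}"   # natd's divert port, 8668 in /etc/services

# Print the ruleset in the order ipfw will evaluate it (lowest number first).
nat_rules() {
    cat <<EOF
# Block zone transfers to this host before natd ever sees the packet.
# "me" matches any address configured on a local interface, so the
# public IP does not have to be hardcoded as 20.30.40.51 would be.
add 40 deny tcp from any to me 53 in via $EXT_IF
# Everything else crossing the public interface goes through natd.
add 50 divert $NATD_PORT ip from any to any via $EXT_IF
# UDP/53 and all other traffic remain permitted by this catch-all.
add 100 allow ip from any to any
EOF
}

# Rule number of the first non-comment rule matching a pattern; empty if none.
rule_number() {
    nat_rules | awk -v pat="$1" '$0 !~ /^#/ && $0 ~ pat { print $2; exit }'
}

# The deny rule must carry a lower number than the divert rule, otherwise the
# packet is already rewritten (and may be forwarded) before the deny matches.
check_order() {
    deny=$(rule_number 'deny tcp .* 53')
    divert=$(rule_number 'divert')
    [ -n "$deny" ] && [ -n "$divert" ] && [ "$deny" -lt "$divert" ]
}

# Load the ruleset: ipfw reads commands from a file given as its argument.
# Flushing first replaces whatever ruleset is loaded, so run this from the
# console rather than over a connection the firewall is protecting.
load_rules() {
    tmp=$(mktemp) || return 1
    nat_rules | grep -v '^#' > "$tmp"
    ipfw -q -f flush && ipfw -q "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Usage as root on FreeBSD:  check_order && load_rules
```

Run `nat_rules` on its own to review the generated rules before loading them; `check_order` only verifies the ordering the thread argues for, it does not check that natd is running on the port the divert rule names.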