Date: Sat, 1 Dec 2001 18:54:37 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: cjclark@alum.mit.edu
Cc: Sheldon Hearn <sheldonh@starjuice.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: Diagrams on natd?
Message-ID: <Pine.BSF.4.21.0112011847420.48587-100000@cody.jharris.com>
In-Reply-To: <20011201164155.L13613@blossom.cjclark.org>
On Sat, 1 Dec 2001, Crist J. Clark wrote:

> On Sat, Dec 01, 2001 at 06:23:21PM -0600, Nick Rogness wrote:
> > On Sat, 1 Dec 2001, Crist J. Clark wrote:
> >
> [SNIP]
> This is a common misconception. Blocking 53/tcp breaks queries too,
> but you don't see the problems it creates too frequently.

Someone once mentioned that to me but I have never seen this behavior
or read it anywhere (O'Reilly, rev3). Maybe you could explain.

> > > > Second, you are better off doing this
> > > _before_ the divert(4) rule. You are better off _blocking_ packets
> > > before the divert(4) rule whenever possible. That is,
> > >
> > > # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0
> >
> > I agree, however, that is OK if you know what your public IP
> > is. In a natd-dynamic configuration. This was written just prior
> > to the release of the "me" flag in ipfw (I believe).
>
> OK,
>
> # ipfw add 40 deny tcp from any to any 53 in via xl0
>
> Is fine too.
> --

Yeh, it's been such a while, I'll have to make changes. What's on that
site is not exactly the way things should be done anymore.

Nick Rogness <nick@rogness.net>
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
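The ordering point in the exchange above (deny rules belong _before_ the divert(4) rule, so that blocked packets never reach natd) is easy to get wrong when a ruleset grows. The following POSIX shell check is an added example, not code from the thread or from FreeBSD: it reads an ipfw listing in `ipfw list` style and reports any inbound port-53 deny rule whose number is not below the divert rule. The rule numbers, the interface xl0 and the `me` keyword are taken from the thread's own examples; the sample listing itself is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every inbound port-53 deny
# rule in an ipfw listing is numbered below the divert rule, so denied packets
# are dropped before natd ever sees them. Rule numbers, interface xl0 and the
# "me" keyword follow the thread's examples; the listing itself is constructed.

SAMPLE_RULES='00040 deny tcp from any to me 53 in via xl0
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
65535 deny ip from any to any'

# Print the number of the first divert rule (empty output if there is none).
divert_rule_number() {
    printf '%s\n' "$1" | awk '$2 == "divert" { print $1 + 0; exit }'
}

# Print the numbers of inbound port-53 deny rules that are NOT ordered before
# the divert rule; prints nothing when the ordering is correct.
# Exit status 2 when the listing has no divert rule at all.
misordered_dns_denies() {
    divert=$(divert_rule_number "$1")
    if [ -z "$divert" ]; then
        echo "no divert rule in ruleset" >&2
        return 2
    fi
    printf '%s\n' "$1" | awk -v d="$divert" \
        '$2 == "deny" && / 53 in via / && ($1 + 0) >= d { print $1 + 0 }'
}

# Human-readable verdict; exit status 0 when ordering is correct, 1 otherwise.
check_ruleset() {
    bad=$(misordered_dns_denies "$1") || return $?
    if [ -n "$bad" ]; then
        echo "deny rules numbered after divert (natd sees these packets first): $bad"
        return 1
    fi
    echo "all inbound port-53 deny rules precede the divert rule"
}

check_ruleset "$SAMPLE_RULES"
```

On a live box the same check can be fed the real listing with `check_ruleset "$(ipfw list)"`; the match on `/ 53 in via /` covers both the fixed-address form and the `any`/`me` forms shown in the thread.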