From owner-freebsd-questions Tue Oct 20 12:53:00 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA25306 for freebsd-questions-outgoing; Tue, 20 Oct 1998 12:53:00 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA25300 for ; Tue, 20 Oct 1998 12:52:55 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id IAA17502; Wed, 21 Oct 1998 08:48:46 +1300 (NZDT)
Message-Id: <199810201948.IAA17502@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: Dan Busarow, Matt Prigge, FreeBSD Questions List
Date: Wed, 21 Oct 1998 08:48:45 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: More IPFW/natd trouble, but I'm close!
Reply-to: junkmale@xtra.co.nz
CC: Matt Prigge, FreeBSD Questions List
References: <199810200934.WAA15675@witch.xtra.co.nz>
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On 20 Oct 98, at 10:03, Dan Busarow wrote:

> On Tue, 20 Oct 1998, Dan Langille wrote:
> > If I read this correctly, we have two conflicting views. One says do
> > the divert early. The other says do the divert late.
>
> Not sure where you are seeing a divert late view. From the natd
> man page (and Matt's post)
>
>     /sbin/ipfw -f flush
>     /sbin/ipfw add divert natd all from any to any via ed0
>     /sbin/ipfw add pass all from any to any
>
>     The second line depends on your interface (change ed0 as appropriate)
>     and assumes that you've updated /etc/services with the natd entry
>     as above. If you specify real firewall rules, it's best to
>               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     specify line 2 at the start of the script so that natd sees all
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     packets before they are dropped by the firewall. The firewall rules
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     will be run again on each packet after translation by natd, minus
>     any divert rules.

Yes, thanks. I was sure I saw some suggesting the alternative. And I saw
the same recommendation within The Complete FreeBSD.

Cheers.

--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
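To make the ordering argument from the natd(8) excerpt concrete, here is an added Python model (not code from the thread or from FreeBSD) of the rule walk it describes: first match wins, a divert hands the packet to natd, and the rules then run again on the translated packet minus any divert rules. The addresses, the anti-spoof ruleset and the natd session table are constructed assumptions; only the interface name ed0 comes from the thread.

```python
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges): the router's public
# address that natd rewrites to, and one LAN host behind it.
PUBLIC = "203.0.113.5"
LAN_HOST = "192.168.1.10"

def rule(action, src="any", dst="any", iface=None, direction=None):
    """One ipfw rule: action, optional src/dst network, optional 'via' interface and in/out."""
    return {"action": action, "src": src, "dst": dst, "iface": iface, "dir": direction}

def _in_net(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def matches(r, pkt):
    return (_in_net(r["src"], pkt["src"]) and _in_net(r["dst"], pkt["dst"])
            and r["iface"] in (None, pkt["iface"]) and r["dir"] in (None, pkt["dir"]))

def natd(pkt):
    """Model of natd: masquerade private sources going out, un-masquerade replies coming in."""
    if pkt["dir"] == "out" and ipaddress.ip_address(pkt["src"]).is_private:
        return {**pkt, "src": PUBLIC}
    if pkt["dir"] == "in" and pkt["dst"] == PUBLIC:
        return {**pkt, "dst": LAN_HOST}   # assumes an existing natd session for LAN_HOST
    return pkt

def walk(rules, pkt, after_divert=False):
    """First matching rule wins, as in ipfw. A divert passes the packet to natd and then,
    as natd(8) describes, the rules run again on the translated packet minus divert rules."""
    for r in rules:
        if r["action"] == "divert" and after_divert:
            continue
        if not matches(r, pkt):
            continue
        if r["action"] == "divert":
            return walk(rules, natd(pkt), after_divert=True)
        return r["action"], pkt
    return "deny", pkt   # ipfw's implicit default rule denies whatever nothing else matched

FIREWALL = [
    rule("allow", src=PUBLIC, iface="ed0", direction="out"),  # only translated traffic may leave
    rule("deny", iface="ed0", direction="out"),                # anti-spoof: nothing else leaves ed0
    rule("allow"),                                             # everything else (LAN side, replies)
]
DIVERT = rule("divert", iface="ed0")
DIVERT_EARLY = [DIVERT] + FIREWALL   # the ordering natd(8) and Dan Busarow recommend
DIVERT_LATE = FIREWALL + [DIVERT]    # the "divert late" ordering

LAN_OUT = {"src": LAN_HOST, "dst": "198.51.100.7", "iface": "ed0", "dir": "out"}
REPLY_IN = {"src": "198.51.100.7", "dst": PUBLIC, "iface": "ed0", "dir": "in"}

if __name__ == "__main__":
    for name, rules in (("divert early", DIVERT_EARLY), ("divert late", DIVERT_LATE)):
        print(name, "->", walk(rules, LAN_OUT), walk(rules, REPLY_IN))
```

With the divert first, the LAN packet leaves with its source rewritten to the public address; with the divert last, the anti-spoof deny drops it before natd ever sees it, and the reply is passed untranslated to the router itself.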