Date:      Mon, 10 Jul 2000 19:26:36 -0400 (EDT)
From:      Colin <cwass99@home.com>
To:        Doug White <dwhite@resnet.uoregon.edu>
Cc:        freebsd-stable@FreeBSD.ORG
Subject:   Re: natd inconsistencies
Message-ID:  <XFMail.000710192636.cwass99@home.com>
In-Reply-To: <Pine.BSF.4.21.0007101020421.23759-100000@resnet.uoregon.edu>


On 10-Jul-00 Doug White wrote:
> On Sun, 9 Jul 2000, Colin wrote:
> 
>>      The man page recommends putting the divert rule as close to the
>> beginning of the rule set as possible, and the default rule sets seem
>> consistent with this.  I noticed, though, that if I didn't put the rule
>> "deny ip from 192.168.0.0/24 to any in recv ed1" before the divert rule
>> nothing from my internal network (which just happens to be 192.168.0.0/24)
>> would get through.  I assume the prevent-spoofing rules for private
>> networks would have the sam
> 
> This rule would block traffic destined for your own network -- you
> antispoofed yourself!  :)  It *MUST* be before translation takes place,
> and also make sure ed1 is the external interface.
> 
> The 'log' option and 'ipfw show' are handy for firewall debugging.
> 
     I found this rule was the problem using ipfw show (a very useful command
when you're building a ruleset to see what is blocking you), which is why I
moved it.  My concern is that it shouldn't block packets from an external
source (e.g. www.FreeBSD.org ;) to 192.168.0.0/24.  It should only block packets
from that network incoming on the external interface.  I understood natd would
alter the dest addr on the inbound packet if it was in the table but not touch
the source addr.  Is this not the case?  Or am I missing something obvious in
the operation?

Cheers,
Colin



> Doug White                    |  FreeBSD: The Power to Serve
> dwhite@resnet.uoregon.edu     |  www.FreeBSD.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
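The ordering question in this thread, as an added model that is not code from the FreeBSD list, from ipfw or from natd: a small simulator of first-match rule evaluation with a divert rule that hands the packet to a natd-style translation step and resumes at the next rule. The interface names (ed1 external, ed0 internal), the public address 203.0.113.1, the remote host 198.51.100.7 and all ports are assumptions made for the example. It runs three cases: the source-based rule quoted in the mail (`deny ip from 192.168.0.0/24 to any in recv ed1`), a destination-based anti-spoof rule (`deny ip from any to 192.168.0.0/24 in recv ed1`), and the source-based rule mistakenly pointed at the internal interface.

```python
"""Toy model of ipfw evaluation around a natd divert rule (added example).

Only the behaviour relevant to the thread is modelled:
  * rules are tried in order and the first allow/deny wins;
  * a matching 'divert' rule hands the packet to natd and evaluation
    resumes at the next rule with the (possibly) rewritten packet;
  * natd rewrites the SOURCE of outbound packets and the DESTINATION of
    inbound packets found in its table, never the other address.
Interface names, addresses and ports are assumptions for the example.
"""
import ipaddress
from dataclasses import dataclass, replace

EXT_IF = "ed1"             # assumed external interface, where natd runs
INT_IF = "ed0"             # assumed internal interface
PUBLIC_IP = "203.0.113.1"  # assumed public address of the gateway
REMOTE = "198.51.100.7"    # assumed web server out on the Internet
LAN = ipaddress.ip_network("192.168.0.0/24")


def in_lan(addr):
    return ipaddress.ip_address(addr) in LAN


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" (input pass) or "out" (output pass)
    iface: str      # interface the packet crosses on this pass


class Natd:
    """Translation table: public port -> (private address, private port)."""

    def __init__(self):
        self.table = {}
        self.next_port = 50000

    def translate(self, pkt):
        if pkt.direction == "out" and in_lan(pkt.src):
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = (pkt.src, pkt.sport)
            return replace(pkt, src=PUBLIC_IP, sport=port)    # source only
        if pkt.direction == "in" and pkt.dst == PUBLIC_IP and pkt.dport in self.table:
            dst, dport = self.table[pkt.dport]
            return replace(pkt, dst=dst, dport=dport)          # destination only
        return pkt


# Matchers standing in for ipfw rule bodies.
def src_lan_in_recv(ifname):   # "deny ip from 192.168.0.0/24 to any in recv <if>"
    return lambda p: p.direction == "in" and p.iface == ifname and in_lan(p.src)


def dst_lan_in_recv(ifname):   # "deny ip from any to 192.168.0.0/24 in recv <if>"
    return lambda p: p.direction == "in" and p.iface == ifname and in_lan(p.dst)


def via(ifname):               # "divert natd ip from any to any via <if>"
    return lambda p: p.iface == ifname


def everything(p):
    return True


def evaluate(rules, natd, pkt):
    """One pass through the ruleset. Returns (action, rule number, packet)."""
    for number, action, matches in rules:
        if not matches(pkt):
            continue
        if action == "divert":
            pkt = natd.translate(pkt)   # natd re-injects after the divert rule
            continue
        return action, number, pkt
    return "deny", 65535, pkt           # ipfw's default rule


def ruleset(spoof_rule, spoof_before_divert):
    """Anti-spoof deny rule either before or after the divert rule, then allow all."""
    ordered = [("deny", spoof_rule), ("divert", via(EXT_IF))]
    if not spoof_before_divert:
        ordered.reverse()
    ordered.append(("allow", everything))
    return [(100 * (i + 1), action, m) for i, (action, m) in enumerate(ordered)]


def round_trip(rules):
    """A LAN host contacts REMOTE and the reply comes back through natd."""
    natd = Natd()
    pkt = Packet("192.168.0.10", REMOTE, 40000, 80, "in", INT_IF)
    act, num, pkt = evaluate(rules, natd, pkt)                 # input pass, LAN side
    if act == "allow":
        pkt = replace(pkt, direction="out", iface=EXT_IF)
        act, num, pkt = evaluate(rules, natd, pkt)             # output pass, translated here
    outbound = (act, num, pkt.src)
    if act != "allow":
        return {"outbound": outbound, "reply": None}
    reply = Packet(REMOTE, pkt.src, 80, pkt.sport, "in", EXT_IF)
    act, num, reply = evaluate(rules, natd, reply)             # input pass, Internet side
    return {"outbound": outbound, "reply": (act, num, reply.dst)}


def spoofed_inbound(rules):
    """A packet arriving on the external interface claiming a LAN source."""
    act, num, _ = evaluate(rules, Natd(), Packet("192.168.0.77", PUBLIC_IP, 1234, 22, "in", EXT_IF))
    return act, num


if __name__ == "__main__":
    for name, rule in (("src-based", src_lan_in_recv(EXT_IF)), ("dst-based", dst_lan_in_recv(EXT_IF))):
        for before in (True, False):
            where = "before divert" if before else "after divert"
            print(f"{name} rule {where}: {round_trip(ruleset(rule, before))}")
    print("src-based rule on internal if:", round_trip(ruleset(src_lan_in_recv(INT_IF), True)))
```

In this model the source-based rule from the mail admits the reply and drops the spoofed packet whichever side of the divert rule it sits on, because natd leaves the inbound source address alone. The destination-based rule is the one that is order sensitive: after the divert rule it sees replies whose destination natd has already rewritten to 192.168.0.10 and drops them, which is the "antispoofed yourself" failure. Pointing the source-based rule at the internal interface blocks every LAN packet on its input pass before translation is even reached, regardless of ordering. The model leaves out stateful rules, the `recv`/`xmit` distinction for forwarded packets and natd's command-line options, so it is a reasoning aid, not a substitute for `ipfw show` on the real box.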




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.000710192636.cwass99>