From owner-freebsd-questions Tue Oct 20 02:41:15 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA26448 for freebsd-questions-outgoing; Tue, 20 Oct 1998 02:41:15 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from cyclops.xtra.co.nz (cyclops.xtra.co.nz [202.27.184.96]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA26442 for ; Tue, 20 Oct 1998 02:41:13 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by cyclops.xtra.co.nz (8.9.1/8.9.1) with SMTP id WAA21150 for ; Tue, 20 Oct 1998 22:40:45 +1300 (NZDT)
Message-Id: <199810200940.WAA21150@cyclops.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: FreeBSD Questions List
Date: Tue, 20 Oct 1998 22:40:50 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: ipfw: divert natd - early or late?
Reply-to: junkmale@xtra.co.nz
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I run ipfw on my subnet. I also run natd as I have one NIC for the subnet and another for my ISP.

I've seen two conflicting recommendations lately regarding the placement of the divert statement. In fact, rc.firewall for version 2.2.7 comes with natd divert support built in (see below). And it places the divert very high up.

I'd like to know more. Especially consider the fact that I'm having trouble with the following rule when using the simple model:

#$fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}

Direction from the gurus would be appreciated.

Cheers.

extra from rc.firewall:

############
# Flush out the list before we begin.
$fwcmd -f flush

############
# These rules are required for using natd. All packets are passed to natd before
# they encounter your remaining rules. The firewall rules will then be run again
# on each packet after translation by natd, minus any divert rules (see natd(8))
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
    $fwcmd add divert natd all from any to any via ${natd_interface}
fi

--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com
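As an added illustration of the placement question raised in the post (an editor's example, not code from the post or from rc.firewall), the script below prints both orderings of a "simple"-style ruleset as a dry run so they can be compared side by side. The default fwcmd="echo ipfw", the interface name ed0, the pass rule and the 10/8 and 172.16/12 deny lines are assumptions; only the 192.168 rule and the divert rule come from the post.

```shell
#!/bin/sh
# Dry run by default: fwcmd="echo ipfw" prints rules instead of loading them.
# oif (ed0) and natd_interface are assumed names; set fwcmd=/sbin/ipfw on a
# real gateway to load the rules.
fwcmd="${fwcmd:-echo ipfw}"
oif="${oif:-ed0}"
natd_interface="${natd_interface:-$oif}"

# Private-destination checks in the style of the "simple" model (the 192.168
# line is the one from the post; 10/8 and 172.16/12 are added here).
private_nets_deny() {
    $fwcmd add deny all from any to 10.0.0.0:255.0.0.0 via ${oif}
    $fwcmd add deny all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny all from any to 192.168.0.0:255.255.0.0 via ${oif}
}

divert_rule() {
    $fwcmd add divert natd all from any to any via ${natd_interface}
}

# Layout A (the 2.2.7 rc.firewall placement): divert first. An inbound packet
# addressed to the public IP is rewritten by natd to a 192.168.x.x destination,
# re-enters the chain after the divert still "via ${oif}", and is dropped by
# the 192.168 deny rule. This is consistent with the trouble the post reports.
rules_divert_early() {
    $fwcmd -f flush
    divert_rule
    private_nets_deny
    $fwcmd add pass all from any to any
}

# Layout B: deny private destinations first, then divert. The inbound packet is
# checked while it still carries the public address; the translated copy starts
# after the divert, so the deny rules never see a 192.168 destination.
# Outbound LAN traffic passes either way because its destination is public.
rules_divert_late() {
    $fwcmd -f flush
    private_nets_deny
    divert_rule
    $fwcmd add pass all from any to any
}

# 1-based position of the first generated rule containing a fixed string
# (prints nothing if absent); used to check which rule a packet meets first.
rule_index() {   # $1 = layout function, $2 = fixed string
    "$1" | awk -v pat="$2" 'index($0, pat) { print NR; exit }'
}
```

Run it as is to see the two rule lists, or with fwcmd=/sbin/ipfw and real interface names to load one of them.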