Date: Mon, 5 Jan 1998 22:44:37 -0500
From: Charles Henrich <henrich@crh.cl.msu.edu>
To: freebsd-questions@crh.cl.msu.edu
Subject: A day in the life of a packet (NATD) ?
Message-ID: <19980105224436.05995@crh.cl.msu.edu>
Resent-Message-ID: <199801060344.WAA16207@crh.cl.msu.edu>
Hi Guys, could someone out there who knows the FreeBSD internals write up a
quick "Day in the life of a packet" document for the NATD/IPFW case?
Let me clearly display my ignorance by explaining what I think is going on, as
a way of documenting what would be cool to have for inclusion into the FAQs
on NATD/FreeBSD.
Network:
10.0.0.0/8 --- ([ED1] FreeBSD Box [ED0]) --- The Internet
IPFW Rules (I'm creating these on the fly so they could be syntactically
incorrect, but I think the design is correct):
100 allow all from any to any via lo0
200 divert 6668 all from any to any via ed0
300 allow all from THISHOST to any
310 allow all from any to THISHOST
400 allow all from 10.1.0.0/16 to any
500 allow all from 10.0.0.0/8 to INETPROXY
510 allow all from INETPROXY to 10.0.0.0/8
6500 deny all from any to any
netstat -r:
Destination     Gateway             Flags   Refs     Use  Netif Expire
default         MYINETIP            UGSc      31 6956351  ed0
10              link#2              UC         0       0
10.0.0.1        0:0:c0:e1:d0:5c     UHLW       0     196  lo0
10.255.255.255  ff:ff:ff:ff:ff:ff   UHLWb      0     107  ed1
localhost       localhost           UH        11    7600  lo0
A user on host 10.0.0.2 issues a ping for INETPROXY. The ping packet is
picked up by interface ed1. The packet is processed by (IPFW first?) which
tools on through the list of ipfw rules. This packet is matched by rule 500, and
is then passed on to the (FreeBSD network core?) which decides the packet needs
to be routed through interface ed0 as the default gateway. The packet is
again processed by the IPFW rules as it passes into ed0, this time rule 200
matches the packet. NATD sees this is a packet destined for the internet
(HOW does it know??) and replaces 10.0.0.2 with MYINETIP. Then the packet is
read back into the firewall code. The packet then matches ruleset 300 and is
passed back to the FreeBSD network code, which sends it out ed0.
The ping reply is then processed inbound on ed0 by the ipfw rules. Rule 200
again matches and the packet is sent to natd, which replaces the destination IP
with 10.0.0.2 and sends it back to the firewall code, which allows it to pass
on rule 510. Then back to the FreeBSD network code, which determines the
packet needs to be sent out interface ed1... Back into the firewall rules,
again the packet is passed through based on rule 510. Back into FreeBSD's
network code, which burps the packet out ed1...
So, how much of this is correct, and how much is fantasy made to fit my
perception of reality? :)
-Crh
Charles Henrich Michigan State University henrich@msu.edu
http://pilot.msu.edu/~henrich
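The walk described in the message, as an added illustration that is not part of the original post and not FreeBSD or natd code. It is a toy first-match evaluator for the poster's ruleset with a stand-in for natd behind the divert rule, and it encodes two facts about the real machinery: a packet written back into the divert socket re-enters ipfw at the rule after the divert rule, not at the top, and natd tells an outgoing packet from an incoming one by the divert socket metadata (sin_addr is INADDR_ANY for outgoing packets and the arrival interface's address for incoming ones), which the toy reads from a direction field instead. The addresses for MYINETIP, INETPROXY and the ed1 side are constructed (TEST-NET ranges), and ICMP id tracking is simplified to keying on the remote peer.

```python
"""Toy first-match walk of an ipfw ruleset with a divert rule feeding a
NAT daemon. Constructed example; not FreeBSD, ipfw or natd code."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed values for the placeholders in the post (assumptions).
MYINETIP = "203.0.113.5"     # public address on ed0
INSIDEIP = "10.0.0.1"        # address on ed1
INETPROXY = "198.51.100.7"   # the Internet host being pinged
THISHOST = {MYINETIP, INSIDEIP}


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    iface: str       # interface the packet arrives on or leaves by
    direction: str   # "in" or "out"


@dataclass(frozen=True)
class Rule:
    num: int
    action: str      # allow | deny | divert
    src: str
    dst: str
    via: str = None  # "via X" matches packets entering or leaving on X


def matches(spec, addr):
    """Address spec: 'any', the THISHOST placeholder, a host or a CIDR."""
    if spec == "any":
        return True
    if spec == "THISHOST":
        return addr in THISHOST
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# The poster's rules, in order.
RULES = [
    Rule(100, "allow", "any", "any", "lo0"),
    Rule(200, "divert", "any", "any", "ed0"),
    Rule(300, "allow", "THISHOST", "any"),
    Rule(310, "allow", "any", "THISHOST"),
    Rule(400, "allow", "10.1.0.0/16", "any"),
    Rule(500, "allow", "10.0.0.0/8", INETPROXY),
    Rule(510, "allow", INETPROXY, "10.0.0.0/8"),
    Rule(6500, "deny", "any", "any"),
]


class Natd:
    """Stand-in for natd. Real natd learns direction from the divert socket
    (sin_addr is INADDR_ANY for outgoing packets); here we read pkt.direction.
    The translation table is keyed on the remote peer only (simplification)."""

    def __init__(self):
        self.table = {}   # remote peer -> inside host that talked to it

    def alias(self, pkt):
        if pkt.direction == "out":
            self.table[pkt.dst] = pkt.src
            return replace(pkt, src=MYINETIP)
        inside = self.table.get(pkt.src)
        if pkt.dst == MYINETIP and inside:
            return replace(pkt, dst=inside)
        return pkt


def run_rules(pkt, natd, rules=RULES):
    """One ipfw pass. Returns (verdict, rule number, packet as it leaves).
    After a divert, the (possibly rewritten) packet is re-injected and
    matching resumes at the rule after the divert rule."""
    i = 0
    while i < len(rules):
        r = rules[i]
        i += 1
        if r.via is not None and r.via != pkt.iface:
            continue
        if not (matches(r.src, pkt.src) and matches(r.dst, pkt.dst)):
            continue
        if r.action == "divert":
            pkt = natd.alias(pkt)
            continue
        return r.action, r.num, pkt
    return "deny", None, pkt   # ipfw's implicit default


def trace_ping(inside_host="10.0.0.2"):
    """The four ipfw passes for one echo request and its reply."""
    natd = Natd()
    out = []
    legs = [(Pkt(inside_host, INETPROXY, "ed1", "in"), (("ed1", "in"), ("ed0", "out"))),
            (Pkt(INETPROXY, MYINETIP, "ed0", "in"), (("ed0", "in"), ("ed1", "out")))]
    for pkt, hops in legs:
        for iface, direction in hops:
            pkt = replace(pkt, iface=iface, direction=direction)
            verdict, num, pkt = run_rules(pkt, natd)
            out.append((f"{direction} {iface}", verdict, num, pkt.src, pkt.dst))
            if verdict != "allow":
                return out
    return out


if __name__ == "__main__":
    for step in trace_ping():
        print("%-8s %-5s rule %-4s %s -> %s" % step)
```

Run stand-alone it prints one line per pass: rule 500 on the way in on ed1, rule 300 on the way out on ed0 (the source is already MYINETIP when the ruleset resumes after rule 200), rule 510 for the reply both coming in on ed0 (destination rewritten back to 10.0.0.2) and going out on ed1. Anything the table does not know about, such as an unsolicited packet for an inside host, falls through to rule 6500.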
