Date: Sat, 28 Jul 2001 09:14:06 -0500
From: "Richard Seaman, Jr." <dick@seaman.org>
To: hackers@freebsd.org
Subject: Re: natd passes inconsistent addresses to ipfw?
Message-ID: <20010728091406.C1119@seaman.org>
Whoops. Meant to cc this to the list too.

-- 
Richard Seaman, Jr.    email: dick@seaman.org
5182 N. Maple Lane     phone: 262-367-5450
Nashotah WI 53058      fax:   262-367-5852

----- Forwarded message -----

Date: Sat, 28 Jul 2001 09:09:33 -0500
From: "Richard Seaman, Jr." <dick@seaman.org>
To: mikescott@clara.net
Subject: Re: natd passes inconsistent addresses to ipfw?
Message-ID: <20010728090933.B1119@seaman.org>
References: <3B61EFDD.ABD61EC3@newsguy.com> <3B62ADB5.17372.60982A6@localhost>
In-Reply-To: <3B62ADB5.17372.60982A6@localhost>; from mikescott@clara.net on Sat, Jul 28, 2001 at 12:19:01PM +0100

On Sat, Jul 28, 2001 at 12:19:01PM +0100, mikescott@clara.net wrote:
> I'm worried about the logic of the problem -- it seems to me that
> there's no way that nat and the dynamic rules can work together
> correctly, given that both incoming and outgoing packets start at
> the top and work down the same list of rules. The keep-state and
> check-state surely have to be on the same side of the nat,
> because they have to work together *either* on local *or* external
> addresses, not a mixture. But if they're after the nat (as for all
> written examples I've seen), then for incoming packets they operate
> on local addresses, and for outgoing on external addresses, which
> is not what's wanted. If they're before the nat, we never reach the
> nat.
>
> Am I totally at sea here with my understanding of what's going on?
> Does anyone on the list have a working example which they could
> offer, please, and set my mind at rest?

I haven't looked at your specific ruleset, but I too concluded it wasn't
possible to get dynamic rules (keep-state) working properly with nat.
But, I also managed to convince myself that the nat engine itself is, in
effect, a dynamic ruleset, so I decided I didn't care about dynamic rules
with nat. This was a while ago, and I don't remember my analysis all that
well. If you come to a different conclusion after looking at how the nat
engine works, let me know and I'll try to reconstruct my logic.

-- 
Richard Seaman, Jr.    email: dick@seaman.org
5182 N. Maple Lane     phone: 262-367-5450
Nashotah WI 53058      fax:   262-367-5852

----- End forwarded message -----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
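The ordering problem described in the quoted post, as an added illustration that is not part of the original thread and not code from either poster: a toy Python model of ipfw walking one ruleset top to bottom for an outbound packet and its reply, with a deliberately simplified port-preserving natd. The addresses, ports, rule set and the single NAT table are constructed assumptions; real natd and ipfw do considerably more. With the divert rule first, keep-state records the external (post-NAT) source address, but the reply is translated back to the local address before check-state sees it, so the dynamic rule never matches. With the dynamic rules first, the outbound packet is allowed before it ever reaches the divert rule and leaves untranslated.

```python
# Added illustration (not from the original thread): a toy model of an
# ipfw-style ruleset with a natd divert rule, to show why keep-state and
# check-state placed on either side of the divert see a mixture of local
# and external addresses. All addresses and ports are constructed samples.
from dataclasses import dataclass, replace

LOCAL_HOST = "192.168.1.5"   # constructed: LAN client behind the gateway
EXT_IP = "203.0.113.10"      # constructed: gateway's public address
REMOTE = "198.51.100.7"      # constructed: server on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" (leaving via the external interface) or "in"


class Natd:
    """Simplified natd (assumption): port-preserving, one translation table."""

    def __init__(self, ext_ip):
        self.ext_ip = ext_ip
        self.table = {}  # external port -> (local ip, local port)

    def translate(self, p):
        if p.direction == "out":
            # Outbound: remember the mapping, rewrite the source to the public IP.
            self.table[p.sport] = (p.src, p.sport)
            return replace(p, src=self.ext_ip)
        # Inbound: rewrite the destination back to the local host if known.
        entry = self.table.get(p.dport)
        if entry is None:
            return p
        return replace(p, dst=entry[0], dport=entry[1])


def run_ruleset(pkt, nat, state, nat_first=True):
    """Walk a tiny ruleset top to bottom for one packet, ipfw style.

    nat_first=True  models: divert natd; check-state; allow out keep-state; deny
    nat_first=False models: check-state; allow out keep-state; divert natd; deny
    Returns (verdict, packet as last seen by the ruleset, whether divert ran).
    """
    diverted = False

    def divert():
        nonlocal pkt, diverted
        pkt = nat.translate(pkt)
        diverted = True

    def check_state():
        # A dynamic rule matches the recorded 4-tuple in either direction.
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in state or rev in state

    def keep_state_out():
        # "allow tcp from any to any out keep-state": record whatever
        # addresses the packet carries at this point in the ruleset.
        if pkt.direction == "out":
            state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    if nat_first:
        divert()
    if check_state():
        return "allow:check-state", pkt, diverted
    if keep_state_out():
        return "allow:keep-state", pkt, diverted
    if not nat_first:
        divert()
    return "deny", pkt, diverted


def demonstrate(nat_first=True):
    """Send one outbound connection attempt and its reply through the ruleset."""
    nat = Natd(EXT_IP)
    state = set()
    out = Packet(LOCAL_HOST, 40000, REMOTE, 80, "out")
    reply = Packet(REMOTE, 80, EXT_IP, 40000, "in")
    v_out, seen_out, d_out = run_ruleset(out, nat, state, nat_first)
    v_in, seen_in, d_in = run_ruleset(reply, nat, state, nat_first)
    return {
        "out": (v_out, seen_out.src, d_out),   # verdict, source as recorded, diverted?
        "in": (v_in, seen_in.dst, d_in),       # verdict, destination at check-state, diverted?
        "state": sorted(state),
    }


if __name__ == "__main__":
    for order in (True, False):
        print("divert first" if order else "dynamic rules first", demonstrate(order))
```

Running it shows the two failure modes the post describes: with the divert first, the dynamic entry holds `203.0.113.10` while the reply arrives at check-state already rewritten to `192.168.1.5` and is denied; with the dynamic rules first, the outbound packet is allowed with `diverted` still false, so it leaves carrying the private source address.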
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010728091406.C1119>