Date: Wed, 23 Oct 2002 20:16:51 -0400 (EDT) From: Andriy Gapon <agapon@excite.com> To: freebsd-ipfw@freebsd.org Subject: Re: Natd plus statefull connections impossible? (revisited) Message-ID: <20021023200139.R79979-100000@edge.foundation.invalid>
Revisiting this issue, here are 2 ideas that I have encountered:

1. Since NAT is a stateful process in itself, you usually don't want to have stateful rules for packets that were successfully translated to be destined for your private network. It is quite easy to construct rules that divert the proper packets to natd and allow 'natd recognized' packets immediately after the divert rule(s). You can put other rules (e.g. stateful rules for the gateway itself) after you are done with translated packets. This has the added benefit, in case you use natd redirect_*, that you won't need to have a special matching ipfw rule for each redirect_* option.

2. Or, you can use this quite elegant ruleset utilizing a skipto rule: http://www.unixfaq.ru/index.pl?req=qs&id=286 The page is in Russian, but the rules are in ipfw-ish :-) and each has a comment in English.

Decide for yourself: do you trust natd and could use a tiny performance benefit, or do you want to be as secure as possible, double-checking natd with ipfw.

-- 
Andriy Gapon
* "Never try to outstubborn a cat." Lazarus Long, "Time Enough for Love"