From: arnee <arnee@geocities.com>
Date: Thu, 24 Feb 2000 04:13:34 -0800
To: freebsd-current@FreeBSD.ORG
Subject: Re: natd, firewall, and RFC1918...? apologies!
Message-ID: <38B5206E.E84E7AC3@geocities.com>
References: <38B50B92.2D399CA3@geocities.com>

Sorry, I'm supposed to post this under freebsd-questions. This should teach me about posting early in the morning :-)

To continue the questions... if the sample ipfw rule "deny all from any to 192.168.0.0/16 via outside_interfaces" doesn't always work, should it be included in the rc.firewall example?

arnee wrote:

> I have been wondering what the right answer to this scenario is. Here is
> the scenario:
>
> machine A -- outside ip (internet)
> machine B -- router, natd, registered ip and set to stop RFC1918 on the
> public interface
> machine C -- inside LAN, unregistered ip 192.168.0.0/16
>
> When I connect to machine A from machine C, machine B (natd) seems to
> translate the addresses correctly like this:
>
> Out [TCP] "machine C's ip" --> "machine A's ip" aliased to
>     [TCP] "machine B's ip" --> "machine A's ip"
>
> but when the packet comes back in, I get this:
>
> In  [TCP] "machine A's ip" --> "machine B's ip" aliased to
>     [TCP] "machine A's ip" --> "machine C's ip"
>                                ^ ^ ^ ^ ^ ^ ^ ^
>
> and this breaks my ipfw rule of:
>
> "deny ip from any to 192.168.0.0/16 via outside_interface" ... which is
> part of the example from rc.firewall "stopping RFC1918 on the public
> interface." So, I always just delete this rule to get the packet inside
> the LAN.
>
> questions are:
>
> 1. Is this right? Is natd behaving correctly when the packet comes back
> in for unregistered ips? I would think that it would be aliased like
> this: "machine B's ip" --> "machine C's ip".... like a proxy? But this
> would still break the rule "... from any ...".
> 2. If so, is it correct to not include the ipfw rule above when stopping
> RFC1918? Better yet, what is the correct way of writing the rule?
>
> correct me if my assumptions are wrong.
>
> using 4.0current-2000.02.14
> ---
> arnee
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-current" in the body of the message
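The behaviour described in the thread follows from rule order: ipfw hands an inbound packet to natd at the divert rule, natd rewrites the destination from machine B's public address to machine C's 192.168.x.x address, and evaluation then continues at the next rule, so a later "deny all from any to 192.168.0.0/16 via outside_interface" matches the translated packet. As an added example (not from the list thread and not FreeBSD's own rc.firewall code), the dry-run sh fragment below shows one ordering that keeps the RFC1918 checks without dropping translated replies: destination checks go before the divert (an inbound reply still carries the public address there) and source checks go after it (an outbound LAN packet has already been rewritten to the public source there). The interface names, the LAN prefix and the dry-run fwcmd="echo ipfw" are assumptions for illustration.

```shell
#!/bin/sh
# Added example: rc.firewall-style rule ordering for natd plus RFC1918 checks.
# Interface names, networks and the dry-run fwcmd below are assumptions.
oif="${oif:-ed0}"                 # assumed outside (public) interface
iif="${iif:-ed1}"                 # assumed inside interface
inet="${inet:-192.168.1.0/24}"    # assumed inside LAN prefix
fwcmd="${fwcmd:-echo ipfw}"       # dry run: print the rules instead of loading them

gen_rules() {
    # Destination checks run BEFORE natd rewrites the packet. An inbound reply
    # still has machine B's public address as destination here, so it is not
    # matched; a packet that really arrives on the public interface addressed
    # to a private network is.
    ${fwcmd} add deny all from any to 10.0.0.0/8 via "${oif}"
    ${fwcmd} add deny all from any to 172.16.0.0/12 via "${oif}"
    ${fwcmd} add deny all from any to 192.168.0.0/16 via "${oif}"

    # Translation point. After this rule an inbound reply carries machine C's
    # private destination, but the destination checks above have already run.
    ${fwcmd} add divert natd all from any to any via "${oif}"

    # Source checks run AFTER the divert. An outbound LAN packet has already
    # been rewritten to the public source and passes; a packet on the public
    # interface that still has a private source is spoofed and is dropped.
    ${fwcmd} add deny all from 10.0.0.0/8 to any via "${oif}"
    ${fwcmd} add deny all from 172.16.0.0/12 to any via "${oif}"
    ${fwcmd} add deny all from 192.168.0.0/16 to any via "${oif}"

    # Placeholder for the remaining policy; a real ruleset is more selective.
    ${fwcmd} add pass all from any to any
}

# In dry-run mode this prints the eight rules in the order they would be loaded.
gen_rules
```

Run as-is to see the ordering; setting fwcmd to the real ipfw binary loads the rules instead of printing them. The rule for machine A to machine C traffic then behaves as follows: on the way out, the packet from 192.168.x.x does not match the destination checks, is rewritten to machine B's source at the divert, and passes the source checks; on the way back, it does not match the destination checks while still addressed to machine B, is rewritten to machine C at the divert, and the source checks only look at machine A's address.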