From: Paulo Roberto <nirv199@yahoo.com>
To: Paulo Roberto, freebsd-questions@freebsd.org
Date: Sun, 8 Sep 2002 09:53:55 -0700 (PDT)
Subject: Re: simple questions about ipfw + natd rules
Message-ID: <20020908165355.42165.qmail@web14912.mail.yahoo.com>
In-Reply-To: <20020908163958.35715.qmail@web14912.mail.yahoo.com>
List: freebsd-questions@FreeBSD.ORG

I forgot to ask one more question: is there a way to "keep-state" of a packet before it gets masqed?

If I make the following rule:

    ipfw add 123 divert natd all from some_local_host to some_remote via ed1 keep-state

will it get the packet state before it gets masqed? So when a packet of the same connection gets back, it will be accepted by a "check-state" rule? And when it is accepted, will it go back to the owner (the natd process) and then go back to the first firewall rule? So then do I need to add a rule like "pass all from some_remote to some_local_host"? Or will that first "keep-state" rule take care of it?

TIA

--- Paulo Roberto wrote:
> Hello,
>
> I am having some trouble trying to picture the ipfw+natd algorithm to
> implement my firewall rules.
>
> When I divert some packets to natd, natd then masqs them and resends
> them to firewall rule number one, right? It does not get to the
> rule after the one where the packet was diverted?
>
> So, in the same example, if I add a dynamic rule like "from me to any
> keep-state", this rule will apply to this packet after it was masqed,
> and when the response gets back it is accepted by a "check-state"
> rule, and then the "process owner" of this packet is *natd* and not
> the original address, right?
>
> So the same packet is delivered to natd, and then natd de-masqs it and
> _again_ puts it through firewall rule number one (and so on...)?
>
> So, for one packet going out or in, it gets processed *two* times by
> all firewall rules (of course, first match wins...), is this correct?
>
> I am just concerned about the processing time of each packet and its
> delay time on a busy link.
>
> TIA
>
> PR
>
> __________________________________________________
> Do You Yahoo!?
> Yahoo! Finance - Get real-time stock quotes
> http://finance.yahoo.com
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
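The ordering question raised in this message (where to record state relative to the natd divert so that the state entry survives masquerading) is illustrated by the following rc.firewall-style ruleset. It is an added example, not code from the thread or from the FreeBSD project; the interface names ed1 (outside) and ed0 (inside) and the LAN 192.168.1.0/24 are assumptions, and the hypothetical variable fwcmd defaults to echo so the script dry-runs anywhere (set fwcmd=/sbin/ipfw on the gateway). It relies on two documented ipfw behaviours: a packet reinjected by natd continues at the rule after the divert rule, not at rule one, and a check-state hit executes the action of the rule that created the dynamic entry. That is why the keep-state rules use skipto to the outbound divert rather than allow (an allow would let later packets of the same connection bypass NAT), and why inbound traffic is de-NATed before check-state, so that both directions are keyed on the private address.

```shell
#!/bin/sh
# Added example (not from the post). Assumed names: fwcmd, oif, iif, inet.
fwcmd="${fwcmd:-echo}"          # dry-run by default; use /sbin/ipfw on a gateway
oif="${oif:-ed1}"               # outside interface (assumption)
iif="${iif:-ed0}"               # inside interface (assumption)
inet="${inet:-192.168.1.0/24}"  # LAN behind the NAT (assumption)

natd_ruleset() {
    $fwcmd -f flush

    # Inbound on the outside interface is un-NATed FIRST. natd rewrites the
    # public destination back to the LAN host and reinjects the packet, which
    # then continues at the rule after this one (101), not at rule 1.
    $fwcmd add 100 divert natd ip from any to any in via $oif

    # A de-NATed reply that matches a dynamic entry executes the parent rule's
    # action (skipto 800 below) and is finally accepted by rule 801.
    $fwcmd add 101 check-state

    # Traffic on the inside interface is trusted in this example.
    $fwcmd add 200 allow ip from any to any via $iif

    # Outbound: the dynamic entry is created here, BEFORE NAT, so it is keyed
    # on the private address (local -> remote). The de-NATed reply
    # (remote -> local) is exactly the reverse of that key.
    $fwcmd add 300 skipto 800 tcp from $inet to any out via $oif setup keep-state
    $fwcmd add 301 skipto 800 udp from $inet to any out via $oif keep-state
    $fwcmd add 302 skipto 800 icmp from $inet to any out via $oif keep-state

    # Anything from the outside that no state entry claimed.
    $fwcmd add 400 deny log ip from any to any in via $oif

    # Outbound NAT happens last; the masqueraded packet natd reinjects
    # continues at 801 and leaves. An inbound reply sent here by check-state
    # does not match 800 ("out" only) and is accepted by 801.
    $fwcmd add 800 divert natd ip from any to any out via $oif
    $fwcmd add 801 allow ip from any to any

    $fwcmd add 999 deny log ip from any to any
}

natd_ruleset
```

Trace of one connection under this ruleset: the first outbound packet from the LAN host passes 200 on its way in via ed0, then on the out pass via ed1 creates state at 300, is diverted at 800, reinjected masqueraded and allowed at 801 (one pass through rules 100-300 plus one through 801, not two full passes). The reply is de-NATed at 100, matched at 101, skipped past 800 and allowed at 801. On FreeBSD releases that ship in-kernel ipfw nat, the same layout applies with `nat` in place of `divert natd`.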