Date: Mon, 14 Jan 2002 09:40:23 +0100
From: Andreas Klemm <andreas@FreeBSD.ORG>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FIREWALL_FORWARD vs. using /sbin/natd ?
Message-ID: <20020114084023.GB1929@titan.klemm.gtn.com>
In-Reply-To: <20020113232541.E24290@blossom.cjclark.org>
References: <20020113105636.GA88221@titan.klemm.gtn.com> <20020113232541.E24290@blossom.cjclark.org>
On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > I found a document describing a firewall design only using natd
> > for redirects to internal network resources. (Hi Marshall, therefore
> > Cc: to you, since it's yours and I have a question).
> >
> > http://www.rootprompt.net/freebsd_firewall.html
> >
> > Based on this information I think I could get rid of natd entirely.
>
> Why do you say that? His example uses natd(8).

He uses it only on the internal network card to redirect 2 applications
to inside machines. Look in the config!

> > See my previous mail, my problem was that I can't get it to run
> > for a typical 2 NIC configuration with internal network, DMZ and
> > a router in front of a 512k leased line.
>
> You didn't include your firewall rules.

I only sent it privately. They are, as I told, the templates from
"simple", I only added ssh ... but this doesn't break the logic.

> > Or is this my NAT problem, that additionally I have to use the kernel
> > option FIREWALL_FORWARD,
>
> You don't need it.

o.k.

> > to get NAT for internal users running,
> > though all other documents state that only IPFIREWALL and
> > IPDIVERT are needed ???
>
> But it shouldn't cause problems.
>
> > Therefore the question, is using FIREWALL_FORWARD a good
> > replacement for /sbin/natd if you want to give users of
> > the internal network access to the outside world ?
>
> FIREWALL_FORWARD has nothing to do with NAT.
>
> > Are there some things to take care of when using FIREWALL_FORWARD ?
>
> Yes, but nothing to do with NAT.

BUT WHAT does FIREWALL_FORWARD actually do ????
What happens if I define it in the kernel and stop NAT? Can internal
machines communicate to the outside then? What can outside machines
do then? Does it produce a hole in the firewall? Or is it something
like stateful NAT?

	Andreas ///

--
Andreas Klemm - Powered by FreeBSD
Need a magic printfilter today ? http://www.apsfilter.org/
Songs from our band >> 64Bits << http://www.64bits.de
Unofficial band pages with add-on stuff http://www.apsfilter.org/64bits.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE8Qpl2d3o+lGxvbLoRAntbAKC5D2dIiwKTDE1SB/o7jddZdaS9eQCgsLte
MHO6ix4+ksKW91txgjUJkXM=
=at1W
-----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020114084023.GB1929>
