From owner-freebsd-net Mon Jan 14 0:50:16 2002
Date: Mon, 14 Jan 2002 09:40:23 +0100
From: Andreas Klemm
To: "Crist J . Clark"
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FIREWALL_FORWARD vs. using /sbin/natd ?
Message-ID: <20020114084023.GB1929@titan.klemm.gtn.com>
References: <20020113105636.GA88221@titan.klemm.gtn.com> <20020113232541.E24290@blossom.cjclark.org>
In-Reply-To: <20020113232541.E24290@blossom.cjclark.org>
User-Agent: Mutt/1.3.23.1i
X-Operating-System: FreeBSD 4.5-RC

On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > I found a document describing a firewall design only using natd
> > for redirects to internal network resources. (Hi Marshall, therefore
> > Cc: to you, since it's yours and I have a question).
> > 
> > http://www.rootprompt.net/freebsd_firewall.html
> > 
> > Based on this information I think I could get rid of natd entirely.
> 
> Why do you say that?
His example uses natd(8). He uses it only on the internal network card to redirect
2 applications to inside machines. Look in the config !

> > See my previous mail, my problem was, that I can't get it to run
> > for a typical 2 NIC configuration with internal network, DMZ and
> > a router in front of a 512k leased line.
> 
> You didn't include your firewall rules.

I only sent it privately. They are, as I told, the templates from "simple",
I only added ssh ... but this doesn't break the logic.

> > Or is this my NAT problem, that additionally I have to use the kernel
> > option FIREWALL_FORWARD,
> 
> You don't need it.

o.k.

> > to get NAT for internal users running,
> > 'though all other documents state, that only IPFIREWALL and
> > IPDIVERT are needed ???
> 
> But it shouldn't cause problems.
> 
> > Therefore the question, is using FIREWALL_FORWARD a good
> > replacement for /sbin/natd if you want to give users of
> > the internal network access to the outside world ?
> 
> FIREWALL_FORWARD has nothing to do with NAT.
> 
> > Are there some things to take care of, when using FIREWALL_FORWARD ?
> 
> Yes, but nothing to do with NAT.

BUT WHAT does FIREWALL_FORWARD actually do ????
What happens if I define it in the kernel and stop NAT?
Can internal machines communicate with the outside then?
What can outside machines do then?
Does it produce a hole in the firewall?
Or is it something like stateful NAT?

	Andreas
	///

-- 
Andreas Klemm                            - Powered by FreeBSD
Need a magic printfilter today ?
http://www.apsfilter.org/
Songs from our band >> 64Bits <<                 http://www.64bits.de
Inofficial band pages with add-on stuff          http://www.apsfilter.org/64bits.html
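An added example for the two-NIC gateway the thread is about; it is not the author's ruleset, nor the one from rootprompt.net. It is a small sh script that prints a natd.conf and an ipfw(8) rule file for the conventional layout (natd diverted on the outside interface, two services redirected to inside hosts), so the place where NAT actually happens is visible as a single divert rule. The interface names (ed0, ed1), the 192.168.1.0/24 network, the inside host addresses and the redirected ports are constructed placeholders and must be replaced. The kernel needs only IPFIREWALL and IPDIVERT for this; IPFIREWALL_FORWARD is only required for a "fwd" rule, which changes a packet's next hop and translates no addresses, and no such rule appears here.

```shell
#!/bin/sh
# Added example, not from the thread or from rootprompt.net. Generates the
# configuration for a two-NIC ipfw + natd gateway: natd is diverted on the
# external interface and forwards two services to inside hosts. Every
# interface name, address and port below is a constructed placeholder.
oif="${OIF:-ed0}"                       # assumed external NIC (towards the router)
iif="${IIF:-ed1}"                       # assumed internal NIC
inet="${INET:-192.168.1.0/24}"          # constructed internal network
www_host="${WWW_HOST:-192.168.1.10}"    # constructed inside web server
mail_host="${MAIL_HOST:-192.168.1.11}"  # constructed inside mail server
natd_port=8668                          # natd's default divert port

# Print /etc/natd.conf: translate on the outside NIC, forward two ports in.
natd_conf() {
    cat <<EOF
interface ${oif}
use_sockets yes
same_ports yes
redirect_port tcp ${www_host}:80 80
redirect_port tcp ${mail_host}:25 25
EOF
}

# Print an ipfw rule file (load it with "ipfw -q <file>" after "ipfw -f flush").
# Only IPFIREWALL and IPDIVERT are needed for this. A "fwd" rule (transparent
# proxying) would additionally need options IPFIREWALL_FORWARD, and even then
# it only changes the next hop of a packet; it does not translate addresses.
fw_rules() {
    cat <<EOF
# loopback and anti-spoofing come first, before anything is translated
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
add 130 deny ip from ${inet} to any in via ${oif}
# every packet crossing the outside NIC is handed to natd (inbound: de-NAT,
# outbound: NAT); it re-enters ipfw at the next rule with rewritten addresses
add 200 divert ${natd_port} ip from any to any via ${oif}
# anything inside may start a session to the outside; DNS replies may come back
add 300 allow tcp from ${inet} to any out via ${oif} setup
add 310 allow udp from ${inet} to any 53 out via ${oif}
add 320 allow udp from any 53 to ${inet} in via ${oif}
# only the two redirected services accept new inbound connections
add 400 allow tcp from any to ${www_host} 80 in via ${oif} setup
add 410 allow tcp from any to ${mail_host} 25 in via ${oif} setup
# ssh from the inside (the kind of rule the author mentions adding)
add 420 allow tcp from ${inet} to any 22 in via ${iif} setup
# replies of established sessions; log any other connection attempt
add 500 allow tcp from any to any established
add 510 deny log tcp from any to any setup
add 65000 deny log ip from any to any
EOF
}

# Stand-alone run: show what would be loaded.
natd_conf
echo
fw_rules
```

Rule 200 is the only point where translation occurs; if natd is stopped, packets still pass the divert rule (nothing is listening on the divert port, so they are dropped), and no kernel option changes that. Note also that the anti-spoofing rule 130 sits before the divert, so it is checked against the untranslated addresses.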