Date: 25 Feb 2000 16:44:15 -0800
From: Joel Ray Holveck <joelh@gnu.org>
To: arnee <arnee@geocities.com>
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: natd, firewall, and RFC1918...?
Message-ID: <86ema0ssgw.fsf@detlev.piqnet.org>
In-Reply-To: arnee's message of "Thu, 24 Feb 2000 02:44:34 -0800"
References: <38B50B92.2D399CA3@geocities.com>
> 1. Is this right? Is natd behaving correctly when the packet comes back
> in for unregistered ips? I would think that it would be aliased to like
> this, "machine B's ip" --> machine C's ip".... like a proxy? But this
> would still break the rule "... from any ...".

I am going to assert that the behavior shown is correct. If you were to
change the IP, then machine C would not recognize the packet as part of
the same connection. If you want a proxy, use a proxy. If you want NAT,
that's something different.

I simply address the issue by blocking those packets on a rule before I
send them through the NAT. This also has the advantage that after the
NAT line, I know that anything internal is part of an established
connection; that's invaluable for UDP, or was before we added dynamic
rule support.

Best,
joelh

-- 
Joel Ray Holveck - joelh@gnu.org
Fourth law of programming:
Anything that can go wrong wi
sendmail: segmentation violation - core dumped

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
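The ordering Joel describes, written out as an ipfw ruleset for a natd gateway: the RFC1918 denies sit on the outside interface before the divert rule, so that any packet which reaches the rules after the divert with an inside-network destination was necessarily rewritten by natd from an existing alias-table entry. This is an added example, not code from the thread or from FreeBSD's own rc.firewall. The interface names ed0/ed1, the inside network 192.168.1.0/24, the rule numbers, and natd listening on the "natd" divert port from /etc/services are all assumptions; FWCMD defaults to a dry run, so the script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeBSD's rc.firewall):
# an ipfw ruleset for a natd gateway that drops RFC1918 traffic on the
# outside interface BEFORE the divert rule. Everything after the divert
# that carries an inside-network destination was therefore rewritten by
# natd, i.e. it belongs to a session natd already knew about.
#
# Assumptions (hypothetical, adjust for the real gateway):
#   OIF  outside interface, IIF inside interface, INET the inside network,
#   natd bound to the "natd" divert port from /etc/services.
# FWCMD defaults to a dry run that only prints the commands, so the script
# can be read and tested anywhere; on the gateway use FWCMD=/sbin/ipfw.

oif="${OIF:-ed0}"
iif="${IIF:-ed1}"
inet="${INET:-192.168.1.0/24}"
rfc1918_nets="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Emit the ruleset, one ipfw argument list per line, in evaluation order.
ruleset() {
    echo "-f flush"
    echo "add 100 allow all from any to any via lo0"
    # The inside interface is trusted in this example.
    echo "add 110 allow all from any to any via $iif"

    # 1. Drop RFC1918 traffic on the outside interface before natd sees it:
    #    inbound packets with a private source, and packets in either
    #    direction with a private destination. An untranslated inbound
    #    packet addressed straight to the inside net dies here too, which
    #    is what makes step 3 safe.
    n=200
    for net in $rfc1918_nets; do
        echo "add $n deny all from $net to any in via $oif"
        n=$((n + 1))
        echo "add $n deny all from any to $net via $oif"
        n=$((n + 1))
    done

    # 2. Hand the remaining outside traffic to natd. Rewritten packets
    #    re-enter the ruleset at the rule after the divert.
    echo "add 300 divert natd all from any to any via $oif"

    # 3. After the divert, an inbound packet whose destination lies in $inet
    #    got that address from natd's alias table, so it is the reply half
    #    of a connection an inside host opened. A plain allow is enough,
    #    even for UDP, with no dynamic rules.
    echo "add 400 allow udp from any to $inet in via $oif"
    echo "add 410 allow tcp from any to $inet in via $oif established"
    # Outbound packets have already been rewritten to the gateway's address.
    echo "add 420 allow all from any to any out via $oif"

    echo "add 65000 deny log all from any to any"
}

# Sanity check on the emitted text: every RFC1918 deny must precede the divert.
check_order() {
    divert=$(printf '%s\n' "$1" | grep -n 'divert natd' | head -1 | cut -d: -f1)
    last_deny=$(printf '%s\n' "$1" \
        | grep -nE 'deny .*(10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16)' \
        | tail -1 | cut -d: -f1)
    [ -n "$divert" ] && [ -n "$last_deny" ] && [ "$last_deny" -lt "$divert" ]
}

# Feed the ruleset to ipfw (or, in the default dry run, to echo).
apply_ruleset() {
    fwcmd="${FWCMD:-echo ipfw}"
    ruleset | while read -r args; do
        $fwcmd $args
    done
}

rules=$(ruleset)
if check_order "$rules"; then
    apply_ruleset
else
    echo "RFC1918 deny rules must come before the divert rule" >&2
    exit 1
fi
```

Run it as-is to print the generated rules; on the gateway, `FWCMD=/sbin/ipfw sh natd-rules.sh` loads them. Rules 400 and 410 depend entirely on the 2xx denies: remove those, and an inbound packet that arrives on the outside interface already addressed to 192.168.1.x would pass natd untouched and then match rule 400.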
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86ema0ssgw.fsf>
