From: Joel Ray Holveck
To: arnee
Cc: freebsd-current@FreeBSD.ORG
Subject: Re: natd, firewall, and RFC1918...?
Date: 25 Feb 2000 16:44:15 -0800
In-Reply-To: arnee's message of "Thu, 24 Feb 2000 02:44:34 -0800"
References: <38B50B92.2D399CA3@geocities.com>
Message-ID: <86ema0ssgw.fsf@detlev.piqnet.org>

> 1. Is this right? Is natd behaving correctly when the packet comes back
> in for unregistered ips? I would think that it would be aliased to like
> this, "machine B's ip" --> "machine C's ip".... like a proxy? But this
> would still break the rule "... from any ...".

I am going to assert that the behavior shown is correct. If you were to
change the IP, then machine C would not recognize the packet as part of
the same connection. If you want a proxy, use a proxy. If you want NAT,
that's something different.

I simply address the issue by blocking those packets on a rule before I
send them through the NAT. This also has the advantage that after the
NAT line, I know that anything internal is part of an established
connection; that's invaluable for UDP, or was before we added dynamic
rule support.

Best,
joelh

-- 
Joel Ray Holveck - joelh@gnu.org
Fourth law of programming: Anything that can go wrong wi
sendmail: segmentation violation - core dumped
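An added example of the rule order Joel describes (this is not code from his
mail, nor FreeBSD's own rc.firewall): the RFC 1918 anti-spoofing denies sit
before the natd divert rule, so natd never sees a packet that claims a private
source address on the outside interface, and everything after the divert that
is addressed to the internal network can only be a reply natd rewrote for an
existing translation. The interface names fxp0 and xl0, the internal network
192.168.1.0/24 and the rule numbers are assumptions; the divert port "natd"
is the default natd listens on.

```shell
#!/bin/sh
# Added example, not from the original mail. Assumed names: fxp0 (outside),
# xl0 (inside), 192.168.1.0/24 (inside network). Run with "apply" to load the
# rules; run with IPFW=echo and "apply" to preview them without touching ipfw.
IPFW="${IPFW:-ipfw}"
EXT_IF="${EXT_IF:-fxp0}"                 # assumed public interface
INT_IF="${INT_IF:-xl0}"                  # assumed internal interface
INT_NET="${INT_NET:-192.168.1.0/24}"     # assumed internal RFC 1918 network

# Emit the rule set in order. With IPFW=echo this prints one rule per line,
# which is what the ordering check below relies on.
nat_rules() {
    $IPFW -f flush

    # 1. Anti-spoofing, BEFORE the divert: no packet arriving on the outside
    #    interface may carry an RFC 1918 source. Logging needs
    #    net.inet.ip.fw.verbose=1 to show up in syslog.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPFW add 100 deny log ip from "$net" to any in via "$EXT_IF"
    done

    # 2. Translate everything crossing the outside interface. natd must be
    #    running on this interface, e.g. "natd -interface $EXT_IF".
    $IPFW add 200 divert natd ip from any to any via "$EXT_IF"

    # 3. After the divert, an inbound packet whose destination is now an
    #    internal address was rewritten by natd, i.e. it belongs to a
    #    translation an inside host opened. Rule 1 already guarantees the
    #    source is not private, so this is the only way traffic reaches
    #    $INT_NET from outside.
    $IPFW add 300 allow ip from any to "$INT_NET" in via "$EXT_IF"

    # 4. Outbound packets have already had their source rewritten to the
    #    public address by the time they get here.
    $IPFW add 400 allow ip from any to any out via "$EXT_IF"

    # 5. Inside and loopback are trusted. Public-facing services on the
    #    firewall itself would need explicit rules added before rule 65000.
    $IPFW add 500 allow ip from any to any via "$INT_IF"
    $IPFW add 500 allow ip from any to any via lo0

    # 6. Anything else arriving from outside (untranslated packets aimed at
    #    the public address, unsolicited UDP, etc.) is dropped and logged.
    $IPFW add 65000 deny log ip from any to any
}

if [ "${1:-}" = "apply" ]; then
    nat_rules
fi
```

The ordering is the whole point: if the deny rules were moved below rule 200,
a forged packet with a 192.168.x.x source that happened to match a natd
translation would be rewritten and then accepted by rule 300.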