From owner-freebsd-questions Wed Dec 13 22:15:46 2000
From owner-freebsd-questions@FreeBSD.ORG Wed Dec 13 22:15:44 2000
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from smtp.nwlink.com (smtp.nwlink.com [209.20.130.57]) by hub.freebsd.org (Postfix) with ESMTP id 5036037B400 for ; Wed, 13 Dec 2000 22:15:44 -0800 (PST)
Received: from utah (jcwells@utah.nwlink.com [209.20.130.41]) by smtp.nwlink.com (8.9.3/8.9.1) with SMTP id WAA23368 for ; Wed, 13 Dec 2000 22:15:43 -0800 (PST)
Date: Wed, 13 Dec 2000 22:29:55 -0800 (PST)
From: "Jason C. Wells"
X-Sender: jcwells@utah
To: freebsd-questions@freebsd.org
Subject: Clarification on IPFW + NAT
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I have my firewall working. I am having trouble setting up parts of it for
things like UDP based games. I know how the games connect by viewing
tcpdump output. Even with this info I am thwarted. I gather that I have a
conceptual error somewhere that keeps me from figuring this out.

From the man pages I know that a packet running through a gateway is passed
through IPFW twice, presumably once for each interface. I also know that
packets that are diverted re-enter at the next rule number.

Would someone please tell me if this flow chart of IPFW, NATD and
net.inet.ip.forwarding is correct? The one question I have is when does the
interface to which the packet "belongs" change? My best guess is shown
below.

Packet Passing from Internal to External
OIF = outside interface
IIF = inside interface

  The internal network
          |
          |
         IIF
          |
          |
     IPFW Rules ---> Drop
          |
          |
         Pass
          |
          |
     Forward To OIF? ---> NO ---> IIF ---> The internal network
          |
          |
         YES
          |
          |
     IPFW Rules ---> Drop
          |
          |
     Match divert rule at rule # N ---> NATD Mangles Packet
          |                                      |
          |--------------------------------------|
          |
     Re-enter IPFW at rule # N+1
          |
          |
         OIF
          |
          |
  The external network

Thank you,
Jason C. Wells

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
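The two-pass traversal the message asks about, as an added example that is not part of the original post and not FreeBSD's own code: a small Python model of a packet crossing an ipfw + natd gateway, once as an "in" pass on the interface it arrived on and once as an "out" pass on the interface it leaves by, with a divert rule that hands the packet to a toy NAT and re-enters the rule list at the next rule number. The interface names (ed0, tun0), the addresses, the rule numbers and the port allocation scheme are assumptions made for the example; the third scenario shows why an unsolicited inbound UDP packet never reaches an inside host: natd has no mapping for it and leaves it addressed to the gateway itself.

```python
"""Toy model of ipfw(8) + natd(8) packet flow through a gateway.

Every forwarded packet makes two passes through the rule list: an 'in'
pass on the arrival interface and an 'out' pass on the exit interface.
A divert rule hands the packet to NAT and the (possibly rewritten)
packet re-enters at the next rule number.  Names and numbers below are
assumptions for the example, not values from the original message.
"""
from dataclasses import dataclass, replace

IIF, OIF = "ed0", "tun0"        # assumed inside / outside interface names
EXT_ADDR = "192.0.2.1"          # assumed public address of the gateway
INSIDE_PREFIX = "10.0.0."       # assumed internal network (prefix match only)


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class Natd:
    """One-to-many address/port translator in the spirit of natd."""

    def __init__(self, ext_addr):
        self.ext_addr = ext_addr
        self.out_map = {}   # (proto, inside src, sport) -> external port
        self.in_map = {}    # (proto, external port) -> (inside src, sport)
        self.next_port = 40000

    def translate(self, pkt, direction):
        if direction == "out":
            key = (pkt.proto, pkt.src, pkt.sport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
                self.next_port += 1
            return replace(pkt, src=self.ext_addr, sport=self.out_map[key])
        # Inbound: only packets matching an existing mapping are rewritten.
        # natd passes everything else through unchanged (absent -deny_incoming).
        target = self.in_map.get((pkt.proto, pkt.dport))
        if target is None:
            return pkt
        return replace(pkt, dst=target[0], dport=target[1])


def rule(number, action, proto="all", direction=None, via=None):
    return {"number": number, "action": action, "proto": proto,
            "direction": direction, "via": via}


def matches(r, pkt, direction, iface):
    return (r["proto"] in ("all", pkt.proto)
            and r["direction"] in (None, direction)
            and r["via"] in (None, iface))


def run_ruleset(rules, natd, pkt, direction, iface, start=0):
    """One ipfw pass: returns (verdict, packet, list of rule numbers hit)."""
    trace = []
    for r in sorted(rules, key=lambda r: r["number"]):
        if r["number"] < start or not matches(r, pkt, direction, iface):
            continue
        trace.append(r["number"])
        if r["action"] == "divert":
            pkt = natd.translate(pkt, direction)
            # The mangled packet re-enters at the rule after the divert rule.
            verdict, pkt, rest = run_ruleset(rules, natd, pkt, direction,
                                             iface, r["number"] + 1)
            return verdict, pkt, trace + rest
        return r["action"], pkt, trace
    return "deny", pkt, trace       # implicit default rule 65535 deny


def gateway(rules, natd, pkt, arrival_iface):
    """In pass, routing decision, out pass; 'local' means delivered to the box."""
    verdict, pkt, t1 = run_ruleset(rules, natd, pkt, "in", arrival_iface)
    if verdict != "allow":
        return verdict, pkt, t1
    if pkt.dst == EXT_ADDR:         # addressed to the gateway itself
        return "local", pkt, t1
    out_iface = IIF if pkt.dst.startswith(INSIDE_PREFIX) else OIF
    verdict, pkt, t2 = run_ruleset(rules, natd, pkt, "out", out_iface)
    return verdict, pkt, t1 + t2


# Assumed ruleset, in the style of "ipfw add 100 divert natd all from any to any via tun0".
RULES = [
    rule(100, "divert", via=OIF),                              # NAT on the outside interface
    rule(200, "allow", direction="in", via=IIF),               # from the inside network
    rule(300, "allow", direction="out", via=OIF),              # translated traffic leaving
    rule(400, "allow", proto="udp", direction="in", via=OIF),  # UDP arriving from outside
    rule(500, "allow", direction="out", via=IIF),              # delivered to an inside host
]


def run_scenarios():
    """Outbound game packet, its reply, and an unsolicited inbound packet."""
    natd = Natd(EXT_ADDR)
    out = gateway(RULES, natd, Packet("udp", "10.0.0.5", 5000, "198.51.100.7", 27015), IIF)
    reply = gateway(RULES, natd, Packet("udp", "198.51.100.7", 27015, EXT_ADDR, 40000), OIF)
    cold = gateway(RULES, natd, Packet("udp", "203.0.113.9", 6000, EXT_ADDR, 27015), OIF)
    return out, reply, cold


if __name__ == "__main__":
    for verdict, pkt, trace in run_scenarios():
        print(verdict, pkt, trace)
```

The traces make the direction/interface change visible: the outbound packet hits rule 200 on its "in via ed0" pass and only then rule 100 (divert) and 300 on its "out via tun0" pass, while the reply is translated on its "in via tun0" pass and forwarded through rule 500 on "out via ed0". The unsolicited packet stops at "local" because natd has no mapping to rewrite it; for a game server behind the gateway that is the case natd's -redirect_port option is for.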