From owner-freebsd-net Mon Jan 14 1:19:56 2002
Delivered-To: freebsd-net@freebsd.org
Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by hub.freebsd.org (Postfix) with ESMTP id 8110437B419; Mon, 14 Jan 2002 01:19:47 -0800 (PST)
Received: from dialup-209.244.106.114.dial1.sanjose1.level3.net ([209.244.106.114] helo=blossom.cjclark.org) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16Q3HN-0002Wc-00; Mon, 14 Jan 2002 01:19:46 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id g0E9Jd325745; Mon, 14 Jan 2002 01:19:39 -0800 (PST) (envelope-from cjc)
Date: Mon, 14 Jan 2002 01:19:39 -0800
From: "Crist J . Clark"
To: Andreas Klemm
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FIREWALL_FORWARD vs. using /sbin/natd ?
Message-ID: <20020114011939.G24290@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20020113105636.GA88221@titan.klemm.gtn.com> <20020113232541.E24290@blossom.cjclark.org> <20020114084023.GB1929@titan.klemm.gtn.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020114084023.GB1929@titan.klemm.gtn.com>; from andreas@FreeBSD.ORG on Mon, Jan 14, 2002 at 09:40:23AM +0100
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jan 14, 2002 at 09:40:23AM +0100, Andreas Klemm wrote:
> On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> > On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > > I found a document describing a firewall design only using natd
> > > for redirects to internal network resources. (Hi Marshall, therefore
> > > Cc: to you, since it's yours and I have a question).
> > >
> > > http://www.rootprompt.net/freebsd_firewall.html
> > >
> > > Based on this information I think I could get rid of natd entirely.
> >
> > Why do you say that? His example uses natd(8).
>
> He uses it only on the internal network card to redirect
> 2 applications to inside machines. Look in the config!

It is also there for any machine on his 192.168.1.0/24 internal network
to communicate with machines out on the Internet, and it is running on
the _external_ interface (fxp0), not the internal one.

[snip]

> > > Are there some things to take care of, when using FIREWALL_FORWARD?
> >
> > Yes, but nothing to do with NAT.
>
> BUT WHAT does FIREWALL_FORWARD actually do????

Look for 'fwd' in ipfw(8).

> What happens if I define it in kernel, stop nat?

Nothing to do with NAT. It's for making 'fwd' rules.

--
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
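The distinction drawn in the thread, shown as an added example rather than anything from the message or from the rootprompt.net page: natd(8) plus an ipfw divert rule on the external interface does the address translation (outbound masquerading and the redirect_port entries for inside services), while an ipfw 'fwd' rule, enabled by the IPFIREWALL_FORWARD kernel option, only changes where a matching packet is sent next and translates nothing. The external interface fxp0 and the 192.168.1.0/24 internal network come from the thread; the internal interface name fxp1, the inside web server 192.168.1.10 and the local proxy on 127.0.0.1 port 3128 are constructed assumptions. The rule list is kept deliberately small to show the two mechanisms side by side; a production ruleset needs more than this.

```shell
#!/bin/sh
# Added example for the natd(8)-vs-'fwd' distinction; not the thread's or
# the rootprompt.net ruleset. Kernel needs IPDIVERT for the divert rule and
# IPFIREWALL_FORWARD for the fwd rule.
#
# Assumptions (constructed, not from the thread except fxp0 and the /24):
EXT_IF=fxp0              # external interface, named in the thread
INT_IF=fxp1              # internal interface, assumed name
INT_NET=192.168.1.0/24   # internal network, from the thread
WEB_HOST=192.168.1.10    # inside web server behind a redirect_port (assumed)
PROXY=127.0.0.1,3128     # local transparent proxy that fwd hands port-80 traffic to (assumed)

# natd does the translation: outbound traffic on the external interface is
# masqueraded, and inbound TCP port 80 on that interface is rewritten to the
# inside web server. This is the part of the design that cannot be replaced
# by fwd rules.
natd_cmd() {
    echo "natd -n $EXT_IF -redirect_port tcp $WEB_HOST:80 80"
}

# ipfw rules, one per line, in the form ipfw(8) accepts from a rule file.
gen_ipfw_rules() {
    cat <<EOF
add 100 divert natd ip from any to any via $EXT_IF
add 200 fwd $PROXY tcp from $INT_NET to any 80 in via $INT_IF
add 300 allow tcp from any to $WEB_HOST 80 in via $EXT_IF setup
add 400 allow ip from any to any out via $EXT_IF
add 500 allow ip from $INT_NET to any in via $INT_IF
add 510 allow ip from any to $INT_NET out via $INT_IF
add 600 allow tcp from any to any established
add 65000 deny log ip from any to any
EOF
}
# Rule 100: every packet crossing fxp0 is handed to natd (NAT and redirects).
# Rule 200: the fwd rule. Inside clients' port-80 connections are delivered to
#           the local proxy socket instead of being routed; nothing is rewritten.
# Rule 300: after natd has rewritten an inbound port-80 SYN to the inside
#           server, admit only that connection setup from outside.
# Rules 400-600: outbound traffic, inside-originated traffic, replies.
# Rule 65000: log-and-deny everything else, so unexpected traffic is visible.

# Apply the configuration. DRY_RUN=1 (the default here) only prints the
# commands, which is what you want when reviewing a ruleset on another host.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        natd_cmd
        gen_ipfw_rules | sed 's/^/ipfw /'
    else
        eval "$(natd_cmd)"
        ipfw -q -f flush
        gen_ipfw_rules | while read -r rule; do
            ipfw -q $rule
        done
    fi
}

apply_rules
```

Run as-is to review the generated commands; set DRY_RUN=0 as root on the firewall to apply them. Removing natd from this configuration (the question in the thread) would leave rule 200 working but would also remove the outbound translation and the port-80 redirect, which no fwd rule provides.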