From owner-freebsd-security@FreeBSD.ORG  Sat May 31 02:21:49 2003
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 67A8F37B404
	for <freebsd-security@freebsd.org>;
	Sat, 31 May 2003 02:21:49 -0700 (PDT)
Received: from irpen.kiev.ua (irpen.kiev.ua [195.178.133.50])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 02BEC43F3F
	for <freebsd-security@freebsd.org>;
	Sat, 31 May 2003 02:21:47 -0700 (PDT)
	(envelope-from duke@irpen.kiev.ua)
Received: from irpen.kiev.ua (localhost.irpen.kiev.ua [127.0.0.1])
	by irpen.kiev.ua (8.12.8p1/8.12.8) with ESMTP id h4V9KTrt019098
	for <freebsd-security@freebsd.org>;
	Sat, 31 May 2003 12:21:42 +0300 (EEST)
	(envelope-from duke@irpen.kiev.ua)
Received: (from duke@localhost)
	by irpen.kiev.ua (8.12.8p1/8.12.8/Submit) id h4V9KSAw019097
	for freebsd-security@freebsd.org;
	Sat, 31 May 2003 12:20:28 +0300 (EEST)	(envelope-from duke)
Date: Sat, 31 May 2003 12:20:28 +0300
From: Vandyuk Eugene <duke@irpen.kiev.ua>
To: freebsd-security@freebsd.org
Message-ID: <20030531122028.A16361@irpen.kiev.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Subject: Packet flow through IPFW+IPF+IPNAT ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>,
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 31 May 2003 09:21:49 -0000

   Hi.

   On my FreeBSD 4.8 configured IPFW2+IPF+IPNAT and I use them all:
   - IPFW - traffic accounting, shaping, balancing and filtering;
   - IPFilter - policy routing;
   - IPNAT - masquerading.
   I want to know, how IP-packets flow through all of this components?
What's the path?
   incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
   outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
Is this correct? Or IPNAT on the incoming packets run before IPFW L3:
   incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
I think this path is more preferable, because IPFW always use not
masqueraded IP-headers.

Any help appreciated.