From owner-freebsd-net  Fri Feb 15 10:34:29 2002
Delivered-To: freebsd-net@freebsd.org
Received: from mail.wolves.k12.mo.us (mail.wolves.k12.mo.us [207.160.214.1])
	by hub.freebsd.org (Postfix) with ESMTP
	id 96C0937B404; Fri, 15 Feb 2002 10:34:08 -0800 (PST)
Received: from mail.wolves.k12.mo.us (cdillon@mail.wolves.k12.mo.us [207.160.214.1])
	by mail.wolves.k12.mo.us (8.9.3/8.9.3) with ESMTP id MAA05061;
	Fri, 15 Feb 2002 12:34:00 -0600 (CST)
	(envelope-from cdillon@wolves.k12.mo.us)
Date: Fri, 15 Feb 2002 12:33:58 -0600 (CST)
From: Chris Dillon <cdillon@wolves.k12.mo.us>
To: "Earl A. Killian" <earl@killian.com>
Cc: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>,
	Michael Sierchio <kudzu@tenebras.com>, Luigi Rizzo <rizzo@icir.org>,
	<freebsd-ipfw@FreeBSD.ORG>, <freebsd-net@FreeBSD.ORG>
Subject: Re: Bug in stateful code?
In-Reply-To: <15469.17124.999950.13271@sax.killian.com>
Message-ID: <Pine.BSF.4.32.0202151230530.4916-100000@mail.wolves.k12.mo.us>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-net.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-net>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-net>
X-Loop: FreeBSD.org

On Fri, 15 Feb 2002, Earl A. Killian wrote:

> Chris Dillon writes:
>  > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST)
>  > From: Chris Dillon <cdillon@wolves.k12.mo.us>
>  >
>  > If you have the luxury of having more than one IP address available
>  > for the outside interface, you can dedicate one address to natd's use,
>  > and the other to the host machine.  Use -deny_incoming on natd, and
>  > use whatever rules you want, including stateful, on the non-NAT
>  > address.  This is what I've done and it works fine.
>
> This sounds promising, but I am confused by the man page on
> -deny_incoming.  Perhaps you could clarify?  It says, "Do not pass
> incoming packets that have no entry in the internal translation
> table."  Which internal translation table do they mean?

The translation table in natd.  The -deny-incoming option is designed
to deny incoming connections to the host, not the internal machines.
By design you can't create an incoming connection to internal machines
without redirect rules in place anyway.

--
 Chris Dillon - cdillon@wolves.k12.mo.us - cdillon@inter-linc.net
 FreeBSD: The fastest and most stable server OS on the planet
 - Available for IA32 (Intel x86) and Alpha architectures
 - IA64, PowerPC, UltraSPARC, and ARM architectures under development
 - http://www.freebsd.org



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message