From: Matthew George <mdg@secureworks.net>
Date: Mon, 2 Jun 2003 10:43:07 -0400 (EDT)
To: Vandyuk Eugene
cc: freebsd-security@freebsd.org
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
In-Reply-To: <20030531122028.A16361@irpen.kiev.ua>
Message-ID: <20030602104108.Q40213@localhost>

On Sat, 31 May 2003, Vandyuk Eugene wrote:

> Hi.
>
> On my FreeBSD 4.8 I have configured IPFW2+IPF+IPNAT and I use them all:
> - IPFW - traffic accounting, shaping, balancing and filtering;
> - IPFilter - policy routing;
> - IPNAT - masquerading.
> I want to know how IP packets flow through all of these components.
> What's the path?
> incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> Is this correct? Or does IPNAT on incoming packets run before IPFW L3:
> incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> I think this path is more preferable, because IPFW always uses
> non-masqueraded IP headers.
>
> Any help appreciated.

I have ipfw compiled in and run ipfilter as a kld. The way it works is:

ipfw -> ipnat -> ipfilter

ipnat and all state matching for ipfilter is performed prior to ruleset
processing.

--
Matthew George
SecureWorks Technical Operations
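As an added illustration (not code from the thread or from FreeBSD), here is a small Python model of the inbound order Matthew describes, ipfw -> ipnat -> ipfilter, using constructed addresses and rules; it shows which header each stage gets to match, which is the practical consequence of the ordering for the accounting rules Eugene asked about.

```python
"""Toy model of the inbound packet path ipfw -> ipnat -> ipfilter.
Hypothetical simulation only; addresses and rules are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed ipnat rdr: public 203.0.113.1:80 -> internal 192.168.1.10:80
IPNAT_RDR = {("203.0.113.1", 80): ("192.168.1.10", 80)}

# ipfw accounting rules keyed on (dst, dport). ipfw runs BEFORE ipnat, so
# inbound it only ever sees the un-translated (public) header; a rule
# written against the internal address never matches inbound traffic.
IPFW_COUNT_RULES = {
    ("203.0.113.1", 80): "count public web",
    ("192.168.1.10", 80): "count internal web",  # never hit inbound
}

# ipfilter rules run AFTER ipnat, so they match the translated header.
IPF_PASS = {("192.168.1.10", 80)}


def ipfw_stage(pkt, counters):
    label = IPFW_COUNT_RULES.get((pkt.dst, pkt.dport))
    if label:
        counters[label] = counters.get(label, 0) + 1
    return pkt  # accounting only, header unchanged


def ipnat_stage(pkt):
    dst, dport = IPNAT_RDR.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
    return replace(pkt, dst=dst, dport=dport)


def ipf_stage(pkt):
    return "pass" if (pkt.dst, pkt.dport) in IPF_PASS else "block"


def inbound(pkt):
    """Run one inbound packet through the three stages in order and
    report what each stage saw plus the final ipfilter verdict."""
    counters = {}
    seen_by_ipfw = ipfw_stage(pkt, counters)
    seen_by_ipf = ipnat_stage(seen_by_ipfw)
    return {"ipfw_saw": seen_by_ipfw.dst, "ipf_saw": seen_by_ipf.dst,
            "counters": counters, "verdict": ipf_stage(seen_by_ipf)}
```

Run inbound() on a packet for the public address and note that only the "count public web" counter moves while ipfilter decides on the internal address.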