Date: Fri, 08 May 1998 13:23:03 -0700
From: Brandon Huey <brandon@epigram.com>
To: freebsd-questions@FreeBSD.ORG
Subject: ipfw & natd rule precedence
Message-ID: <355369A7.C72AA055@epigram.com>
I'm a little confused about who enforces filtering rules on a gateway using ipfw & natd together. From what I've been reading I understand this: every incoming packet gets checked against the ipfw rules. A divert rule binds all packets from any interface to any interface to a specific port on which natd runs. Now, knowing that, it sounds like natd (which has facilities for this) should enforce any further port/protocol filtering because ipfw is finished with these packets.

But I have also read that natd always puts packets it handles back into the incoming stream, where they are once again checked against ipfw rules (but _ignoring_ the divert)... Knowing that, it seems like I could continue using additional ipfw rules (but only against now-aliased packets?).

What is right? Also, are there significant performance hits because of natd running as a user process?

Thanks

-- 
Brandon Huey
Epigram, Inc.
bh@epigram.com
+1 408 720 3027

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?355369A7.C72AA055>
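The ordering the question is about, as an added example that is not part of the original message: on FreeBSD a packet matched by a divert rule is handed to natd, and when natd writes it back ipfw resumes at the rule following the divert rule, so rules placed before the divert see the packet as it arrived and rules after it see translated addresses. The rc.firewall-style ruleset below shows both halves, including the one rule that must stay ahead of the divert. The interface names ed0/ed1, the public address 203.0.113.2, the LAN 192.168.1.0/24 and the web server published with natd -redirect_port are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original message: an ipfw ruleset in the
# style of /etc/rc.firewall showing where the natd divert rule sits relative
# to the filtering rules. Interfaces, addresses and the published web server
# are assumptions for illustration.
oif="ed0"                    # assumed external interface (natd -interface ed0)
iif="ed1"                    # assumed internal interface
ext_ip="203.0.113.2"         # assumed public address on ${oif}
inside_net="192.168.1.0/24"  # assumed private LAN behind natd
web_srv="192.168.1.10"       # assumed: natd -redirect_port tcp 192.168.1.10:80 80

# Load for real on the gateway; anywhere else (or with FWCMD="echo ipfw")
# just print the rules so their order can be reviewed off-box.
if [ -n "${FWCMD:-}" ]; then fwcmd="${FWCMD}"
elif [ -x /sbin/ipfw ]; then fwcmd="/sbin/ipfw"
else fwcmd="echo ipfw"; fi

load_rules() {
    ${fwcmd} -f flush

    # Loopback is never translated or filtered.
    ${fwcmd} add 10 allow ip from any to any via lo0

    # Rules BEFORE the divert see packets exactly as they arrive on ${oif}:
    # inbound packets still carry the public destination. A packet that
    # already names a private address here is spoofed or misrouted, so it is
    # dropped before natd ever sees it. Rule 60 must stay ahead of rule 100:
    # after natd has rewritten the destination to a LAN host, the same rule
    # would kill every translated reply.
    ${fwcmd} add 50 deny log ip from ${inside_net} to any in via ${oif}
    ${fwcmd} add 60 deny log ip from any to ${inside_net} in via ${oif}

    # Hand everything crossing ${oif} to natd ("natd" is 8668/divert in
    # /etc/services). When natd writes the packet back, ipfw resumes at the
    # rule after 100, so every rule below sees translated addresses.
    ${fwcmd} add 100 divert natd ip from any to any via ${oif}

    # Inbound, after translation: only packets natd could map to a LAN host
    # (replies to outbound connections, or the published web server) now
    # carry a ${inside_net} destination. Unsolicited packets are left
    # addressed to ${ext_ip}, match nothing here and hit the final deny.
    ${fwcmd} add 200 allow tcp from any to ${inside_net} established in via ${oif}
    ${fwcmd} add 210 allow udp from any to ${inside_net} in via ${oif}
    ${fwcmd} add 220 allow icmp from any to ${inside_net} in via ${oif}
    ${fwcmd} add 230 allow tcp from any to ${web_srv} 80 in via ${oif}

    # Outbound, after translation: the source is now the gateway's public
    # address, not a LAN address, so that is what the rule has to name.
    ${fwcmd} add 300 allow ip from ${ext_ip} to any out via ${oif}

    # Inside interface: no divert rule applies here, so LAN policy is written
    # against the real (private) addresses.
    ${fwcmd} add 400 allow ip from ${inside_net} to any in via ${iif}
    ${fwcmd} add 410 allow ip from any to ${inside_net} out via ${iif}

    # Everything else, including anything natd left addressed to ${ext_ip}.
    ${fwcmd} add 65000 deny log ip from any to any
}

# Number of the first rule whose text matches the regex in $1 (preview mode).
rule_number() {
    load_rules | awk -v pat="$1" '$2 == "add" && $0 ~ pat { print $3; exit }'
}

load_rules
```

Because natd rewrites the destination only for packets it has an alias entry or a redirect for, the stateless rules 200 to 230 effectively act on natd's translation table: an unsolicited inbound packet is still addressed to the public IP when it reaches them and falls through to rule 65000. natd's own -deny_incoming option can drop those earlier, but the port and protocol policy itself still belongs in the ipfw rules after the divert.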