From owner-freebsd-questions Fri May 8 13:24:58 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA00499 for freebsd-questions-outgoing; Fri, 8 May 1998 13:24:58 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from frodo.epigram.com (gated.epigram.com [209.0.75.3]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA00433 for ; Fri, 8 May 1998 13:24:44 -0700 (PDT) (envelope-from brandon@epigram.com)
Received: from epigram.com (berio [10.100.100.31]) by frodo.epigram.com (8.8.5/8.8.5) with ESMTP id NAA09923 for ; Fri, 8 May 1998 13:24:39 -0700 (PDT)
Message-ID: <355369A7.C72AA055@epigram.com>
Date: Fri, 08 May 1998 13:23:03 -0700
From: Brandon Huey
Reply-To: bh@epigram.com
Organization: Epigram, Inc.
X-Mailer: Mozilla 4.04 [en] (X11; I; FreeBSD 2.2.6-RELEASE i386)
MIME-Version: 1.0
To: freebsd-questions@FreeBSD.ORG
Subject: ipfw & natd rule precedence
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm a little confused about who enforces filtering rules on a gateway using ipfw & natd together. From what I've been reading I understand this: every incoming packet gets checked against the ipfw rules. A divert rule binds all packets from any interface to any interface to a specific port on which natd runs.

Now, knowing that, it sounds like natd (which has facilities for this) should enforce any further port/protocol filtering because ipfw is finished with these packets. But, I have also read that natd always puts packets it handles back into the incoming stream where they are once again checked against ipfw rules (but _ignoring_ the divert)... Knowing that, it seems like I could continue using additional ipfw rules (but only against now-aliased packets?)

What is right? Also, are there significant performance hits because of natd running as a user process?

Thanks

--
Brandon Huey
Epigram, Inc.
bh@epigram.com +1 408 720 3027

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
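The rule-ordering question in the post can be made concrete with a small model of the ipfw chain. The following is an added example, not code from the post or from FreeBSD; it models the behaviour documented in natd(8) and ipfw(8): a packet that matches a `divert` rule is handed to natd, and whatever natd writes back re-enters the chain at the rule after the divert rule (the divert itself is not evaluated again), so every later filter rule sees post-NAT addresses. The rule numbers, the alias and LAN addresses, the starting alias port and the packets are all constructed for the demonstration; interface (`via`) matching is left out of the model.

```python
"""Toy model of ipfw rule evaluation around a natd divert rule (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out" on the external interface


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "allow", "deny" or "divert"
    proto: str = "ip"      # "ip" matches every protocol, as in ipfw
    src: str = "any"       # "any", a host address or a CIDR prefix
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self._addr_ok(self.src, p.src)
                and self._addr_ok(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.direction is None or self.direction == p.direction))


class Natd:
    """Stand-in for natd: masquerade outbound LAN traffic behind the alias
    address and map inbound replies back to the LAN host that opened them.
    It does no port/protocol filtering of its own in this model."""

    def __init__(self, alias: str, lan: str):
        self.alias = alias
        self.lan = ipaddress.ip_network(lan)
        self.out_map = {}        # (proto, lan_ip, lan_port) -> alias_port
        self.in_map = {}         # (proto, alias_port) -> (lan_ip, lan_port)
        self.next_port = 40000   # constructed first alias port

    def translate(self, p: Packet) -> Packet:
        if p.direction == "out" and ipaddress.ip_address(p.src) in self.lan:
            key = (p.proto, p.src, p.sport)
            if key not in self.out_map:
                self.out_map[key] = self.next_port
                self.in_map[(p.proto, self.next_port)] = (p.src, p.sport)
                self.next_port += 1
            return replace(p, src=self.alias, sport=self.out_map[key])
        if p.direction == "in" and p.dst == self.alias:
            owner = self.in_map.get((p.proto, p.dport))
            if owner is not None:
                return replace(p, dst=owner[0], dport=owner[1])
        return p  # nothing to translate: natd writes the packet back unchanged


def run_chain(rules, packet: Packet, natd: Natd):
    """Walk the rules in order; return (action, rule_number, final_packet).
    A divert hands the packet to natd and resumes at the following rule."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        if not rule.matches(packet):
            continue
        if rule.action == "divert":
            packet = natd.translate(packet)  # re-entry happens at rules[i], not at the divert
            continue
        return rule.action, rule.number, packet
    return "deny", 65535, packet  # ipfw's implicit default rule


# Constructed ruleset. Rule 300 is written against the LAN source address but sits
# after the divert, so for outbound packets it can never match: by then the source
# has already been rewritten to the alias address.
RULES = [
    Rule(100, "divert"),
    Rule(200, "allow", "tcp", src="203.0.113.1", direction="out"),
    Rule(300, "allow", "tcp", src="10.100.100.0/24", direction="out"),
    Rule(400, "allow", "tcp", dst="10.100.100.0/24", direction="in"),
    Rule(500, "deny"),
]


def demo():
    natd = Natd("203.0.113.1", "10.100.100.0/24")
    out = Packet("tcp", "10.100.100.31", 51000, "198.51.100.7", 80, "out")
    r1 = run_chain(RULES, out, natd)    # matched by 200 with src already aliased
    reply = Packet("tcp", "198.51.100.7", 80, "203.0.113.1", r1[2].sport, "in")
    r2 = run_chain(RULES, reply, natd)  # matched by 400 with dst mapped back to the LAN host
    probe = Packet("tcp", "198.51.100.9", 4444, "203.0.113.1", 23, "in")
    r3 = run_chain(RULES, probe, natd)  # no mapping, falls through to 500
    return r1, r2, r3


if __name__ == "__main__":
    for action, number, pkt in demo():
        print(f"rule {number}: {action} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({pkt.direction})")
```

Running the demo shows the split the post is asking about: filter rules placed after the divert still apply, but they are evaluated against the translated packet, so outbound rules must name the alias address and inbound rules the internal hosts; an inbound packet natd has no mapping for comes back untranslated and reaches the final deny.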