From: Julian Elischer
To: bh@epigram.com
cc: freebsd-questions@FreeBSD.ORG
Date: Fri, 8 May 1998 15:40:01 -0700 (PDT)
Subject: Re: ipfw & natd rule precedence
In-Reply-To: <355369A7.C72AA055@epigram.com>

On Fri, 8 May 1998, Brandon Huey wrote:

> i'm a little confused about who enforces filtering rules on a gateway
> using ipfw & natd together.
>
> from what i've been reading i understand this:
>
> every incoming packet gets checked against the ipfw rules. a divert rule
> binds all packets from any interface to any interface to a specific port
> on which natd runs.
>
> now, knowing that, it sounds like natd (which has facilities for this)
> should enforce any further port/protocol filtering because ipfw is
> finished with these packets.
>
> but, i have also read that natd always puts packets it handles back into
> the incoming stream where they are once again checked against ipfw rules
> (but _ignoring_ the divert)...

Yes.. however there is a move afoot to make the reinjected packets be
reinjected AFTER the divert rule so don't DEPEND on this behaviour.
The behavioural changes to IPFW would be:

 - the "SKIPTO" operation would become more efficient
 - DIVERT daemons could specify the rule after which an injected
   packet should start being checked.

This would allow the partitioning of rulesets into sub-rulesets for
efficiency and ease of understanding. You could then partition the
ruleset into different parts for pre and post translation (for example).
I have done some work towards this but not coded it yet.

> knowing that, it seems like i could continue using
> additional ipfw rules (but only against now-aliased packets?)
>
> what is right?

yes. you could use the SKIPTO rule (though it's not too efficient now)
to isolate post-translated packets (by some unknown method) to a
separate ruleset but it would be more difficult.

> also, are there significant performance hits because of natd running as
> a user process?

Well we can address translate an ethernet but it takes a lot of the CPU
to do it.. (P130)

> thanks
>
> --
>
> Brandon Huey                    Epigram, Inc.
> bh@epigram.com                  +1 408 720 3027
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
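The warning above (do not depend on reinjected packets re-entering at the top of the ruleset) and the suggestion to use SKIPTO to isolate post-translated packets can be combined into one layout. The script below is an added example, not code from the thread or from FreeBSD's own rc files: it emits an ipfw ruleset in which the only rule placed before the divert is one that is correct for both untranslated and reinjected packets, and everything that depends on translated addresses lives in numbered sub-rulesets reached via skipto. The result behaves the same whether the kernel restarts a reinjected packet at rule 1 (skipping the divert) or resumes after the divert rule. The interface name ed0, the public address, the inside network and the internal web server host are assumed values chosen for illustration; 8668 is natd's default divert port.

```shell
# Added example: a reinjection-order-independent ipfw/natd ruleset.
# All addresses and the interface name are assumptions for illustration.
EXT_IF=ed0                 # assumed: external interface natd aliases on
PUBLIC=203.0.113.5         # assumed: the gateway's public address
INSIDE=192.168.1.0/24      # assumed: private network behind the gateway
WEB=192.168.1.10           # assumed: inside host natd redirects port 80 to
NATD_PORT=8668             # natd's default divert port

# Print the ruleset as ipfw commands instead of running them, so the
# layout can be reviewed before it is applied on the gateway as root:
#     build_ruleset | sh
build_ruleset() {
    cat <<EOF
ipfw -f flush
ipfw add 100 allow ip from any to any via lo0
# 110: anti-spoofing, safe before the divert. A reinjected inbound packet
# has a private *destination*, never a private source, and a reinjected
# outbound packet carries the public source, so neither matches here.
ipfw add 110 deny ip from $INSIDE to any in via $EXT_IF
# 200: hand every packet crossing the external interface to natd.
ipfw add 200 divert $NATD_PORT ip from any to any via $EXT_IF
# 300-320: classify post-translation traffic into sub-rulesets. A packet
# arriving from outside with a private destination has already been
# de-aliased; one leaving with the public source has already been aliased;
# one arriving for the public address was left alone by natd.
ipfw add 300 skipto 1000 ip from any to $INSIDE in via $EXT_IF
ipfw add 310 skipto 2000 ip from $PUBLIC to any out via $EXT_IF
ipfw add 320 skipto 1000 ip from any to $PUBLIC in via $EXT_IF
# 400: anything on the external interface not classified above is dropped.
ipfw add 400 deny log ip from any to any via $EXT_IF
# 500: traffic on the inside interface is not filtered in this example.
ipfw add 500 allow ip from any to any
# 1000-1999: inbound policy, evaluated on translated packets only.
ipfw add 1000 allow tcp from any to any established
ipfw add 1010 allow tcp from any to $WEB 80
ipfw add 1020 allow udp from any 53 to any
ipfw add 1900 deny log ip from any to any
# 2000-2999: outbound policy, evaluated on translated packets only.
ipfw add 2000 allow ip from $PUBLIC to any
ipfw add 2900 deny log ip from any to any
EOF
}

# Layout self-check: every skipto classifier must be numbered above the
# divert rule and must jump forward, otherwise the sub-rulesets are either
# reached on untranslated packets or never reached at all. Returns 0 if OK.
check_layout() {
    build_ruleset | awk '
        $1 == "ipfw" && $2 == "add" && $4 == "divert" { divert = $3 }
        $1 == "ipfw" && $2 == "add" && $4 == "skipto" {
            if (divert == "" || $3 + 0 <= divert + 0) bad = 1
            if ($5 + 0 <= $3 + 0) bad = 1
        }
        END { exit bad ? 1 : 0 }'
}
```

Because rule 110 matches only on a private source arriving inbound, it gives the same verdict on the first (untranslated) pass and on the reinjected pass, which is the property every rule numbered below the divert must have. Rules 300 to 320 are the "some unknown method" of the reply made concrete for this layout: on the external interface, a private destination or the public source can only appear on a packet natd has already processed.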