From: Sanford Owings
To: freebsd-security@freebsd.org
Subject: Firewall and NAT, step-by-step?
Date: Tue, 14 Dec 1999 16:08:25 -0800
Message-Id: <199912150008.QAA10142@mamba.CS.Berkeley.EDU>

I'm trying to set up a firewall with transparent proxying, and I suspect that the right combination of firewall rules and NAT will do what I want. The problem is that I'm stymied by the exact order of the process.

/etc/rc.firewall states that an incoming packet translated by natd will then "reenter the firewall". Does this mean that the packet begins again at rule 0, and if so, what exactly is its state? Most specifically, what interface is it hitting, and which way is it going? Can I finagle something useful out of "recv, xmit, in, out", etc.?

I have attempted to figure out what's going on by opening the firewall, starting nat and having a client machine ping or nslookup or try some other equally simple action while watching the inbound and outbound interfaces with tcpdump. I can see the way packets move on the wire, but not how they bang around the kernel. With the firewall rules in place, the outbound tcpdump sees exactly 0 packets.

Any help would be greatly appreciated.
--
Sanford Owings
EECS Instructional Group Staff
University of California at Berkeley
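The re-entry question above, as an added example that is not part of the original mail: a small Python model of how ipfw walks a ruleset when a packet hits a `divert` rule for natd. It assumes, per ipfw(8) and natd(8), that the packet natd writes back resumes at the rule after the divert rule, keeping its original direction and interface, rather than restarting at rule 0; the rule numbers, addresses, interface names and the `natd` stand-in are all constructed.

```python
from dataclasses import dataclass, field, replace

@dataclass
class Packet:
    src: str
    dst: str
    direction: str        # "in" or "out", unchanged by natd
    iface: str            # interface name, unchanged by natd
    trace: list = field(default_factory=list)   # rule numbers visited

# Constructed addresses: RFC 5737 documentation ranges and a private LAN.
OUTSIDE_IP = "192.0.2.1"   # public address on the outside interface ed0
INSIDE_NET = "10.0.0."     # private LAN behind the inside interface ed1

def natd(pkt):
    """Constructed stand-in for natd: rewrite the private source when
    leaving, or the public destination when arriving, nothing else."""
    if pkt.direction == "out" and pkt.src.startswith(INSIDE_NET):
        return replace(pkt, src=OUTSIDE_IP)
    if pkt.direction == "in" and pkt.dst == OUTSIDE_IP:
        return replace(pkt, dst=INSIDE_NET + "5")   # constructed NAT table hit
    return pkt

# Constructed ruleset in rc.firewall style: (number, action, match predicate).
RULES = [
    (100, "allow",  lambda p: p.iface == "lo0"),
    (200, "divert", lambda p: p.iface == "ed0"),   # divert natd ip from any to any via ed0
    # anti-spoof rule placed after the divert: it must see the translated source
    (300, "deny",   lambda p: p.direction == "out" and p.iface == "ed0"
                              and p.src.startswith(INSIDE_NET)),
    (400, "allow",  lambda p: True),
]

def walk(pkt, start_after=-1):
    """Walk the rules in number order, skipping those numbered at or below
    start_after. Returns (verdict, packet) with the visited rules in trace."""
    for num, action, match in RULES:
        if num <= start_after or not match(pkt):
            continue
        pkt.trace.append(num)
        if action == "divert":
            # the kernel hands the packet to natd; natd writes it back and the
            # search resumes at the rule after this one, not at rule 0
            translated = natd(pkt)
            translated.trace = pkt.trace
            return walk(translated, start_after=num)
        return action, pkt
    return "deny", pkt   # implicit rule 65535: deny ip from any to any
```

An outbound packet from 10.0.0.5 is diverted at rule 200, comes back with source 192.0.2.1 and is checked against rules 300 and 400 only; had it restarted at rule 0 with its private source, rule 300 would have denied it.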