From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 07:48:30 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6397637B404 for ; Mon, 2 Jun 2003 07:48:29 -0700 (PDT)
Received: from mx.vipnet.ro (cosmic.vipnet.ro [193.230.219.1]) by mx1.FreeBSD.org (Postfix) with SMTP id 678EB43F93 for ; Mon, 2 Jun 2003 07:48:28 -0700 (PDT) (envelope-from vladg@vipnet.ro)
Received: (qmail 12927 invoked from network); 2 Jun 2003 14:49:22 -0000
Received: from unknown (HELO rtfm.vipnet.ro) (193.230.219.12) by cosmic.vipnet.ro with SMTP; 2 Jun 2003 14:49:22 -0000
Date: Mon, 2 Jun 2003 17:47:58 +0300
From: Vlad GALU
To: freebsd-security@freebsd.org
Message-Id: <20030602174758.3f85db72.vladg@vipnet.ro>
In-Reply-To: <20030602104108.Q40213@localhost>
References: <20030531122028.A16361@irpen.kiev.ua> <20030602104108.Q40213@localhost>
Organization: VipNET Bucharest
X-Mailer: Sylpheed version 0.8.11 (GTK+ 1.2.10; i386-portbld-freebsd4.8)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 02 Jun 2003 14:48:30 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 2 Jun 2003 10:43:07 -0400 (EDT)
Matthew George wrote:

> On Sat, 31 May 2003, Vandyuk Eugene wrote:
>
> > Hi.
> >
> > On my FreeBSD 4.8 configured IPFW2+IPF+IPNAT and I use them all:
> > - IPFW - traffic accounting, shaping, balancing and filtering;
> > - IPFilter - policy routing;
> > - IPNAT - masquerading.
> > I want to know, how IP-packets flow through all of this components?
> > What's the path?
> > incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> > outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> > Is this correct? Or IPNAT on the incoming packets run before IPFW L3:
> > incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> > I think this path is more preferable, because IPFW always use not
> > masqueraded IP-headers.
> >
> > Any help appreciated.

Example one: IPF is compiled in kernel, IPFW is a module. In this case
IPFW stands 'outside' of IPF. Example two: vice versa: the order in which
they take action is reversed too. IPNAT is always 'outside' IPF.

> > _______________________________________________
> > freebsd-security@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-security
> > To unsubscribe, send any mail to
> > "freebsd-security-unsubscribe@freebsd.org"
> >
>
> I have ipfw compiled in and run ipfilter as a kld
>
> the way it works is ipfw -> ipnat -> ipfilter
>
> ipnat and all state matching for ipfilter is performed prior to ruleset
> processing
>
> --
> Matthew George
> SecureWorks Technical Operations
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

- --
Vlad Galu
Network Administrator
VipNET Bucharest
tel: 021/3039940
email: vladg@vipnet.ro
web: http://www.vipnet.ro
PGP: http://mirapoint.vipnet.ro/public_key.pgp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE+22OeBQlxy6GegvARArZcAKDna8UnnCFkI3QJmxYcEynliRYV5QCfSoJY
afb5pCCY5ZJpEfwKLs4oMYU=
=tR6I
-----END PGP SIGNATURE-----
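The practical consequence of the ordering discussed in this thread is that a rule in a given stage only ever sees the IP header as it looks when that stage runs, so whether NAT has already rewritten it decides which addresses the rule must name. The following Python model is an added illustration, not code from the thread or from FreeBSD: it pushes a constructed packet through a chain of hook stages in the order Matthew reports for his setup (ipfw -> ipnat -> ipfilter) and through the alternative order Eugene asks about, and records the (src, dst) pair each stage observes. The addresses, the one-to-one static NAT table and the stage functions are all assumptions made for the example; ipfw and ipf are modelled as pure observers because only what they see matters here.

```python
"""Toy model: which addresses each hook stage sees, depending on where NAT sits.

Constructed example; it is not FreeBSD kernel code and does not model
dummynet, policy routing or IPFilter's own inbound/outbound distinction.
It only shows that the header a stage inspects depends on whether ipnat
has already run in front of it.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "in" = arriving from the outside, "out" = leaving the LAN

# Constructed addresses (documentation ranges): one internal host masqueraded
# behind one public address with a static 1:1 mapping.
PUBLIC = "203.0.113.10"
INTERNAL = "192.168.1.5"
REMOTE = "198.51.100.7"
NAT_TABLE: Dict[str, str] = {INTERNAL: PUBLIC}  # private -> public

Stage = Callable[[Packet], Packet]

def ipnat(pkt: Packet) -> Packet:
    """Masquerade: rewrite the source on the way out, the destination on the way in."""
    if pkt.direction == "out" and pkt.src in NAT_TABLE:
        return replace(pkt, src=NAT_TABLE[pkt.src])
    if pkt.direction == "in":
        for private, public in NAT_TABLE.items():
            if pkt.dst == public:
                return replace(pkt, dst=private)
    return pkt

def observer(pkt: Packet) -> Packet:
    """ipfw and ipf are modelled as inspect-only stages (no rewriting)."""
    return pkt

STAGES: Dict[str, Stage] = {"ipfw": observer, "ipnat": ipnat, "ipf": observer}

# Chain orders: the one reported in the thread for ipfw-in-kernel plus the
# ipfilter kld, and the alternative the original question raises.
REPORTED_ORDER: List[str] = ["ipfw", "ipnat", "ipf"]
ALTERNATIVE_ORDER: List[str] = ["ipfw", "ipf", "ipnat"]

def run_chain(order: List[str], pkt: Packet) -> Dict[str, Tuple[str, str]]:
    """Return the (src, dst) header each named stage receives, in chain order."""
    seen: Dict[str, Tuple[str, str]] = {}
    for name in order:
        seen[name] = (pkt.src, pkt.dst)  # header exactly as this stage gets it
        pkt = STAGES[name](pkt)
    return seen

def compare(pkt: Packet) -> Dict[str, Dict[str, Tuple[str, str]]]:
    """Run the same packet through both orders so the difference is visible."""
    return {
        "reported": run_chain(REPORTED_ORDER, pkt),
        "alternative": run_chain(ALTERNATIVE_ORDER, pkt),
    }

if __name__ == "__main__":
    outgoing = Packet(INTERNAL, REMOTE, "out")
    incoming = Packet(REMOTE, PUBLIC, "in")
    for label, p in (("outgoing", outgoing), ("incoming", incoming)):
        for chain, seen in compare(p).items():
            print(f"{label:8} {chain:11}", seen)
```

Under the reported order ipfw inspects the private source of an outgoing packet and the public destination of an incoming one, while ipf, sitting behind ipnat, sees the translated header in both directions; under the alternative order ipf sees the same untranslated header ipfw does. Whichever order a given kernel and module combination actually yields, the rulesets in each stage have to be written against the view that stage gets, which is why the load order matters beyond mere curiosity.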