From: Colin <cwass99@home.com>
To: Doug White
Cc: freebsd-stable@FreeBSD.ORG
Subject: Re: natd inconsistencies
Date: Mon, 10 Jul 2000 19:26:36 -0400 (EDT)
X-Mailer: XFMail 1.4.0 on FreeBSD

On 10-Jul-00 Doug White wrote:
> On Sun, 9 Jul 2000, Colin wrote:
>
>> The man page recommends putting the divert rule as close to the beginning
>> of the rule set as possible, and the default rule sets seem consistent
>> with this. I noticed, though, that if I didn't put the rule "deny ip from
>> 192.168.0.0/24 to any in recv ed1" before the divert rule nothing from my
>> internal network (which just happens to be 192.168.0.0/24) would get
>> through. I assume the prevent-spoofing rules for private networks would
>> have the sam
>
> This rule would block traffic destined for your own network -- you
> antispoofed yourself! :) It *MUST* be before translation takes place,
> and also make sure ed1 is the external interface.
>
> The 'log' option and 'ipfw show' are handy for firewall debugging.

I found this rule was the problem using ipfw show (a very useful command
when you're building a ruleset to see what is blocking you), which is why
I moved it.
My concern is that it shouldn't block packets from an external source
(e.g. www.FreeBSD.org ;) to 192.168.0.0/24. It should only block packets
from that network incoming on the external interface. I understood natd
would alter the dest addr on the inbound packet if it was in the table but
not touch the source addr. Is this not the case? Or am I missing something
obvious in the operation?

Cheers,
Colin

> Doug White | FreeBSD: The Power to Serve
> dwhite@resnet.uoregon.edu | www.FreeBSD.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
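The ordering question in this exchange (antispoof rule versus the natd divert) can be walked through with a small model of how ipfw evaluates rules and re-enters the ruleset after a divert. The following is an added example written for this page; it is not code from the thread, from FreeBSD or from natd. It assumes ed1 is the outside interface with the public address 203.0.113.5 (an RFC 5737 documentation address), ed0 is the inside interface, a default-deny kernel, and it adds a second, destination-based private-network rule ("deny ip from any to 192.168.0.0/24 in recv ed1") of the kind the stock rulesets carry, which the thread only alludes to. The packets are constructed, and the parser covers only the few ipfw(8) keywords the rules below use.

```python
"""Toy model of an ipfw rule walk with a natd divert (added example, not from the thread).

Constructed: addresses, packets and rules are made up; 203.0.113.5 and 198.51.100.7
are RFC 5737 documentation addresses. Only the ipfw(8) syntax used below is parsed.
"""
import ipaddress
from dataclasses import dataclass, replace

PUBLIC = "203.0.113.5"  # assumed address of ed1, the outside interface natd aliases to


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    recv: str       # interface the packet arrived on
    xmit: str = ""  # interface it leaves on (empty on the input path)


class Natd:
    """Minimal natd: rewrite the source going out, the destination coming in."""

    def __init__(self, alias):
        self.alias = alias
        self.table = {}  # (remote ip, remote port, alias port) -> inside host

    def translate(self, p):
        if p.direction == "out":
            self.table[(p.dst, p.dport, p.sport)] = p.src
            return replace(p, src=self.alias)
        key = (p.src, p.sport, p.dport)
        if p.dst == self.alias and key in self.table:
            return replace(p, dst=self.table[key])
        return p  # inbound flow natd knows nothing about: passed through, source untouched


def parse_rule(text):
    """Parse '<action> [natd] ip from <src> to <dst> [in|out] [recv|xmit|via <iface>]'."""
    w = text.split()
    i = w.index("from")
    rule = {"action": w[0], "src": w[i + 1], "dst": w[i + 3],
            "dir": None, "ifkind": None, "iface": None}
    opts = iter(w[i + 4:])
    for tok in opts:
        if tok in ("in", "out"):
            rule["dir"] = tok
        elif tok in ("recv", "xmit", "via"):
            rule["ifkind"], rule["iface"] = tok, next(opts)
        else:
            raise ValueError("unsupported option: " + tok)
    return rule


def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, p):
    if rule["dir"] and rule["dir"] != p.direction:
        return False
    k, ifc = rule["ifkind"], rule["iface"]
    if (k == "recv" and p.recv != ifc) or (k == "xmit" and p.xmit != ifc):
        return False
    if k == "via" and ifc not in (p.recv, p.xmit):
        return False
    return in_net(p.src, rule["src"]) and in_net(p.dst, rule["dst"])


def walk(rules, natd, p):
    """First matching rule decides; a divert hands the packet to natd and the
    translated packet re-enters at the rule after the divert, as ipfw(8) describes."""
    for rule in rules:
        if not matches(rule, p):
            continue
        if rule["action"] == "divert":
            p = natd.translate(p)
            continue
        return rule["action"], p
    return "deny", p  # assumed default-deny kernel (rule 65535 deny)


def scenario(antispoof_before_divert):
    """Run four constructed packets through one rule ordering; returns name -> (verdict, packet)."""
    natd = Natd(PUBLIC)
    antispoof = ["deny ip from 192.168.0.0/24 to any in recv ed1",  # the rule from the thread
                 "deny ip from any to 192.168.0.0/24 in recv ed1"]  # assumed companion rule
    divert = ["divert natd ip from any to any via ed1"]
    order = antispoof + divert if antispoof_before_divert else divert + antispoof
    rules = [parse_rule(r) for r in order + ["allow ip from any to any"]]
    pkts = {  # insertion order matters: the reply depends on the outbound NAT entry
        "outbound":    Packet("192.168.0.10", 40000, "198.51.100.7", 80, "out", "ed0", "ed1"),
        "reply":       Packet("198.51.100.7", 80, PUBLIC, 40000, "in", "ed1"),
        "spoofed_src": Packet("192.168.0.50", 1234, PUBLIC, 80, "in", "ed1"),
        "private_dst": Packet("198.51.100.7", 1234, "192.168.0.10", 80, "in", "ed1"),
    }
    return {name: walk(rules, natd, p) for name, p in pkts.items()}


if __name__ == "__main__":
    for first in (True, False):
        print("antispoof before divert:" if first else "antispoof after divert:")
        for name, (verdict, p) in scenario(first).items():
            print(f"  {name:12s} {verdict:5s} {p.src} -> {p.dst}")
```

Running it shows the two rules behaving differently under the two orderings. The source-based rule from the thread ("from 192.168.0.0/24 ... in recv ed1") gives the same verdict either side of the divert, because natd leaves the source of an inbound packet alone; the spoofed packet is denied and the translated reply is allowed in both cases. The destination-based rule, on the other hand, must sit before the divert: placed after it, it sees the reply with its destination already rewritten to 192.168.0.10 and drops every legitimate translated inbound packet, which is the "antispoofed yourself" failure mode.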