Date: Mon, 2 Jun 2003 18:17:53 +0300
From: Vandyuk Eugene <duke@irpen.kiev.ua>
To: Matthew George <mdg@secureworks.net>
Cc: freebsd-security@freebsd.org
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
Message-ID: <20030602181753.A27202@irpen.kiev.ua>
In-Reply-To: <20030602104108.Q40213@localhost>; from mdg@secureworks.net on Mon, Jun 02, 2003 at 10:43:07AM -0400
References: <20030531122028.A16361@irpen.kiev.ua> <20030602104108.Q40213@localhost>

On Mon, Jun 02, 2003 at 10:43:07AM -0400, Matthew George wrote:
> On Sat, 31 May 2003, Vandyuk Eugene wrote:
>
> > What's the path?
> > incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> > outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> > Is this correct? Or IPNAT on the incoming packets run before IPFW L3:
> > incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> > I think this path is more preferable, because IPFW always use not
> > masqueraded IP-headers.
> >
>
> I have ipfw compiled in and run ipfilter as a kld
>
> the way it works is ipfw -> ipnat -> ipfilter
>
> ipnat and all state matching for ipfilter is performed prior to ruleset
> processing
>

But this way only for incoming packets. And what's the way for outgoing?
IPFW -> IPFilter -> IPNAT
OR
IPFilter -> IPNAT -> IPFW
???