From owner-freebsd-security@FreeBSD.ORG Mon Jun 2 08:19:33 2003
Date: Mon, 2 Jun 2003 18:17:53 +0300
From: Vandyuk Eugene
To: Matthew George
cc: freebsd-security@freebsd.org
Subject: Re: Packet flow through IPFW+IPF+IPNAT ?
Message-ID: <20030602181753.A27202@irpen.kiev.ua>
In-Reply-To: <20030602104108.Q40213@localhost>; from mdg@secureworks.net on Mon, Jun 02, 2003 at 10:43:07AM -0400
References: <20030531122028.A16361@irpen.kiev.ua> <20030602104108.Q40213@localhost>
List-Id: Security issues [members-only posting]

On Mon, Jun 02, 2003 at 10:43:07AM -0400, Matthew George wrote:
> On Sat, 31 May 2003, Vandyuk Eugene wrote:
>
> > What's the path?
> > incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> > outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> > Is this correct? Or does IPNAT on the incoming packets run before IPFW L3:
> > incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> > I think this path is preferable, because IPFW always uses the
> > non-masqueraded IP headers.
>
> I have ipfw compiled in and run ipfilter as a kld
>
> the way it works is ipfw -> ipnat -> ipfilter
>
> ipnat and all state matching for ipfilter is performed prior to ruleset
> processing

But this way is only for incoming packets. And what's the way for outgoing?
IPFW -> IPFilter -> IPNAT OR IPFilter -> IPNAT -> IPFW ???
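The practical consequence of the inbound order Matthew gives (ipfw -> ipnat -> ipfilter) is that ipfw matches on the pre-translation (public) destination while ipfilter matches on the post-translation (private) one, so a rule written against the wrong address family at the wrong stage silently never fires. The toy model below illustrates that; it is an added example written for this archive, not code from the thread or from FreeBSD. It assumes an rdr-style destination rewrite in ipnat, ipfw's first-match semantics, ipfilter's default last-match semantics (no `quick`), and constructed addresses from the documentation ranges. The outgoing order, which the thread leaves open, is deliberately not modelled.

```python
"""Toy model of the inbound path ipfw -> ipnat -> ipfilter (constructed example)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


# A rule is (label, predicate, action); action is "pass" or "block".
Rule = Tuple[str, Callable[[Packet], bool], str]


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """ipfw-style: the first matching rule decides; nothing matched -> block."""
    for label, pred, action in rules:
        if pred(pkt):
            return label, action
    return "default", "block"


def last_match(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """ipfilter-style (no 'quick'): the last matching rule decides."""
    result = ("default", "block")
    for label, pred, action in rules:
        if pred(pkt):
            result = (label, action)
    return result


def ipnat_rdr(rdr: Dict[Tuple[str, int], Tuple[str, int]], pkt: Packet) -> Packet:
    """rdr-style translation: rewrite public dst:port to the internal host."""
    key = (pkt.dst, pkt.dport)
    if key in rdr:
        new_dst, new_port = rdr[key]
        return replace(pkt, dst=new_dst, dport=new_port)
    return pkt


def inbound_path(pkt: Packet, ipfw_rules: List[Rule], rdr, ipf_rules: List[Rule]):
    """Run one inbound packet through the three stages in the order the thread
    states and record which destination address each stage actually saw."""
    trace = []
    label, action = first_match(ipfw_rules, pkt)
    trace.append(("ipfw", pkt.dst, label, action))
    if action == "block":
        return "block", trace           # ipfw dropped it before NAT ever ran
    pkt = ipnat_rdr(rdr, pkt)
    trace.append(("ipnat", pkt.dst, "rdr", "translate"))
    label, action = last_match(ipf_rules, pkt)
    trace.append(("ipfilter", pkt.dst, label, action))
    return action, trace


# Constructed sample addresses (documentation ranges), not real hosts.
PUBLIC, PRIVATE, CLIENT = "203.0.113.10", "10.0.0.5", "198.51.100.7"
RDR = {(PUBLIC, 80): (PRIVATE, 8080)}

# Correct: ipfw runs before ipnat, so it must reference the public address.
IPFW_OK: List[Rule] = [
    ("allow http to public", lambda p: p.dst == PUBLIC and p.dport == 80, "pass"),
]
# Misconfiguration: written for the post-NAT address; never matches inbound.
IPFW_WRONG: List[Rule] = [
    ("allow http to private", lambda p: p.dst == PRIVATE and p.dport == 8080, "pass"),
]
# ipfilter runs after ipnat, so it references the translated address.
IPF: List[Rule] = [
    ("block all", lambda p: True, "block"),
    ("pass to private 8080", lambda p: p.dst == PRIVATE and p.dport == 8080, "pass"),
]


def demo():
    pkt = Packet(src=CLIENT, dst=PUBLIC, dport=80)
    ok, trace_ok = inbound_path(pkt, IPFW_OK, RDR, IPF)
    bad, trace_bad = inbound_path(pkt, IPFW_WRONG, RDR, IPF)
    return ok, bad, trace_ok, trace_bad


if __name__ == "__main__":
    verdict_ok, verdict_bad, t_ok, t_bad = demo()
    print("correct ruleset:", verdict_ok)
    for stage in t_ok:
        print("  ", stage)
    print("ipfw rule on private address:", verdict_bad)
    for stage in t_bad:
        print("  ", stage)
```

The trace for the working ruleset shows ipfw seeing 203.0.113.10 and ipfilter seeing 10.0.0.5 for the same packet; the second ruleset is dropped at ipfw with no match, which is the failure mode to look for when an inbound redirect "never arrives" on a host combining the two firewalls.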