From owner-freebsd-questions Mon Dec 15 08:34:04 1997
Return-Path: 
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id IAA11122 for questions-outgoing; Mon, 15 Dec 1997 08:34:04 -0800 (PST) (envelope-from owner-freebsd-questions)
Received: from Kitten.mcs.com (Kitten.mcs.com [192.160.127.90]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id IAA11117 for ; Mon, 15 Dec 1997 08:34:02 -0800 (PST) (envelope-from font@Jupiter.Mcs.Net)
Received: from Jupiter.Mcs.Net (font@Jupiter.mcs.net [192.160.127.88]) by Kitten.mcs.com (8.8.7/8.8.2) with ESMTP id KAA03914 for ; Mon, 15 Dec 1997 10:34:01 -0600 (CST)
Received: from localhost (font@localhost) by Jupiter.Mcs.Net (8.8.7/8.8.2) with SMTP id KAA19925 for ; Mon, 15 Dec 1997 10:34:01 -0600 (CST)
Date: Mon, 15 Dec 1997 10:34:00 -0600 (CST)
From: Font
To: questions@freebsd.org
Subject: natd and ipfw, how do they work together?
Message-ID: 
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

I am a typical user of natd, using a machine with two interfaces to connect my private network with the Internet. I am also using the ipfw firewall software. This is all under 2.2.5-RELEASE.

My question is, if I let a few machines on the private network access the Internet (but not others), how do I make sure that the firewall still functions when I am using natd?

For instance, let's say an internal nameserver at 192.168.1.1 is allowed to get out to the Internet for DNS queries, using the firewall/gateway at 192.168.1.2. I would allow this with

    ipfw add divert natd udp from 192.168.1.1 to any 53 via fxp1

where fxp1 is my outside interface on the firewall running ipfw. But when I want the result to come back, I have to send the packet back through natd again for translation. Until it's translated, though, I don't know what host it's for!

Therefore something like

    ipfw add divert natd udp from any to 192.168.1.1 53 via fxp1

won't work, because until natd translates fxp1's IP to 192.168.1.1, such a rule has no meaning.

Hence my question. When natd does its translation, is the translated packet resent as if it came from the outside again, only with internal addresses properly inserted? Or after a packet goes through natd, does it just go to its destination without delay? If the latter is the case, then I really need two firewalls, one to prevent unauthorized traffic from leaving the network, and one to perform natd on and to prevent unauthorized traffic from entering the network.

This is a pretty new experience for me, as we just got our T1, so if I've explained anything badly, please feel free to ask for more details.

Thanks,
dw

--
A bug in my MUA causes news.announce.newusers to be sent to beneficiaries and senders of UCE/SPAM.
font @ mcs.net
Wishes are like dishes.
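An added toy simulator (not FreeBSD code, and not part of the original post) that models the behaviour the question turns on: a packet that natd writes back to its divert socket re-enters the ipfw chain at the rule after the divert rule, so rules placed before the divert see private addresses and rules placed after it see translated ones, which is why one ruleset can police both directions. It assumes a single outside interface, a constructed public address 203.0.113.2 for fxp1, port-based aliasing, and a skipto action; check ipfw(8) and natd(8) for your release before relying on either.

```python
from collections import namedtuple

PUBLIC_IP = "203.0.113.2"                 # assumed public address of fxp1 (constructed)
DNS_SERVER = "192.168.1.1"                # the internal nameserver from the question
ANY = "any"
nat_table = {}                            # source port -> private address natd is aliasing
Packet = namedtuple("Packet", "src sport dst dport direction")   # direction: "in"/"out" on fxp1

def natd(pkt):
    """Toy aliasing: outbound packets get the public source address, replies are mapped back."""
    if pkt.direction == "out":
        nat_table[pkt.sport] = pkt.src
        return pkt._replace(src=PUBLIC_IP)
    inner = nat_table.get(pkt.dport)
    return pkt._replace(dst=inner) if inner else pkt

def in_net(addr, spec):                   # 'any', an exact address, or a.b.c.0/24
    return spec == ANY or addr == spec or (spec.endswith(".0/24") and addr.startswith(spec[:-5] + "."))

# (number, action, src, sport, dst, dport, direction); None matches any port
RULES = [
    (100, "skipto 300", DNS_SERVER, None, ANY, 53, "out"),         # authorised host, checked BEFORE NAT
    (200, "deny", "192.168.1.0/24", None, ANY, None, "out"),       # every other private host stays inside
    (300, "divert", ANY, None, ANY, None, ANY),                     # natd rewrites addresses here
    (400, "allow", ANY, 53, DNS_SERVER, None, "in"),               # replies: dst is private again by now
    (500, "allow", PUBLIC_IP, None, ANY, 53, "out"),               # the query leaves with the public src
    (65535, "deny", ANY, None, ANY, None, ANY),
]

def matches(rule, pkt):
    _, _, src, sport, dst, dport, direction = rule
    return (in_net(pkt.src, src) and in_net(pkt.dst, dst) and sport in (None, pkt.sport)
            and dport in (None, pkt.dport) and direction in (ANY, pkt.direction))

def ipfw(pkt):
    """Walk the chain in order; return (verdict, packet as it leaves the firewall)."""
    i = 0
    while i < len(RULES):
        action = RULES[i][1]
        if matches(RULES[i], pkt):
            if action == "divert":        # natd translates and writes it back; processing resumes
                pkt = natd(pkt)           # at the rule after the divert rule
            elif action.startswith("skipto"):
                target = int(action.split()[1])
                i = next(j for j, r in enumerate(RULES) if r[0] >= target)
                continue
            else:
                return action, pkt
        i += 1
    return "deny", pkt
```

Run an outbound query from 192.168.1.1 followed by its reply to see the source checked at rule 100 before translation and the destination checked at rule 400 after it; a query from any other private host is stopped at rule 200 before it ever reaches natd.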