From owner-freebsd-security Tue Jul 10 22:36:25 2001
Date: Wed, 11 Jul 2001 01:37:35 -0400 (EDT)
From: Francisco Reyes
To: "Jon O ."
Cc: FreeBSD Security List
Subject: Re: Fixed Can't ping/nslookup. Natd rule not on top
In-Reply-To: <20010710193644.A9624@networkcommand.com>
Message-ID: <20010711013121.L1479-100000@zoraida.natserv.net>

On Tue, 10 Jul 2001, Jon O . wrote:

> Francisco:
>
> The divert rule should be placed in your ruleset as needed and can't be defined as "always on top."
>
> For example, I connect to a Firewall-1/VPN-1 server using my FreeBSD gateway. In this case I don't want the divert rule applied to packets going to VPN machines because I want to come from the real inside network address, not a NAT'ed hide address. So, it can cause problems because you are allowing the packet through the firewall, but then don't notice what the divert rule is doing to it -- I've done it and I'm sure many other people have also. Once you figure it out, you'll always remember to look at the divert rule too.

Any recommendations where I could read more on NAT? The natd man page is a good start, but I was thinking more along the lines of a tutorial or examples.

Does NATD let the packets continue through IPFW after it changes the source address?
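The ordering effect Jon describes is easy to see with a small model of ipfw's first-match evaluation. The following is an added example, not code from the thread or from FreeBSD: it models a gateway whose outbound ruleset has a "let the LAN reach the VPN network untranslated" rule and a natd divert rule, and shows that the VPN rule only does its job when it sits above the divert. The addresses, rule layout and the simplified natd behaviour (source rewritten to the hide address, then evaluation resumes at the rule after the divert) are assumptions for the demonstration.

```python
import ipaddress

# Constructed addresses for the demonstration (not from the thread).
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed LAN behind the gateway
VPN_NET = ipaddress.ip_network("10.20.0.0/16")       # assumed network behind the VPN peer
HIDE_ADDR = "198.51.100.7"                           # assumed public address natd hides behind
LAN_HOST = "192.168.1.10"                            # assumed inside host sending traffic


def matches(addr, net):
    """'any' matches everything, otherwise require membership in the network."""
    return net == "any" or ipaddress.ip_address(addr) in net


def evaluate(rules, pkt):
    """Walk an ordered ruleset first-match style; return (action, packet as it leaves).

    Rules are (action, src_net, dst_net). A 'divert' rule models natd:
    the source is rewritten to HIDE_ADDR and the re-injected packet is
    matched against the rules that follow the divert, not from the top.
    """
    pkt = dict(pkt, nat=False)
    for action, src, dst in rules:
        if not (matches(pkt["src"], src) and matches(pkt["dst"], dst)):
            continue
        if action == "divert":
            pkt["src"] = HIDE_ADDR
            pkt["nat"] = True
            continue  # evaluation resumes at the next rule
        return action, pkt
    return "deny", pkt  # implicit default deny at the end of the ruleset


def ruleset(divert_first):
    """Two orderings of the same three rules; only the position of divert differs."""
    vpn_untranslated = ("allow", INSIDE_NET, VPN_NET)   # VPN peers must see the real LAN source
    natd_divert = ("divert", INSIDE_NET, "any")         # everything else from the LAN gets NATed
    catch_all = ("allow", "any", "any")
    if divert_first:
        return [natd_divert, vpn_untranslated, catch_all]
    return [vpn_untranslated, natd_divert, catch_all]


def trace(divert_first, dst):
    """Send one packet from LAN_HOST to dst; return (action, source seen on the wire, was_natted)."""
    action, pkt = evaluate(ruleset(divert_first), {"src": LAN_HOST, "dst": dst})
    return action, pkt["src"], pkt["nat"]


if __name__ == "__main__":
    for order in (False, True):
        label = "divert first" if order else "VPN rule first"
        print(label, "-> VPN host:", trace(order, "10.20.5.5"))
        print(label, "-> Internet host:", trace(order, "203.0.113.9"))
```

With the VPN rule above the divert, traffic to 10.20.0.0/16 leaves with its real LAN source and only Internet-bound traffic is translated. With the divert on top, the VPN-bound packet is already rewritten to the hide address by the time the VPN rule is reached, so that rule no longer matches it and the packet falls through to the catch-all, translated: the firewall "allowed" it, but not in the form the VPN peer expects. The check a practitioner wants here is exactly this kind of trace for each traffic class, with the divert treated as a rule that changes what later rules will see.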