From owner-freebsd-security  Tue Jul 10 23: 5:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from stuart.microshaft.org (ns1.microshaft.org [208.201.249.2])
	by hub.freebsd.org (Postfix) with ESMTP id 0140037B403
	for <freebsd-security@FreeBSD.ORG>; Tue, 10 Jul 2001 23:05:20 -0700 (PDT)
	(envelope-from jono@stuart.microshaft.org)
Received: (from jono@localhost)
	by stuart.microshaft.org (8.9.3/8.9.3) id XAA10297;
	Tue, 10 Jul 2001 23:05:15 -0700 (PDT)
	(envelope-from jono)
Date: Tue, 10 Jul 2001 23:05:15 -0700
From: "Jon O ." <jono@microshaft.org>
To: Francisco Reyes <lists@natserv.com>
Cc: "Jon O ." <jono@microshaft.org>,
	FreeBSD Security List <freebsd-security@FreeBSD.ORG>
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top
Message-ID: <20010710230515.B9747@networkcommand.com>
Reply-To: "jono@networkcommand.com" <jono@microshaft.org>
References: <20010710193644.A9624@networkcommand.com> <20010711013121.L1479-100000@zoraida.natserv.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20010711013121.L1479-100000@zoraida.natserv.net>; from lists@natserv.com on Wed, Jul 11, 2001 at 01:37:35AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On 11-Jul-2001, Francisco Reyes wrote:
> On Tue, 10 Jul 2001, Jon O . wrote:
> > Francisco:
> >
> > The divert rule should be placed in your ruleset as needed and can't be defined as "always on top."
> >
> Any recommendations where I could read more on NAT?
> The natd man page is a good start, but I was thinking more along the
> lines of a tutorial or examples.

Not that I can think of off the top of my head. You can always do like I do and run it -v so you see every packet. Might not be feasible on a high traffic link.


> 
> Does NATD let the packets continue through IPFW after it changes the
> source address?

You can do this type of thing with dummynet(4) packets, but I don't think the same applies to ipfw allow/deny rules.

  net.inet.ip.fw.one_pass: 1
             When set, the packet exiting from the dummynet(4) pipe is not
             passed though the firewall again.  Otherwise, after a pipe
             action, the packet is reinjected into the firewall at the next
             rule.

However, this might really be the best way to do things. I use ACLs on Cisco routers quite a bit and also Firewall-1. Neither of these allow a packet to match a NAT rule and then a Firewall rule by dropping the packet back through the rules. With dummy net it's because you want to still firewall the rate-limited packets. 

Like I said, someone else might provide another suggestion that is more like you are suggesting, but for me I just want the packet to match once otherwise I'd get really confused (more than normal). 


Thanks,
Jon 

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message