From owner-freebsd-security Tue Jul 10 23: 5:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from stuart.microshaft.org (ns1.microshaft.org [208.201.249.2]) by hub.freebsd.org (Postfix) with ESMTP id 0140037B403 for ; Tue, 10 Jul 2001 23:05:20 -0700 (PDT) (envelope-from jono@stuart.microshaft.org)
Received: (from jono@localhost) by stuart.microshaft.org (8.9.3/8.9.3) id XAA10297; Tue, 10 Jul 2001 23:05:15 -0700 (PDT) (envelope-from jono)
Date: Tue, 10 Jul 2001 23:05:15 -0700
From: "Jon O ."
To: Francisco Reyes
Cc: "Jon O ." , FreeBSD Security List
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top
Message-ID: <20010710230515.B9747@networkcommand.com>
Reply-To: "jono@networkcommand.com"
References: <20010710193644.A9624@networkcommand.com> <20010711013121.L1479-100000@zoraida.natserv.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20010711013121.L1479-100000@zoraida.natserv.net>; from lists@natserv.com on Wed, Jul 11, 2001 at 01:37:35AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On 11-Jul-2001, Francisco Reyes wrote:
> On Tue, 10 Jul 2001, Jon O . wrote:
> > Francisco:
> >
> > The divert rule should be placed in your ruleset as needed and can't be
> > defined as "always on top."
>
> > Any recommendations where I could read more on NAT?
>
> The natd man page is a good start, but I was thinking more along the
> lines of a tutorial or examples.

Not that I can think of off the top of my head. You can always do like I do and run it -v so you see every packet. Might not be feasible on a high-traffic link.

> > Does NATD let the packets continue through IPFW after it changes the
> > source address?

You can do this type of thing with dummynet(4) packets, but I don't think the same applies to ipfw allow/deny rules.

net.inet.ip.fw.one_pass: 1

    When set, the packet exiting from the dummynet(4) pipe is not passed
    through the firewall again. Otherwise, after a pipe action, the packet
    is reinjected into the firewall at the next rule.

However, this might really be the best way to do things. I use ACLs on Cisco routers quite a bit and also Firewall-1. Neither of these allows a packet to match a NAT rule and then a firewall rule by dropping the packet back through the rules. With dummynet it's because you want to still firewall the rate-limited packets. Like I said, someone else might provide another suggestion that is more like what you are suggesting, but for me I just want the packet to match once; otherwise I'd get really confused (more than normal).

Thanks,
Jon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
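The rule order the thread is arguing about, as an added example that is not part of this message and is not taken from the FreeBSD rc.firewall scripts: an ipfw(8) rule file of the kind loaded by pointing firewall_type in rc.conf at its path (with firewall_enable, gateway_enable, natd_enable and natd_interface set as well). The interface names (fxp0 outside, xl0 inside), the LAN 192.168.1.0/24 and the public address 203.0.113.2 are assumptions for illustration. natd(8) works through a divert(4) socket; when natd writes a rewritten packet back to that socket, the kernel re-injects it into ipfw at the rule after the divert rule (the re-entry point travels in the sockaddr natd hands back, see divert(4)), so every rule below the divert sees the translated addresses. That is independent of net.inet.ip.fw.one_pass, which the sysctl description quoted above ties to dummynet pipe exits. Practically, it means inbound ping replies and DNS answers have to be allowed to the private destination, not to the public one, and outbound LAN traffic has to be allowed by its post-NAT source; getting that wrong is exactly what produces "can't ping / nslookup" with the divert rule in the wrong place.

```conf
# ipfw rule file (assumed path /etc/ipfw.rules, loaded via firewall_type="/etc/ipfw.rules").
# Assumed for this example: fxp0 = outside, xl0 = inside LAN,
# LAN = 192.168.1.0/24, public address of fxp0 = 203.0.113.2.
-f flush

# Loopback: never translated, never filtered beyond the usual sanity checks.
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any

# NAT comes first on the outside interface, both directions ("via").
# natd rewrites the packet and writes it back to its divert socket; the kernel
# re-injects it at the next rule (300), so everything below sees translated
# addresses.  Port name "natd" resolves through /etc/services (8668/divert).
add 200 divert natd ip from any to any via fxp0

# Outbound: by the time a LAN packet reaches this rule its source is already
# 203.0.113.2, so "from 192.168.1.0/24 out via fxp0" would never match here.
add 300 allow ip from 203.0.113.2 to any out via fxp0

# Anti-spoofing on the outside interface (private sources must not arrive there).
add 310 deny ip from 192.168.1.0/24 to any in via fxp0
add 320 deny ip from 10.0.0.0/8 to any in via fxp0

# Inbound replies: natd has already rewritten the destination back to the LAN
# host, so the destination is 192.168.1.x here, not 203.0.113.2.
add 400 allow tcp from any to 192.168.1.0/24 in via fxp0 established
add 410 allow udp from any 53 to 192.168.1.0/24 in via fxp0
add 420 allow icmp from any to 192.168.1.0/24 in via fxp0 icmptypes 0,3,11

# Inside interface carries untranslated traffic; allow it wholesale.
add 500 allow ip from any to any via xl0

# Default deny, logged so "natd -v" and the ipfw log can be read side by side.
add 65000 deny log ip from any to any
```

Unsolicited inbound packets for 203.0.113.2 that natd has no mapping for pass through the divert unchanged and fall to rule 65000, which is the same effect the divert rule's author would otherwise reach for with natd -deny_incoming. The ordering lesson is the one Jon gives above: the divert rule goes where the translation has to happen, not "on top" by convention, and the rules after it are written against the addresses the packet has once it comes back from natd.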