Date: Tue, 10 Jul 2001 23:05:15 -0700
From: "Jon O ." <jono@microshaft.org>
To: Francisco Reyes <lists@natserv.com>
Cc: "Jon O ." <jono@microshaft.org>, FreeBSD Security List <freebsd-security@FreeBSD.ORG>
Subject: Re: Fixed Cant ping/nslookup. Natd rule not on top
Message-ID: <20010710230515.B9747@networkcommand.com>
In-Reply-To: <20010711013121.L1479-100000@zoraida.natserv.net>; from lists@natserv.com on Wed, Jul 11, 2001 at 01:37:35AM -0400
References: <20010710193644.A9624@networkcommand.com> <20010711013121.L1479-100000@zoraida.natserv.net>
On 11-Jul-2001, Francisco Reyes wrote:
> On Tue, 10 Jul 2001, Jon O . wrote:
> > Francisco:
> >
> > The divert rule should be placed in your ruleset as needed and can't be defined as "always on top."
>
> Any recommendations where I could read more on NAT?
> The natd man page is a good start, but I was thinking more along the
> lines of a tutorial or examples.

Not that I can think of off the top of my head. You can always do like I do and run it -v so you see every packet. Might not be feasible on a high traffic link.

> Does NATD let the packets continue through IPFW after it changes the
> source address?

You can do this type of thing with dummynet(4) packets, but I don't think the same applies to ipfw allow/deny rules.

net.inet.ip.fw.one_pass: 1
When set, the packet exiting from the dummynet(4) pipe is not passed though the firewall again. Otherwise, after a pipe action, the packet is reinjected into the firewall at the next rule.

However, this might really be the best way to do things. I use ACLs on Cisco routers quite a bit and also Firewall-1. Neither of these allows a packet to match a NAT rule and then a firewall rule by dropping the packet back through the rules. With dummynet it's because you want to still firewall the rate-limited packets.

Like I said, someone else might provide another suggestion that is more like you are suggesting, but for me I just want the packet to match once, otherwise I'd get really confused (more than normal).

Thanks,
Jon
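The point of the thread is that the natd divert rule is an ordinary rule whose position in the ipfw ruleset has to be chosen deliberately. As an added illustration, not code from the thread or from the FreeBSD project, here is a small rc.firewall-style script that emits a natd gateway ruleset with the divert rule placed after loopback and anti-spoofing checks and before the allow/deny rules, plus a helper for checking where a rule landed. The external interface name (`ep0`), the ipfw path and the rule numbers are assumed placeholders; `8668` is natd's default divert port. The ruleset contains no pipe rules, so the `net.inet.ip.fw.one_pass` sysctl quoted above does not come into play here.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal ipfw ruleset for a natd
# gateway that places the divert rule explicitly instead of assuming it
# sits "on top". Interface name, ipfw path and rule numbers are assumed.
IPFW=${IPFW:-/sbin/ipfw}      # assumed path; override to inspect or dry-run
OIF=${OIF:-ep0}               # assumed external interface name
NATD_PORT=${NATD_PORT:-8668}  # natd's default divert port

# Print the ruleset as ipfw commands. Nothing is applied unless the caller
# pipes the output to sh (as root), so the function can be reviewed offline.
emit_rules() {
    cat <<EOF
$IPFW -f flush
# Loopback traffic never reaches NAT.
$IPFW add 100 allow ip from any to any via lo0
$IPFW add 200 deny ip from any to 127.0.0.0/8
# Anti-spoofing on the external interface, evaluated before natd sees anything.
$IPFW add 300 deny ip from 10.0.0.0/8 to any in via $OIF
$IPFW add 310 deny ip from 172.16.0.0/12 to any in via $OIF
$IPFW add 320 deny ip from 192.168.0.0/16 to any in via $OIF
# Hand packets crossing $OIF to natd here, and no earlier.
$IPFW add 1000 divert $NATD_PORT ip from any to any via $OIF
# Filtering on the translated addresses comes after natd.
$IPFW add 2000 allow tcp from any to any established
$IPFW add 2100 allow udp from any 53 to any
$IPFW add 2200 allow icmp from any to any icmptypes 0,3,8,11
$IPFW add 65000 deny log ip from any to any
EOF
}

# Line number of the first emitted line matching a pattern, so a reviewer
# can confirm the ordering (for example that the divert precedes the allows).
rule_line() {
    emit_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Usage (as root, after reviewing the output):  emit_rules | sh
```

The emitted order is the whole point: `rule_line divert` is smaller than `rule_line 'allow tcp'` and larger than the anti-spoofing `deny` lines, so translated packets are filtered by the rules that follow the divert and spoofed packets never reach natd at all.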