Date: Thu, 10 Jul 1997 12:27:22 -0400 (EDT)
From: Charles Owens
To: hackers list FreeBSD
cc: ari.suutari@ps.carel.fi
Subject: ipfw rules processing order when DIVERTing

Hi all,

I'm a bit unsure about the order in which ipfw rules get processed in
relation to a DIVERT rule that calls natd(8). Note the last few sentences
from this excerpt from the natd(8) man page:

    /sbin/ipfw -f flush
    /sbin/ipfw add divert 6668 all from any to any via ed0
    /sbin/ipfw add pass all from any to any

    The second line depends on your interface and assumes that you've
    updated /etc/services as above. If you specify real firewall rules,
--->it's best to specify line 2 at the start of the script so that natd
--->sees all packets before they are dropped by the firewall. The fire-
--->wall rules will be run again on each packet after translation by
--->natd, minus any divert rules.

If I take this as literally as I can, I interpret it as follows:

  * Rules before divert rule processed
  * Divert rule ships all packets not dropped by above rules to natd for
    address translation
  * Packets return from natd and are then subjected to ALL rules, except
    this time divert rule is skipped

This is somewhat counter-intuitive to me.
If this is how it works, what is the reason for this design, since, as I
think about it, there must be a performance penalty to this approach
(multiple passes of rules).

I had expected it to work like this:

  * Rules before divert rule processed
  * Divert rule ships all packets not dropped by above rules to natd for
    address translation
  * Packets return from natd and remaining rules after divert rule are
    processed

What is the real story?

Thanks very much,

---
-------------------------------------------------------------------------
Charles N. Owens                               Email: owensc@enc.edu
                                             http://www.enc.edu/~owensc
Network & Systems Administrator
Information Technology Services
Eastern Nazarene College
          "Outside of a dog, a book is a man's best friend.
           Inside of a dog it's too dark to read." - Groucho Marx
-------------------------------------------------------------------------
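To make the two readings of the man page concrete, here is an added toy model of rule processing (constructed for this archive page, not code from the thread, from ipfw or from natd). It runs the same simplified ruleset under both interpretations, the man page's wording (all rules run again after translation, minus divert rules) and the poster's expectation (only the rules after the divert rule run), and shows that they give different verdicts as soon as a rule sits in front of the divert rule, which is exactly why the man page says to put the divert rule first. Addresses, ports and the one-way NAT are all constructed assumptions.

```python
from dataclasses import dataclass, replace

PUBLIC_IP = "203.0.113.1"   # constructed: address the NAT box shows outside
INSIDE_IP = "192.168.1.5"   # constructed: host behind natd


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Simplified rule: (action, destination or "any", destination port or None).
# A "divert" rule hands the packet to natd, as in the natd(8) excerpt.
DENY_BEFORE_DIVERT = [("deny", INSIDE_IP, 23), ("divert", "any", None), ("pass", "any", None)]
DIVERT_FIRST = [("divert", "any", None), ("deny", INSIDE_IP, 23), ("pass", "any", None)]


def matches(rule, pkt):
    _, dst, dport = rule
    return (dst == "any" or dst == pkt.dst) and (dport is None or dport == pkt.dport)


def natd(pkt):
    """Toy inbound translation only: public address -> inside host."""
    return replace(pkt, dst=INSIDE_IP) if pkt.dst == PUBLIC_IP else pkt


def run(rules, pkt, rerun_from_top):
    """Return (verdict, number of rule evaluations).

    rerun_from_top=True  models the man page wording: after natd the whole
                         list is run again, skipping divert rules.
    rerun_from_top=False models the poster's expectation: processing resumes
                         at the rule after the divert rule.
    Unmatched packets fall through to a default deny (assumption).
    """
    evaluated, i, after_natd = 0, 0, False
    while i < len(rules):
        rule = rules[i]
        if rule[0] == "divert" and after_natd:
            i += 1                      # divert rules are skipped on the second pass
            continue
        evaluated += 1
        if matches(rule, pkt):
            if rule[0] == "divert":
                pkt, after_natd = natd(pkt), True
                i = 0 if rerun_from_top else i + 1
                continue
            return rule[0], evaluated
        i += 1
    return "deny", evaluated


TELNET_IN = Packet("198.51.100.7", PUBLIC_IP, 23)  # constructed inbound packet
```

Under the man page model the telnet packet is translated and then caught by the deny rule even though that rule precedes the divert; under the poster's model it is passed, and the extra evaluations on the second pass are the performance cost the post asks about.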