From owner-freebsd-net Mon Feb 3 22:32:38 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07D2B37B401 for ; Mon, 3 Feb 2003 22:32:37 -0800 (PST)
Received: from pit.databus.com (p70-227.acedsl.com [66.114.70.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0066443FA3 for ; Mon, 3 Feb 2003 22:32:36 -0800 (PST) (envelope-from barney@pit.databus.com)
Received: from pit.databus.com (localhost [127.0.0.1]) by pit.databus.com (8.12.6/8.12.6) with ESMTP id h146WLTi003223; Tue, 4 Feb 2003 01:32:21 -0500 (EST) (envelope-from barney@pit.databus.com)
Received: (from barney@localhost) by pit.databus.com (8.12.6/8.12.6/Submit) id h146WLq6003222; Tue, 4 Feb 2003 01:32:21 -0500 (EST) (envelope-from barney)
Date: Tue, 4 Feb 2003 01:32:21 -0500
From: Barney Wolff
To: Mikhail Teterin
Cc: net@FreeBSD.ORG
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <20030204063221.GA3032@pit.databus.com>
References: <200302040027.30781@aldan>
In-Reply-To: <200302040027.30781@aldan>
User-Agent: Mutt/1.4i

On Tue, Feb 04, 2003 at 12:27:30AM -0500, Mikhail Teterin wrote:
>
> This question bothered me for a while -- most of the traffic on my LAN
> is just that -- local. Yet my gw/firewall machine only has one interface
> -- with two IP addresses -- private and public on it.
>
> The DSL modem is plugged into the switch just like everything else.
>
> I doubt this is a unique setup.
>
> ...
>
> # Stop spoofing
> # How?

You've pointed out for yourself the fatal problem with this setup. Get a
cheap 10baseT card to talk to the DSL modem. Are you out of slots?

If you insist on using only one NIC, putting a "pass ip LN LN" right after
the lo0/127 rules will minimize overhead for local traffic.

If you need protection from the other hosts on your LAN, there are things
running on your firewall that should not be there.

--
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
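What the suggested "pass ip LN LN" placement looks like in a concrete ipfw(8) ruleset, as an added example that is not part of the original thread or of FreeBSD's rc.firewall. It assumes a single NIC named fxp0, a private LAN of 192.168.1.0/24, natd(8) on its default divert port 8668, and illustrative rule numbers; all of these are assumptions. With DRY_RUN=1 (the default) the script prints the ipfw commands instead of loading them, so the rule order can be inspected on any machine:

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed values: one NIC
# (fxp0) carrying both the private 192.168.1.0/24 LAN and the public
# address, natd(8) on divert port 8668 (its default), illustrative rule
# numbers. DRY_RUN=1 prints the rules; DRY_RUN=0 loads them with /sbin/ipfw.

NAT_LAN="192.168.1.0/24"
NAT_IF="fxp0"
NATD_PORT="8668"
DRY_RUN="${DRY_RUN:-1}"

fw() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw "$@"
    fi
}

ruleset() {
    fw -f flush
    # Loopback handling first, the same shape as the stock lo0/127 rules.
    fw add 100 pass all from any to any via lo0
    fw add 200 deny all from any to 127.0.0.0/8
    fw add 300 deny ip from 127.0.0.0/8 to any
    # The bypass from the reply: LAN-to-LAN packets need no translation, and
    # since ipfw stops at the first matching rule, placing it here keeps every
    # local packet out of the divert socket and out of natd's lookup path.
    fw add 400 pass ip from "$NAT_LAN" to "$NAT_LAN"
    # Everything else crossing the NIC is handed to natd for translation.
    fw add 500 divert "$NATD_PORT" ip from any to any via "$NAT_IF"
    # Remaining policy follows the divert rule. With a single NIC there is no
    # interface to key anti-spoofing rules on, which is the problem the reply
    # points out; nothing here pretends to solve that.
    fw add 65000 pass ip from any to any
}

# Returns 0 when the LAN bypass rule is numbered below the divert rule,
# i.e. local traffic is matched before it can reach natd.
bypass_precedes_divert() {
    ruleset | awk '
        /pass ip from/ && bypass == 0 { bypass = $3 }
        /divert/       && divert == 0 { divert = $3 }
        END { exit !(bypass > 0 && divert > 0 && bypass < divert) }'
}

ruleset
```

The bypass is keyed on source and destination address, not on an interface, which is why it works at all on a one-NIC gateway and also why it offers no spoofing protection: any host on the switch can forge a 192.168.1.x source and still match rule 400. That is the trade-off the reply is describing when it recommends a second card instead.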