From owner-freebsd-security@FreeBSD.ORG Thu May 22 22:42:30 2003
From: "Nikolay Kanchev"
To: "Jer"
Cc: freebsd-security@freebsd.org
Subject: Re: NAT+IPFW
Date: Fri, 23 May 2003 08:45:18 +0200
Message-ID: <001c01c320f6$e212ea80$0d00a8c0@amkdrives.bg>
References: <5.2.0.9.2.20030522181931.00baf808@computer.multihaven.org>

----- Original Message -----
Sent: Friday, May 23, 2003 12:22 AM
Subject: NAT+IPFW

> Dear all
>
> I need to do the following
>
> I have a fbsd router that runs nat and routes some public IP addresses
>
> I need to use the ipfw rules to deny traffic from the public IP's AND the
> nat to do bandwidth limiting
>
> eg
> deny tcp from 192.168.200.1 to www.yahoo.com http out
> and
> deny tcp from 24.199.213.1 to www.yahoo.com http out
>
> my questions are where do I place the rules in relation to the
> divert rules etc

Hi,

After diverting packets to the NAT interface, IPFW continues to check the next rules after the divert rule, therefore you should place your rules after the divert rule.

Best regards,
Nikolay Kanchev