From owner-freebsd-net@FreeBSD.ORG Sat Oct 21 22:14:10 2006
Date: Sat, 21 Oct 2006 17:14:06 -0500
From: "Matthew D. Fuller" <fullermd@over-yonder.net>
To: Brett Glass
Cc: piso@freebsd.org, net@freebsd.org
Subject: Re: Avoiding natd overhead
Message-ID: <20061021221406.GP75501@over-yonder.net>
In-Reply-To: <200610212154.PAA11668@lariat.net>
References: <200610210648.AAA01737@lariat.net> <20061021095808.GH75501@over-yonder.net> <200610212154.PAA11668@lariat.net>
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Oct 21, 2006 at 03:54:06PM -0600 I heard the voice of Brett Glass,
and lo! it spake thus:

> Also, more than once I've locked myself out of a machine when trying
> to restart NAT with a different configuration;

The trick I've adopted for this is to have allow rules for port 22 both
directions BEFORE the divert rule for natd.  That way even if it's down, I
can still talk ssh.

-- 
Matthew Fuller     (MF4839)   |  fullermd@over-yonder.net
Systems/Network Administrator |  http://www.over-yonder.net/~fullermd/
           On the Internet, nobody can hear you scream.
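The rule ordering described in the reply, as an added example (not code from the message or from FreeBSD's rc.firewall): ssh allow rules numbered ahead of the natd divert rule. It goes one step beyond the message by scoping the ssh rules to the gateway itself with ipfw's `me` keyword, so ssh forwarded to inside hosts still traverses NAT. The external interface name `em0`, the `EXT_IF`/`FWCMD` environment variables and the trailing catch-all rule are assumptions; by default the script only prints the ipfw commands.

```shell
#!/bin/sh
# Added example: ipfw rule skeleton that keeps an ssh path onto the gateway
# while natd is down or being restarted. Rule numbers fix evaluation order:
# lower numbers are matched first.
# Assumptions: outside interface em0 (placeholder, override with EXT_IF),
# natd bound to the divert port named "natd" in /etc/services, ssh on tcp/22.
# Set FWCMD=/sbin/ipfw to apply the rules instead of printing them.

ext_if="${EXT_IF:-em0}"
fwcmd="${FWCMD:-echo /sbin/ipfw}"

ssh_safe_nat_rules() {
    # 100/110: ssh to and from this host itself ("me") on the outside
    # interface. Scoping to "me" means ssh that is port-forwarded to inside
    # hosts is not exempted from NAT by these rules.
    $fwcmd -q add 100 allow tcp from any to me 22 in via "$ext_if"
    $fwcmd -q add 110 allow tcp from me 22 to any out via "$ext_if"

    # 200: everything else crossing the outside interface is handed to natd.
    # With no natd listening on the divert port, packets reaching this rule
    # are dropped, but ssh to the gateway was already accepted above.
    $fwcmd -q add 200 divert natd ip from any to any via "$ext_if"

    # 300: placeholder for the rest of the policy (a real ruleset continues
    # with its own allow/deny rules here).
    $fwcmd -q add 300 allow ip from any to any
}

# Returns 0 when the emitted ruleset lists the ssh allow rule before the
# divert rule, i.e. the property the message relies on.
ssh_rules_precede_divert() {
    ssh_safe_nat_rules | awk '
        /allow tcp from any to me 22/ && !ssh { ssh = NR }
        /divert natd/                        { div = NR }
        END { exit !(ssh && div && ssh < div) }'
}

ssh_safe_nat_rules
```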