From owner-freebsd-ipfw  Fri Feb 15  9:18:44 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from gate.killian.com (gate.killian.com [205.179.65.162])
	by hub.freebsd.org (Postfix) with ESMTP
	id 5ABB237B400; Fri, 15 Feb 2002 09:18:40 -0800 (PST)
Received: (from smtp@localhost)
	by gate.killian.com (8.11.6/8.11.6) id g1FHIbJ37362;
	Fri, 15 Feb 2002 09:18:37 -0800 (PST)
	(envelope-from earl@killian.com)
Received: from sax.killian.com(199.165.155.18)
 via SMTP by gate.killian.com, id smtpdXTvTxk; Fri Feb 15 09:18:29 2002
From: "Earl A. Killian" <earl@killian.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15469.17124.999950.13271@sax.killian.com>
Date: Fri, 15 Feb 2002 09:18:28 -0800
To: Chris Dillon <cdillon@wolves.k12.mo.us>
Cc: "Rogier R. Mulhuijzen" <drwilco@drwilco.net>,
	Michael Sierchio <kudzu@tenebras.com>, Luigi Rizzo <rizzo@icir.org>,
	<freebsd-ipfw@FreeBSD.ORG>, <freebsd-net@FreeBSD.ORG>
Subject: Re: Bug in stateful code?
In-Reply-To: <Pine.BSF.4.32.0202151003240.92211-100000@mail.wolves.k12.mo.us>
References: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>
	<Pine.BSF.4.32.0202151003240.92211-100000@mail.wolves.k12.mo.us>
X-Mailer: VM 7.00 under 21.4 (patch 5) "Civil Service" XEmacs Lucid
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

Chris Dillon writes:
 > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST)
 > From: Chris Dillon <cdillon@wolves.k12.mo.us>
 > 
 > If you have the luxury of having more than one IP address available
 > for the outside interface, you can dedicate one address to natd's use,
 > and the other to the host machine.  Use -deny_incoming on natd, and
 > use whatever rules you want, including stateful, on the non-NAT
 > address.  This is what I've done and it works fine.

This sounds promising, but I am confused by the man page on
-deny_incoming.  Perhaps you could clarify?  It says, "Do not pass
incoming packets that have no entry in the internal translation
table."  Which internal translation table do they mean?  If this is
the translation table set up when an internal host packet is forwarded
to the internet, I don't see how a connection ever gets established.
Does "internal translation table" mean something else?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message