From owner-freebsd-ipfw  Fri Feb 15  9:39:45 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18])
	by hub.freebsd.org (Postfix) with SMTP id F1C0237B402
	for <freebsd-ipfw@FreeBSD.ORG>; Fri, 15 Feb 2002 09:39:37 -0800 (PST)
Received: (qmail 4032 invoked from network); 15 Feb 2002 17:39:37 -0000
Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241)
  by 0 with SMTP; 15 Feb 2002 17:39:37 -0000
Message-ID: <3C6D47D9.10003@tenebras.com>
Date: Fri, 15 Feb 2002 09:39:37 -0800
From: Michael Sierchio <kudzu@tenebras.com>
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.7) Gecko/20020131
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Earl A. Killian" <earl@killian.com>
Cc: Chris Dillon <cdillon@wolves.k12.mo.us>,
	"Rogier R. Mulhuijzen" <drwilco@drwilco.net>,
	Luigi Rizzo <rizzo@icir.org>, freebsd-ipfw@FreeBSD.ORG,
	freebsd-net@FreeBSD.ORG
Subject: Re: Bug in stateful code?
References: <5.1.0.14.0.20020214221354.01c37da0@mail.drwilco.net>	<Pine.BSF.4.32.0202151003240.92211-100000@mail.wolves.k12.mo.us> <15469.17124.999950.13271@sax.killian.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-ipfw.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-ipfw>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-ipfw>
X-Loop: FreeBSD.ORG

Earl A. Killian wrote:

> Chris Dillon writes:
>  > Date: Fri, 15 Feb 2002 10:20:39 -0600 (CST)
>  > From: Chris Dillon <cdillon@wolves.k12.mo.us>
>  > 
>  > If you have the luxury of having more than one IP address available
>  > for the outside interface, you can dedicate one address to natd's use,
>  > and the other to the host machine.  Use -deny_incoming on natd, and
>  > use whatever rules you want, including stateful, on the non-NAT
>  > address.  This is what I've done and it works fine.
> 
> This sounds promising, but I am confused by the man page on
> -deny_incoming.  Perhaps you could clarify?  It says, "Do not pass
> incoming packets that have no entry in the internal translation
> table."  Which internal translation table do they mean?  If this is
> the translation table set up when an internal host packet is forwarded
> to the internet, I don't see how a connection ever gets established.
> Does "internal translation table" mean something else?


It's a 'natd' option, which says not to pass incoming packets (from
the nat'd interface, presumably the external interface) which
aren't part of established "connections"  -- the internal translation
table is internal to natd.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message