Date:      Fri, 11 Jul 1997 14:20:24 -0400 (EDT)
From:      Charles Owens <owensc@enc.edu>
To:        BRiGHTMN <brightmn@a-v25.rh.sunyit.edu>
Cc:        hackers list FreeBSD <freebsd-hackers@FreeBSD.ORG>, ari.suutari@ps.carel.fi
Subject:   Re: ipfw rules processing order when DIVERTing
Message-ID:  <Pine.FBS.3.93.970711141844.12074D-100000@dingo.its.enc.edu>
In-Reply-To: <Pine.BSF.3.95q.970622133642.26178A-100000@server.local.sunyit.edu>

On Sun, 22 Jun 1997, BRiGHTMN wrote:

> it works like so:
> first matched = action
> 
> if you want anything firewalled out put it before it hits natd
> 
>            /sbin/ipfw -f flush
>            /sbin/ipfw add 100 deny ip from evil.place.org to any
>            /sbin/ipfw add 200 divert 6668 all from any to any via ed0
>            /sbin/ipfw add 300 pass all from any to any
> the numbers are the order that way if you decide to change anything you
> can:
>            /sbin/ipfw delete 200
> to get rid of the natd...
> 
> if you want you can take a look at my natd configuration files i'm going
> to post them on my webpage:
> 
> www.cs.sunyit.edu/~perlsta
> 
> it should be up later tonight...


Thanks... where on your marvey site might this be located?  :-)

BTW, yesterday afternoon when I checked I got snappy response from your
web server.  Today it seems to be crawling mighty slow.

Thanks,

Chuck

> 
> > Hi all,
> > 
> > I'm a bit unsure about the order in which ipfw rules get processed in
> > relation to a DIVERT rule that calls natd(8).  Note the last few sentences
> > from this excerpt from the natd(8) man page:
> > 
> >           /sbin/ipfw -f flush
> >           /sbin/ipfw add divert 6668 all from any to any via ed0
> >           /sbin/ipfw add pass all from any to any
> >         The second line depends on your interface and assumes that you've
> >         updated /etc/services as above.  If you specify real firewall rules,
> >   --->  it's best to specify line 2 at the start of the script so that natd
> >   --->  sees all packets before they are dropped by the firewall.  The fire-
> >   --->  wall rules will be run again on each packet after translation by
> >   --->  natd, minus any divert rules.
> > 
> > If I take this as literally as I can, I interpret it as follows
> > 
> > 	* Rules before divert rule processed
> > 	* Divert rule ships all packets not dropped by above rules
> > 		to natd for address translation
> > 	* Packets return from natd and are then subjected to ALL rules,
> > 		except this time divert rule is skipped
> > 
> > This is somewhat counter-intuitive to me.  If this how it works, what is
> > the reason for this design, since, as I think about it, there must be a
> > performance penalty to this approach (multiple passes of rules).  I had
> > expected it to work like this:
> > 
> >         * Rules before divert rule processed
> >         * Divert rule ships all packets not dropped by above rules
> >                 to natd for address translation
> >         * Packets return from natd and remaining rules after divert rule
> > 		are processed
> > 
> > What is the real story?
> > 
> > Thanks very much,
> > ---
> > -------------------------------------------------------------------------
> >   Charles N. Owens                               Email:  owensc@enc.edu
> >                                              http://www.enc.edu/~owensc
> >   Network & Systems Administrator
> >   Information Technology Services  "Outside of a dog, a book is a man's
> >   Eastern Nazarene College         best friend.  Inside of a dog it's 
> >                                    too dark to read." - Groucho Marx
> > -------------------------------------------------------------------------

---
-------------------------------------------------------------------------
  Charles N. Owens                               Email:  owensc@enc.edu
                                             http://www.enc.edu/~owensc
  Network & Systems Administrator
  Information Technology Services  "Outside of a dog, a book is a man's
  Eastern Nazarene College         best friend.  Inside of a dog it's 
                                   too dark to read." - Groucho Marx
-------------------------------------------------------------------------
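As an added illustration that is not part of the thread, here is a small Python model of the two processing orders being contrasted: first-match evaluation with a divert rule, where the pass after natd either re-runs every rule minus the divert rules (as the quoted natd(8) text says) or simply continues after the divert rule (as the original poster expected). The addresses, the natd stand-in and rule 150 are constructed for the example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    number: int
    action: str        # "deny", "pass" or "divert"
    src: str = "any"   # "any" or one exact address (constructed simplification)
    dst: str = "any"

    def matches(self, pkt):
        return self.src in ("any", pkt.src) and self.dst in ("any", pkt.dst)

def natd(pkt, inside_prefix="10.0.0.", public="192.0.2.1"):
    """Constructed stand-in for natd: rewrite inside source addresses to the public one."""
    return replace(pkt, src=public) if pkt.src.startswith(inside_prefix) else pkt

def run_ipfw(rules, pkt, model="rerun_all"):
    """First-match evaluation; returns (action, numbers of the rules that fired).
    "rerun_all": after natd every rule runs again except divert rules (natd(8) text).
    "continue": processing resumes after the divert rule (the poster's expectation)."""
    rules = sorted(rules, key=lambda r: r.number)
    trace, i, translated = [], 0, False
    while i < len(rules):
        rule = rules[i]
        i += 1
        if rule.action == "divert":
            if translated or not rule.matches(pkt):
                continue                 # divert rules are skipped on the second pass
            trace.append(rule.number)
            pkt, translated = natd(pkt), True
            if model == "rerun_all":
                i = 0                    # second pass starts again at the first rule
        elif rule.matches(pkt):
            trace.append(rule.number)
            return rule.action, trace
    return "deny", trace                 # nothing matched: default deny

# Constructed ruleset in the shape of the thread's example; rule 150 is added to show
# that a rule placed before the divert is re-applied to the translated packet.
RULES = [
    Rule(100, "deny", src="203.0.113.7"),   # stands in for evil.place.org
    Rule(150, "deny", src="192.0.2.1"),     # can only match after translation
    Rule(200, "divert"),                    # divert 6668 all from any to any via ed0
    Rule(300, "pass"),
]
```

A packet from the "evil" address is dropped by rule 100 under both models and never reaches natd, while an inside host's packet is dropped by rule 150 only under the re-run model.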