From owner-freebsd-questions Mon Sep 9 16:28:22 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5474137B400 for ; Mon, 9 Sep 2002 16:28:19 -0700 (PDT)
Received: from mta04bw.bigpond.com (mta04bw.bigpond.com [139.134.6.87]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3CBFC43E42 for ; Mon, 9 Sep 2002 16:28:18 -0700 (PDT) (envelope-from leighv@roq.com)
Received: from michael ([144.135.24.87]) by mta04bw.bigpond.com (Netscape Messaging Server 4.15 mta04bw May 23 2002 23:53:28) with SMTP id H272J400.BVK; Tue, 10 Sep 2002 09:28:16 +1000
Received: from CPE-144-132-88-24.vic.bigpond.net.au ([144.132.88.24]) by bwmam07.mailsvc.email.bigpond.com (MailRouter V3.0n 62/18784870); 10 Sep 2002 09:28:15
Message-ID: <003401c25858$9c91ea90$2d01a8c0@michael>
From: "Leigh V"
To: "Paulo Roberto" ,
References: <20020908163958.35715.qmail@web14912.mail.yahoo.com>
Subject: Re: simple questions about ipfw + natd rules
Date: Tue, 10 Sep 2002 09:28:32 +1000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

If you are having probs using natd and ipfw, you can alternatively try my IPfilter/IPnat setup script for FreeBSD. All you have to do is answer the 2 main questions (what are your internal and external NIC interfaces) and just hit enter for the rest of the questions for a basic firewall/NAT setup.

http://roq.com/bsd/

----- Original Message -----
From: "Paulo Roberto"
To:
Sent: Monday, September 09, 2002 2:39 AM
Subject: simple questions about ipfw + natd rules

> Hello,
>
> I am having some trouble trying to picture the ipfw+natd algorithm to
> implement my firewall rules.
>
> When I divert some packets to natd, natd then masqs them and resends
> them to the firewall rule number one, right? It does not get to the
> rule after the packet was diverted?
>
> So, in the same example, if I add a dynamic rule like "from me to any
> keep-state", this rule will apply to this packet after it was masqed,
> and when the response gets back it is accepted by a "check-state" rule,
> and then the "process owner" of this packet is *natd* and not the
> original address, right?
>
> So the same packet is delivered to natd, and then natd de-masqs it and
> _again_ puts it through the firewall rule number one (and so on...)?
>
> So, in one packet going out or in, it gets processed *two* times by all
> firewall rules (of course, first match wins...), is this correct?
>
> I am just concerned about the processing time of each packet and its
> delay time in a busy link.
>
> TIA
>
> PR
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
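The rule-walk Paulo asks about, as an added Python model (it is not FreeBSD code and not from either poster): it counts how many rules one packet actually touches when a divert rule hands it to natd and it re-enters at the following rule, and it contrasts the "divert first, keep-state after" ordering from the question with an ordering that records state on the pre-NAT addresses. The rule-tuple layout, the natd stub and the addresses are all constructed for this model.

```python
"""Toy model of ipfw rule processing around a natd divert rule (an added
example, not FreeBSD code). Per ipfw(8): rules are tried in number order
and the first terminal match wins; a packet natd rewrites re-enters at
the rule after the divert rule; check-state re-applies the action of the
rule that created the dynamic entry, in either direction of the flow."""
LAN, EXT, REMOTE = "192.168.1.10", "203.0.113.1", "198.51.100.5"  # constructed
ANY = lambda d, s, t: True
OUT, IN = (lambda d, s, t: d == "out"), (lambda d, s, t: d == "in")

def natd(src, dst):  # stand-in for natd: masquerade LAN, un-masquerade replies
    return (EXT, dst) if src == LAN else (src, LAN) if dst == EXT else (src, dst)

def run(rules, direction, src, dst, state):
    """Push one packet through `rules`; return (verdict, rules_checked).
    Rule = (number, action, keep_state, match); `state` maps a flow to
    the action of the rule that created it (what check-state re-applies)."""
    i = checked = 0
    while i < len(rules):
        _, action, keep, match = rules[i]
        i, checked = i + 1, checked + 1
        flow = frozenset((src, dst))
        if action == "check-state":
            if flow not in state:
                continue                   # no dynamic entry: next rule
            action, keep = state[flow], False
        elif not match(direction, src, dst):
            continue
        if keep:
            state[flow] = action           # keep-state: remember the flow
        if action == "divert":
            src, dst = natd(src, dst)      # natd rewrites, then the packet
            continue                       # re-enters at the next rule
        if action.startswith("skipto"):
            i = next(j for j, r in enumerate(rules) if r[0] >= int(action.split()[1]))
            continue
        return action, checked             # allow / deny is terminal
    return "deny", checked

# Ordering from the question: divert first, so keep-state records natd's
# address and the de-NATed reply never matches check-state.
NAT_FIRST = [(100, "divert", False, ANY), (200, "check-state", False, None),
             (300, "allow", True, OUT), (65535, "deny", False, ANY)]
# Key state on pre-NAT addresses instead: de-NAT inbound before check-state,
# record outbound state, then jump to the divert (FreeBSD Handbook style).
STATEFUL = [(50, "divert", False, IN), (100, "check-state", False, None),
            (200, "skipto 800", True, OUT), (300, "deny", False, IN),
            (800, "divert", False, OUT), (801, "allow", False, ANY),
            (65535, "deny", False, ANY)]

def session(rules):  # first outbound packet and its reply; (verdict, checks) each
    state = {}
    return run(rules, "out", LAN, REMOTE, state), run(rules, "in", REMOTE, EXT, state)
```

In neither ordering is the packet run through every rule twice; it resumes after the divert rule, and the difference that matters is which addresses the dynamic entry is keyed on.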