From owner-freebsd-net Tue Feb 4 6:53:33 2003
Date: Tue, 4 Feb 2003 16:52:52 +0200
From: Ruslan Ermilov
To: Emilian Ursu
Cc: Mikhail Teterin, Barry Irwin, net@freebsd.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <20030204145252.GC14893@sunbay.com>
References: <200302040540.h145evwa062764@corbulon.video-collage.com>

On Tue, Feb 04, 2003 at 08:00:46AM +0200, Emilian Ursu wrote:
>
> On Tue, 4 Feb 2003, Mikhail Teterin wrote:
>
> > > your best solution is to add a skipto before the divert rule.
> >
> > Thank you, Barry, but is not that what I'm doing in the sample?
> >
> > > You can therefore skip any traffic from a private address to another
> > > private address. Anything not matched by the skipto rule gets fed to
> > > the divert socket.
> >
> > The trick was to figure out what could be skipped, and what could not.
> > I'm wondering if I got that right -- it seems to work fine, but does it
> > leave something open? Before I can recommend it to others, I'd like to
> > be more sure :-)
> >
>
> see the example from man firewall
>

This still isn't perfect. In a situation with a single NIC serving both
internal and external traffic, I've found the following solution to be
superior: use a distinct IP address (it doesn't even have to be bound to
a local interface) that allows you to skip not only local->remote traffic,
but reply packets, i.e., it allows you to differentiate whether an incoming
(external) packet is for de-natting or not. As opposed to the firewall(7)
example, I usually implement a block with two "divert natd" rules (for
outgoing local and incoming external packets), and "skipto" this block
when appropriate.
Cheers,
--
Ruslan Ermilov          Sysadmin and DBA,
ru@sunbay.com           Sunbay Software AG,
ru@FreeBSD.org          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
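The "skipto into a two-rule natd block" layout Ruslan describes above, written out as an added example in the style of rc.firewall. This is not Ruslan's ruleset and not the firewall(7) example; the interface name fxp0, the internal network 192.168.1.0/24 and the NAT address 203.0.113.2 are constructed. It assumes natd is started with `-a 203.0.113.2` so that translated sessions use the distinct address, and that 203.0.113.2 is routed to this gateway (an interface alias, proxy ARP, or a static route on the upstream router), otherwise replies never arrive to be de-natted. By default the script only prints the ipfw commands so the ruleset can be reviewed; set fwcmd=/sbin/ipfw in the environment to apply them.

```shell
#!/bin/sh
# Added example (not from the original mail): an ipfw natd block reached via
# skipto, so that only local->remote packets and replies to the NAT address
# ever pass through natd. All addresses and the interface name are constructed.
fwcmd="${fwcmd:-echo /sbin/ipfw}"   # default: dry run, print the commands only

oif="fxp0"                # the single NIC carrying internal and external traffic (assumed)
int_net="192.168.1.0/24"  # internal RFC 1918 network behind the gateway (constructed)
nat_ip="203.0.113.2"      # distinct NAT address, matching "natd -a 203.0.113.2" (constructed)
natd_block=1000           # first rule number of the divert block

natd_rules() {
    # Outgoing packets from the internal net to anywhere outside it need
    # source translation: jump into the natd block.
    ${fwcmd} add 100 skipto ${natd_block} ip from ${int_net} to not ${int_net} out via ${oif}

    # Incoming packets addressed to the NAT address belong to translated
    # sessions and need de-natting. Packets for the gateway's own interface
    # address do not match here and therefore never reach natd.
    ${fwcmd} add 110 skipto ${natd_block} ip from any to ${nat_ip} in via ${oif}

    # Everything else (local<->local, traffic to/from the gateway itself)
    # bypasses natd. In a real ruleset the site's filtering rules go here
    # instead of a blanket allow.
    ${fwcmd} add 120 allow ip from any to any

    # The natd block. After natd reinjects a packet, ipfw resumes at the rule
    # following the divert rule: a translated outgoing packet is not "in", so
    # it falls through rule 1010 to the allow at 1020; a de-natted incoming
    # packet lands directly on 1020.
    ${fwcmd} add ${natd_block} divert natd ip from ${int_net} to any out via ${oif}
    ${fwcmd} add $((natd_block + 10)) divert natd ip from any to ${nat_ip} in via ${oif}
    ${fwcmd} add $((natd_block + 20)) allow ip from any to any
}

natd_rules
```

The point of the distinct address is rule 110: with natd aliasing to 203.0.113.2 rather than the interface address, an incoming packet for the gateway's own address (an ssh session to the box, for instance) is provably not a reply to a translated session and can skip the divert socket, while anything for 203.0.113.2 is guaranteed to be one. Keep the filtering rules that apply to de-natted packets after the divert rule, since that is where the packet carries its real internal destination.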