From owner-freebsd-questions Tue Oct 20 01:27:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id BAA21772 for freebsd-questions-outgoing; Tue, 20 Oct 1998 01:27:13 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from mail.bucknell.edu (marge.bucknell.edu [134.82.7.249]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id BAA21760 for ; Tue, 20 Oct 1998 01:27:09 -0700 (PDT) (envelope-from prigge@bucknell.edu)
Received: from prigge (prigge.resnet.bucknell.edu [134.82.115.40]) by mail.bucknell.edu (8.8.8/8.8.8) with SMTP id EAA26348; Tue, 20 Oct 1998 04:26:39 -0400 (EDT)
Message-ID: <08f401bdfc03$55aacbc0$28735286@prigge.resnet.bucknell.edu>
From: "Matt Prigge"
To: ,
Subject: Re: More IPFW/natd trouble, but I'm close!
Date: Tue, 20 Oct 1998 04:26:28 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3110.1
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I'm really not sure what you're asking. Basically everything has to get
filtered through natd before it can be run through the rest of the ipfw
rules. Some exceptions to this are the two loopback rules, simply because
they generally never involve either of your other network interfaces (could
be wrong here, but I don't think so). The basic rule is that you have natd
before you have _any_ "add pass" or "add allow" rules.

Hope that answered your question!

- Matt

-----Original Message-----
From: Dan Langille
To: Bryce Newall ; prigge@bucknell.edu
Cc: FreeBSD Questions List
Date: Tuesday, October 20, 1998 3:28 AM
Subject: Re: More IPFW/natd trouble, but I'm close!

> On Tue, 20 Oct 1998, Matt Prigge wrote:
>
> > line referencing natd is not early enough in rc.firewall. All of your
> > packets from the internal network are being forwarded before natd gets
> > to change their network numbers (and no sane internet router will pass
> > unregistered IP addresses). Try putting "ipfw add divert natd all from
> > any to any via vx0" right before "ipfw add 65000 pass all from any to
> > any".
>
> If I'm confused. Why does rc.firewall put such things at the start of
> the list if it's not intended to be there?
>
> --
> Dan Langille
> DVL Software Limited
> The FreeBSD Diary - my [mis]adventures
> http://www.FreeBSDDiary.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
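The ordering rule the thread settles on (the "divert natd" rule must come before any "pass"/"allow" rule, with the loopback rules as the only exception) is easy to get wrong when editing rc.firewall by hand. The script below is an added example, not code from the thread or from FreeBSD: it reads an ipfw rule list as text and reports whether a non-loopback pass rule sits ahead of the natd divert. The two rule lists are constructed for illustration; the interface name vx0 and the rule numbers are assumptions, and the check only inspects the text of the rules, it does not talk to the kernel.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a plain-text lint for the
# ipfw rule ordering the thread describes. It does not load rules; it only
# checks that "divert natd" precedes every "pass"/"allow" rule that is not a
# loopback rule. Interface name vx0 and rule numbers are assumptions.

# Reads ipfw rules (one per line) on stdin.
# Exit status 0: the natd divert comes before all non-loopback pass rules.
# Exit status 1: at least one non-loopback pass rule precedes the divert.
check_natd_order() {
    awk '
        BEGIN { seen_divert = 0; bad = 0 }
        /divert[[:space:]]+natd/ { seen_divert = 1; next }
        /[[:space:]](pass|allow|accept)[[:space:]]/ {
            # Loopback-only rules are exempt: they never touch the NAT interface.
            if ($0 ~ /lo0|127\.0\.0\.[0-9]+/) next
            if (!seen_divert) {
                bad = 1
                print "pass rule before natd divert: " $0
            }
        }
        END { exit bad }
    '
}

# Convenience wrapper: check a rule list held in a shell variable.
check_rules_text() {
    printf '%s\n' "$1" | check_natd_order
}

# Constructed rule list in the order the thread diagnoses as broken:
# internal packets are passed out (rule 300) before natd rewrites them.
BROKEN_RULES='add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 pass all from any to any
add 400 divert natd all from any to any via vx0
add 65000 pass all from any to any'

# Same rules with the divert moved ahead of every non-loopback pass rule.
FIXED_RULES='add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 divert natd all from any to any via vx0
add 400 pass all from any to any
add 65000 pass all from any to any'

# Stand-alone demonstration of both lists.
if check_rules_text "$FIXED_RULES"; then
    echo "fixed list: natd divert is ordered correctly"
fi
if check_rules_text "$BROKEN_RULES" >/dev/null; then
    echo "broken list: unexpectedly passed"
else
    echo "broken list: natd divert comes too late"
fi
```

The loopback exemption matches the two rules Matt mentions: a rule that only names lo0 or the 127.0.0.0/8 network can safely precede the divert, since that traffic never crosses the NAT interface. Any other pass rule before the divert means internal packets leave with unrewritten source addresses, which is the symptom the thread is chasing.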