From owner-freebsd-questions Tue Oct 20 02:35:23 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA26058 for freebsd-questions-outgoing; Tue, 20 Oct 1998 02:35:23 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from witch.xtra.co.nz (witch.xtra.co.nz [202.27.184.8]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA26052 for ; Tue, 20 Oct 1998 02:35:18 -0700 (PDT) (envelope-from junkmale@pop3.xtra.co.nz)
Received: from wocker (210-55-210-87.ipnets.xtra.co.nz [210.55.210.87]) by witch.xtra.co.nz (8.9.1/8.9.1) with SMTP id WAA15675; Tue, 20 Oct 1998 22:34:01 +1300 (NZDT)
Message-Id: <199810200934.WAA15675@witch.xtra.co.nz>
From: "Dan Langille"
Organization: DVL Software Limited
To: "Matt Prigge"
Date: Tue, 20 Oct 1998 22:34:15 +1300
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: More IPFW/natd trouble, but I'm close!
Reply-to: junkmale@xtra.co.nz
CC: FreeBSD Questions List
In-reply-to: <08f401bdfc03$55aacbc0$28735286@prigge.resnet.bucknell.edu>
X-mailer: Pegasus Mail for Win32 (v3.01b)
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

If I read this correctly, we have two conflicting views. One says do the
divert early. The other says do the divert late. I think we need more
views. I'm going to start a new topic because it's quite distinct.

On 20 Oct 98, at 4:26, Matt Prigge wrote:

> I'm really not sure what you're asking. Basically everything has to get
> filtered through natd before it can be run through the rest of the ipfw
> rules. Some exceptions to this are the two loopback rules simply because
> they generally never involve either of your other network interfaces
> (could be wrong here, but I don't think so). The basic rule is that you
> have natd before you have _any_ "add pass" or "add allow" rules. Hope
> that answered your question!
>
> - Matt
>
> -----Original Message-----
> From: Dan Langille
> To: Bryce Newall ; prigge@bucknell.edu
> Cc: FreeBSD Questions List
> Date: Tuesday, October 20, 1998 3:28 AM
> Subject: Re: More IPFW/natd trouble, but I'm close!
>
> > On Tue, 20 Oct 1998, Matt Prigge wrote:
> >
> > > line referencing natd is not early enough in rc.firewall. all of your
> > > packets from the internal network are being forwarded before natd gets
> > > to change their network numbers (and no sane internet router will pass
> > > unregistered ip addresses). try putting "ipfw add divert natd all from
> > > any to any via vx0" right before "ipfw add 65000 pass all from any to
> > > any". If
> >
> > I'm confused. Why does rc.firewall put such things at the start of the
> > list if it's not intended to be there?

--
Dan Langille
DVL Software Limited
The FreeBSD Diary - my [mis]adventures
http://www.FreeBSDDiary.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
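The ordering rule stated in the thread (the natd divert must come before any pass/allow rule, the two loopback rules excepted) can be checked mechanically rather than by eye. This is an added example, not code from the thread or from rc.firewall; it assumes rules arrive one per line in either `ipfw add ...` or `ipfw list` form, and the rule numbers and interface vx0 in the sample sets are constructed from what the thread mentions.

```shell
#!/bin/sh
# Added example, not from the thread: lint an ipfw rule list for the
# ordering rule discussed above. A "divert" (natd) rule must appear
# before any pass/allow rule, except the two loopback rules, which are
# exempt because they never carry traffic from the other interfaces.
#
# Input on stdin, one rule per line, either as "ipfw add ..." commands
# (rc.firewall style) or as "ipfw list" output.

# Exit 0 if a divert rule is present and precedes every non-loopback
# pass/allow rule; exit 1 and name the first offending rule otherwise.
natd_before_pass() {
    seen_divert=0
    while IFS= read -r line; do
        case "$line" in
            ''|\#*)              continue ;;      # blank line or comment
            *" divert "*)        seen_divert=1 ;; # the natd divert rule
            *" lo0"*|*127.0.0.*) continue ;;      # loopback rules are exempt
            *" pass "*|*" allow "*|*" accept "*)
                if [ "$seen_divert" -eq 0 ]; then
                    echo "pass rule ahead of divert natd: $line" >&2
                    return 1
                fi ;;
        esac
    done
    [ "$seen_divert" -eq 1 ]
}

# Constructed rule sets (rule numbers and vx0 as mentioned in the thread).
# Wrong: the catch-all pass at 65000 sits before the divert, so internal
# packets are forwarded with their unrewritten private addresses.
wrong_rules() {
    cat <<'EOF'
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add 65000 pass all from any to any
ipfw add divert natd all from any to any via vx0
EOF
}

# Right: the divert comes first, so natd rewrites before anything passes.
right_rules() {
    cat <<'EOF'
ipfw add 100 pass all from any to any via lo0
ipfw add 200 deny all from any to 127.0.0.0/8
ipfw add divert natd all from any to any via vx0
ipfw add 65000 pass all from any to any
EOF
}

# Demo: report the result for both constructed sets.
for rules in wrong_rules right_rules; do
    if $rules | natd_before_pass; then echo "$rules: ok"; else echo "$rules: BAD ordering"; fi
done
```

On a live system, pipe the output of `ipfw list` (or the `ipfw add` lines from rc.firewall) into `natd_before_pass` to check the ruleset as actually loaded.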