From owner-freebsd-questions Sat Dec 1 14:55:05 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from swan.prod.itd.earthlink.net (swan.mail.pas.earthlink.net [207.217.120.123]) by hub.freebsd.org (Postfix) with ESMTP id 5C1A437B419; Sat, 1 Dec 2001 14:54:58 -0800 (PST)
Received: from dialup-209.245.132.68.dial1.sanjose1.level3.net ([209.245.132.68] helo=blossom.cjclark.org) by swan.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16AJ24-0001Jx-00; Sat, 01 Dec 2001 14:54:52 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fB1Msj724219; Sat, 1 Dec 2001 14:54:45 -0800 (PST) (envelope-from cjc)
Date: Sat, 1 Dec 2001 14:54:41 -0800
From: "Crist J. Clark"
To: Sheldon Hearn
Cc: Nick Rogness, freebsd-questions@FreeBSD.ORG
Subject: Re: Diagrams on natd?
Message-ID: <20011201145441.H13613@blossom.cjclark.org>
References: <906.1006365980@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <906.1006365980@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Wed, Nov 21, 2001 at 08:06:20PM +0200
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Nov 21, 2001 at 08:06:20PM +0200, Sheldon Hearn wrote:
> 
> On Wed, 21 Nov 2001 11:17:26 CST, Nick Rogness wrote:
> 
> > I made an animated gif that steps through the nat process:
> > 
> > http://freebsd.rogness.net/redirect.cgi?basic/nat.html
> 
> Nice idea!
> 
> Thing is, I'm trying to get a better understanding of how natd interacts
> with IPFW. There's a LOT more going on than what's shown in your
> diagram.

The interaction between natd(8) and ipfw(8) is actually very simple. You
can think of it this way:

  1. ipfw(8) sends a packet that matches a divert(4) rule to natd(8).
  2. natd(8) does "something" with the packet.
  3. natd(8) writes the packet back to the firewall through the divert(4)
     mechanism.
  4. The packet, which may have been modified in step 2, continues through
     the ipfw(8) rules.

All very straightforward. Of course, that step 2 is a doozy. But step 2
all happens within natd(8) and really has nothing to do with ipfw(8).

As for the web page quoted above, it is a pretty good primer, but it
gives some bad advice in the last section. The example is how to block
incoming traffic on tcp/53. The example is bad for two reasons. First,
blocking tcp/53 breaks DNS. Second, you are better off doing this
_before_ the divert(4) rule. You are better off _blocking_ packets before
the divert(4) rule whenever possible. That is,

  # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0

would be the best way to go.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
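The four-step walk described in the reply, and the effect of placing the deny rule before or after the divert rule, can be modelled in a few lines. The following is an added example for this archive page, not code from the original mail or from FreeBSD: `natd(8)` is reduced to a single destination rewrite, the public address 20.30.40.51 and interface xl0 are taken from the message, and the rule numbers 50 and 60, the internal host 10.0.0.5 and the source 192.0.2.10 are constructed.

```python
"""Toy model of the ipfw(8)/natd(8) interaction: a packet walks the rule list
in number order, a matching divert rule hands it to natd() and the possibly
rewritten packet continues with the next rule (steps 1, 3 and 4 of the mail).
Added example; addresses other than 20.30.40.51 and rule numbers other than 40
are constructed, and natd() is a stand-in, not the real daemon.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str
    direction: str            # "in" or "out"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str               # "deny", "allow" or "divert"
    proto: str = "ip"         # "ip" matches any protocol, as in ipfw
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None
    iface: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == pkt.proto)
                and (self.dst == "any" or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.direction is None or self.direction == pkt.direction)
                and (self.iface is None or self.iface == pkt.iface))


# Step 2 of the mail, reduced to one redirect: inbound packets for the public
# address are rewritten to an internal host (constructed mapping).
REDIRECT = {("20.30.40.51", 53): ("10.0.0.5", 53)}


def natd(pkt: Packet) -> Packet:
    """Stand-in for natd(8): rewrite the destination if a redirect exists."""
    if pkt.direction == "in" and (pkt.dst, pkt.dport) in REDIRECT:
        new_dst, new_port = REDIRECT[(pkt.dst, pkt.dport)]
        return replace(pkt, dst=new_dst, dport=new_port)
    return pkt


def walk(rules: List[Rule], pkt: Packet) -> Tuple[str, int, Packet, int]:
    """Return (verdict, matching rule number, final packet, natd calls)."""
    natd_calls = 0
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)           # steps 1-3: out to natd and back
            natd_calls += 1
            continue                  # step 4: resume at the next rule
        return rule.action, rule.number, pkt, natd_calls
    raise RuntimeError("rule list must end in an allow or deny")


# The deny from the mail (rule 40), a divert on the outside interface, and the
# implicit default rule 65535 (set to allow here for illustration).
DENY_DNS = Rule(40, "deny", proto="tcp", dst="20.30.40.51", dport=53,
                direction="in", iface="xl0")
DIVERT = Rule(50, "divert", iface="xl0")
ALLOW_ALL = Rule(65535, "allow")

DENY_BEFORE_DIVERT = [DENY_DNS, DIVERT, ALLOW_ALL]
DENY_AFTER_DIVERT = [DIVERT, replace(DENY_DNS, number=60), ALLOW_ALL]

# Constructed inbound TCP packet to port 53 on the public address.
INBOUND_DNS = Packet("tcp", "192.0.2.10", "20.30.40.51", 53, "xl0", "in")

if __name__ == "__main__":
    for name, rules in (("deny before divert", DENY_BEFORE_DIVERT),
                        ("deny after divert", DENY_AFTER_DIVERT)):
        verdict, num, final, calls = walk(rules, INBOUND_DNS)
        print(f"{name}: {verdict} at rule {num}, natd called {calls}x, "
              f"final dst {final.dst}:{final.dport}")
```

With the deny placed first, the packet is dropped at rule 40 and natd is never consulted. With the same deny placed after the divert rule, natd has already rewritten the destination to the internal address by the time rule 60 is evaluated, so a rule written against the public address no longer matches and the packet falls through to the default rule. That is one concrete reason the reply recommends blocking before the divert(4) rule.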