From: Michael Sierchio <kudzu@tenebras.com>
Date: Tue, 04 Feb 2003 07:33:18 -0800
To: Mikhail Teterin
Cc: net@FreeBSD.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <3E3FDD3E.70609@tenebras.com>
In-Reply-To: <200302040027.30781@aldan>

Mikhail Teterin wrote:

> Does natd(8) really need to see _all_ packets?

Not at all, as you've guessed. Subtleties abound with stateful rules, and with side effects of using the divert mechanism, such as: after returning from natd, packets don't know which interface they came in on. Matching rules therefore becomes tricky. I manage to do without skipto rules; your kilometrage may vary.

Traffic that is destined to the host itself from the outside may be handled via rules that match before reaching the divert rule(s). Likewise, traffic that is between hosts on the local nets may be matched before nat'ing.