From owner-freebsd-questions Sat Dec 1 16:42:57 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from avocet.prod.itd.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50]) by hub.freebsd.org (Postfix) with ESMTP id 64FD237B417 for ; Sat, 1 Dec 2001 16:42:54 -0800 (PST)
Received: from dialup-209.245.132.68.dial1.sanjose1.level3.net ([209.245.132.68] helo=blossom.cjclark.org) by avocet.prod.itd.earthlink.net with esmtp (Exim 3.33 #1) id 16AKiP-00030R-00; Sat, 01 Dec 2001 16:42:45 -0800
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.3) id fB20g0N24554; Sat, 1 Dec 2001 16:42:00 -0800 (PST) (envelope-from cjc)
Date: Sat, 1 Dec 2001 16:41:55 -0800
From: "Crist J . Clark"
To: Nick Rogness
Cc: Sheldon Hearn , freebsd-questions@FreeBSD.ORG
Subject: Re: Diagrams on natd?
Message-ID: <20011201164155.L13613@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20011201145441.H13613@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from nick@rogness.net on Sat, Dec 01, 2001 at 06:23:21PM -0600
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, Dec 01, 2001 at 06:23:21PM -0600, Nick Rogness wrote:
> On Sat, 1 Dec 2001, Crist J . Clark wrote:
> 
> > On Wed, Nov 21, 2001 at 08:06:20PM +0200, Sheldon Hearn wrote:
> > > 
> > > On Wed, 21 Nov 2001 11:17:26 CST, Nick Rogness wrote:
> > > 
> > > > I made an animated gif that steps through the nat process:
> > > > 
> > > > http://freebsd.rogness.net/redirect.cgi?basic/nat.html
> > 
> > As for the web page quoted above, it is a pretty good primer, but it
> > gives some bad advice in the last section. The example is how to block
> > incoming traffic on tcp/53. The example is bad for two reasons. First,
> > blocking tcp/53 breaks DNS.
> 
> Only zone transfers. Which is what the example was intended to
> do.

This is a common misconception. Blocking 53/tcp breaks queries too, but
you don't see the problems it creates too frequently.

> > Second, you are better off doing this _before_ the divert(4) rule. You
> > are better off _blocking_ packets before the divert(4) rule whenever
> > possible. That is,
> > 
> >   # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0
> 
> I agree, however, that is OK if you know what your public IP
> is. In a natd-dynamic configuration. This was written just prior
> to the release of the "me" flag in ipfw (I Believe).

OK,

  # ipfw add 40 deny tcp from any to any 53 in via xl0

Is fine too.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
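The point both posters agree on is rule ordering: a deny on the outside interface has to be numbered below the divert(4) rule, otherwise natd rewrites the packet before ipfw gets a chance to drop it. The script below is an added example, not code from the thread or from FreeBSD: it holds two constructed rulesets in `ipfw add` form (one ordered as the reply recommends, one with the deny placed after the divert) and a small awk lint that reports any deny rule whose number is higher than the first divert rule. The interface name xl0 and the deny rule come from the thread; the natd divert port 8668 and the rule numbers 50 and 100 are assumptions. Nothing here calls ipfw itself, so it can be run anywhere to check a ruleset before loading it.

```shell
#!/bin/sh
# Added example (not from the thread): lint an ipfw ruleset so that every
# "deny" rule is numbered before the divert(4) rule that hands packets to
# natd. Interface xl0 is from the thread; port 8668 and the rule numbers
# are assumptions.

# Constructed ruleset ordered as the reply suggests: block first, divert second.
good_ruleset() {
    cat <<'EOF'
# drop inbound 53/tcp on the public side before natd sees it
ipfw add 40 deny tcp from any to any 53 in via xl0
ipfw add 50 divert 8668 ip from any to any via xl0
ipfw add 100 allow ip from any to any
EOF
}

# Constructed ruleset with the same deny placed after the divert rule.
bad_ruleset() {
    cat <<'EOF'
ipfw add 50 divert 8668 ip from any to any via xl0
ipfw add 60 deny tcp from any to any 53 in via xl0
ipfw add 100 allow ip from any to any
EOF
}

# Reduce each line to "NUMBER ACTION", accepting both the "ipfw add N ..."
# form typed at the shell and the "N action ..." form that "ipfw list" prints.
# Blank lines and comments are skipped.
_rule_fields() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 == "ipfw" && $2 == "add" { print $3, $4; next }
        { print $1, $2 }
    '
}

# Print the number of the first divert rule in the ruleset read from stdin.
divert_rule_number() {
    _rule_fields | awk '$2 == "divert" { print $1; exit }'
}

# Print the number of every deny rule that comes after the first divert rule.
# No output means the blocking rules run before natd, which is what we want.
deny_after_divert() {
    _rule_fields | awk '
        $2 == "divert" && d == "" { d = $1 + 0 }
        $2 == "deny" && d != "" && ($1 + 0) > d { print $1 }
    '
}

# Run the lint over both constructed rulesets.
for name in good_ruleset bad_ruleset; do
    late=$("$name" | deny_after_divert)
    if [ -z "$late" ]; then
        echo "$name: ok, deny rules precede divert rule $("$name" | divert_rule_number)"
    else
        echo "$name: deny rule(s) $late are numbered after the divert rule"
    fi
done
```

To check a real ruleset, feed `ipfw list` (or the rc file the rules are loaded from) into `deny_after_divert`; any number it prints is a rule that only fires after natd has already translated the packet. The lint only looks at the first divert rule, which matches the single-natd layout the thread discusses.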