From owner-freebsd-questions  Sat Dec  1 16:54:53 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83])
	by hub.freebsd.org (Postfix) with ESMTP id E651937B417
	for <freebsd-questions@FreeBSD.ORG>; Sat,  1 Dec 2001 16:54:46 -0800 (PST)
Received: from localhost (nick@localhost)
	by cody.jharris.com (8.11.1/8.9.3) with ESMTP id fB20sbr48955;
	Sat, 1 Dec 2001 18:54:37 -0600 (CST)
	(envelope-from nick@rogness.net)
Date: Sat, 1 Dec 2001 18:54:37 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
X-Sender: nick@cody.jharris.com
To: cjclark@alum.mit.edu
Cc: Sheldon Hearn <sheldonh@starjuice.net>,
	freebsd-questions@FreeBSD.ORG
Subject: Re: Diagrams on natd?
In-Reply-To: <20011201164155.L13613@blossom.cjclark.org>
Message-ID: <Pine.BSF.4.21.0112011847420.48587-100000@cody.jharris.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

On Sat, 1 Dec 2001, Crist J . Clark wrote:

> On Sat, Dec 01, 2001 at 06:23:21PM -0600, Nick Rogness wrote:
> > On Sat, 1 Dec 2001, Crist J . Clark wrote:
> > 

[SNIP]
> This is a common misconception. Blocking 53/tcp breaks queries too,
> but you don't see the problems it creates too frequently.

	Someone once mentioned that to me but I have never seen this
	behavior or read it anywhere (Oreilly,rev3).  Maybe you could
	explain.

> 
> > > Second, you are better off doing this
> > > _before_ the divert(4) rule. You are better off _blocking_ packets
> > > before the divert(4) rule whenever possible. That is,
> > > 
> > >   # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0
> > 
> > 	I agree, however,that is OK if you know what your public IP
> > 	is.  In a natd-dynamic configuration.  This was written just prior
> > 	to the release of the "me" flag in ipfw (I Believe).
> 
> OK,
> 
>   # ipfw add 40 deny tcp from any to any 53 in via xl0
> 
> Is fine too.
> -- 

	Yeh, It's been such a while, I'll have to make changes.  What's on
	that site is not exactly the way things should be done anymore.


Nick Rogness <nick@rogness.net>
 - Keep on Routing in a Free World...
  "FreeBSD: The Power to Serve!"


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message