Date:      Mon, 5 Jan 1998 22:44:37 -0500
From:      Charles Henrich <henrich@crh.cl.msu.edu>
To:        freebsd-questions@crh.cl.msu.edu
Subject:   A day in the life of a packet (NATD) ?
Message-ID:  <19980105224436.05995@crh.cl.msu.edu>
Resent-Message-ID: <199801060344.WAA16207@crh.cl.msu.edu>

Hi Guys, could someone out there who knows the FreeBSD internals write up a
quick "Day in the life of a packet" document for the NATD/IPFW case?  

Let me clearly display my ignorance by explaining what I think is going on as
a way of documenting what would be cool to have for inclusion into the FAQs
on NATD/FreeBSD.

Network:

10.0.0.0/8 --- ([ED1] FreeBSD Box [ED0]) --- The Internet

IPFW Rules (I'm creating these on the fly so they could be syntactically
incorrect, but I think the design is correct):

100 allow all from any to any via lo0
200 divert 6668 all from any to any via ed0
300 allow all from THISHOST to any
310 allow all from any to THISHOST
400 allow all from 10.1.0.0/16 to any
500 allow all from 10.0.0.0/8 to INETPROXY
510 allow all from INETPROXY to 10.0.0.0/8
6500 deny all from any to any

Netstat -r:
Destination        Gateway            Flags     Refs     Use     Netif Expire

default            MYINETIP           UGSc       31  6956351       ed0
10                 link#2             UC          0        0 
10.0.0.1           0:0:c0:e1:d0:5c    UHLW        0      196       lo0
10.255.255.255     ff:ff:ff:ff:ff:ff  UHLWb       0      107       ed1
localhost          localhost          UH         11     7600       lo0

A user on host 10.0.0.2 issues a ping for INETPROXY.  The ping packet is
picked up by interface ed1.  The packet is processed by (IPFW first?) which
tools on through the list of ipfw rules.  This packet is matched by rule 500, and
is then passed onto the (FreeBSD network core?) which decides the packet needs
to be routed through interface ed0 as the default gateway.  The packet is
again processed by the IPFW rules as it passes into ed0, this time rule 200
matches the packet.  NATD sees this is a packet destined for the internet
(HOW does it know??) and replaces 10.0.0.2 with MYINETIP.  Then the packet is
read back into the firewall code.  The packet then matches ruleset 300 and is
passed back to the FreeBSD network code, which sends it out ed0.

The ping reply is then processed inbound on ed0 by the ipfw rules.  Rule 200
again matches and the packet is sent to Natd which replaces the destination IP
with 10.0.0.2, and sends it back to the firewall code, which allows it to pass
on rule 510.  Then back to the FreeBSD network code, which determines the
packet needs to be sent out interface ed1... Back into the firewall rules,
again the packet is passed through based on rule 510.  Back into FreeBSD's
network code which burps the packet out ed1...

So, how much of this is correct, and how much is fantasy made to fit my
perception of reality? :) 

-Crh

       Charles Henrich     Michigan State University     henrich@msu.edu

                         http://pilot.msu.edu/~henrich



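The packet walk the message above asks about, as an added Python model written for this page; it is not FreeBSD's ipfw or natd code and not part of the original post. It transcribes the post's ruleset and routing table and assumes the following: ipfw evaluates the ruleset once on input and again on output, so a forwarded packet is checked twice (inbound on ed1, outbound on ed0); "via ed0" matches a packet travelling in either direction on ed0; after natd writes a diverted packet back, evaluation resumes at the rule after the divert rule, as divert(4) describes; and natd tells direction from the divert socket, where an outgoing packet carries source address 0.0.0.0 and an incoming one the receiving interface's address. The addresses standing in for MYINETIP, INETPROXY and THISHOST are constructed placeholders, and the natd stand-in aliases only ICMP echo, keyed on the echo id.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses for the post's MYINETIP, INETPROXY and THISHOST
IFACE_ADDR = {"ed0": "192.0.2.1", "ed1": "10.0.0.1", "lo0": "127.0.0.1"}
MYINETIP = IFACE_ADDR["ed0"]
INETPROXY = "198.51.100.7"
THISHOST = (IFACE_ADDR["ed0"], IFACE_ADDR["ed1"])   # the box's own addresses

# (number, action, from, to, via) transcribed from the post's ruleset;
# the divert port (6668) is the natd socket and is omitted from the model
RULES = [
    (100, "allow", "any", "any", "lo0"),
    (200, "divert", "any", "any", "ed0"),
    (300, "allow", THISHOST, "any", None),
    (310, "allow", "any", THISHOST, None),
    (400, "allow", "10.1.0.0/16", "any", None),
    (500, "allow", "10.0.0.0/8", INETPROXY, None),
    (510, "allow", INETPROXY, "10.0.0.0/8", None),
    (6500, "deny", "any", "any", None),
]


def addr_matches(addr, spec):
    """Rule operand: 'any', a host, a CIDR, or a tuple of those."""
    if spec == "any":
        return True
    if isinstance(spec, tuple):
        return any(addr_matches(addr, s) for s in spec)
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ident: int        # ICMP echo id; the natd stand-in keys its aliasing on it
    iface: str        # interface this pass through the ruleset happens on
    direction: str    # "in" or "out"


class Natd:
    """Minimal stand-in for natd's ICMP aliasing (assumed behaviour, not natd's code)."""

    def __init__(self, alias):
        self.alias = alias
        self.table = {}   # (remote host, ident) -> original private source

    def handle(self, pkt, divert_src):
        # Assumed divert(4) convention: source 0.0.0.0 means the packet is
        # outgoing; otherwise it came in on the interface with that address.
        if divert_src == "0.0.0.0":
            self.table[(pkt.dst, pkt.ident)] = pkt.src
            return replace(pkt, src=self.alias)
        orig = self.table.get((pkt.src, pkt.ident))
        return pkt if orig is None else replace(pkt, dst=orig)   # no mapping: untouched


def walk(pkt, natd, trace):
    """One pass through RULES. Appends (rule, action, src, dst) to trace and
    returns (verdict, rule number, possibly rewritten packet)."""
    for num, action, src, dst, via in RULES:
        if via is not None and via != pkt.iface:
            continue
        if not (addr_matches(pkt.src, src) and addr_matches(pkt.dst, dst)):
            continue
        if action == "divert":
            divert_src = "0.0.0.0" if pkt.direction == "out" else IFACE_ADDR[pkt.iface]
            pkt = natd.handle(pkt, divert_src)
            trace.append((num, "divert/natd", pkt.src, pkt.dst))
            continue   # assumed: evaluation resumes at the rule after the divert rule
        trace.append((num, action, pkt.src, pkt.dst))
        return action, num, pkt
    raise RuntimeError("ruleset fell off the end")


def route(dst):
    """Output interface per the post's routing table: 10/8 via ed1, default via ed0."""
    return "ed1" if addr_matches(dst, "10.0.0.0/8") else "ed0"


def forward(pkt, natd, trace):
    """Inbound pass, routing decision, outbound pass."""
    verdict, num, pkt = walk(pkt, natd, trace)
    if verdict != "allow":
        return verdict, num, pkt
    return walk(replace(pkt, iface=route(pkt.dst), direction="out"), natd, trace)


def trace_ping():
    """Echo request 10.0.0.2 -> INETPROXY and its reply, as in the post.
    Returns (trace, packet as sent on ed0, packet as delivered on ed1)."""
    natd, trace = Natd(MYINETIP), []
    request = Packet("10.0.0.2", INETPROXY, 0x1234, "ed1", "in")
    _, _, sent = forward(request, natd, trace)
    reply = Packet(INETPROXY, sent.src, sent.ident, "ed0", "in")
    _, _, delivered = forward(reply, natd, trace)
    return trace, sent, delivered


def trace_unsolicited():
    """A packet to MYINETIP with no natd mapping: natd passes it back untouched
    and rule 310 accepts it, because divert at 200 runs before 310 is reached."""
    natd, trace = Natd(MYINETIP), []
    stray = Packet("203.0.113.9", MYINETIP, 7, "ed0", "in")
    verdict, num, _ = walk(stray, natd, trace)
    return verdict, num


if __name__ == "__main__":
    trace, sent, delivered = trace_ping()
    for num, action, src, dst in trace:
        print(f"rule {num:>4} {action:<12} {src} -> {dst}")
    print("unsolicited packet to MYINETIP:", trace_unsolicited())
```

Under these assumptions the model reproduces the six rule hits the message guesses at (500, then 200 and 300 on the way out; 200, 510 and 510 on the way back), and shows the one detail the guess leaves open: the reply is addressed to MYINETIP when it arrives on ed0, so rule 200 diverts it to natd before rule 310 would ever see it. The same ordering means a packet to MYINETIP that natd has no mapping for comes back unchanged and is accepted by 310 as written.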