Date: Sat, 1 Dec 2001 23:57:18 -0600 (CST)
From: Nick Rogness <nick@rogness.net>
To: "Crist J . Clark" <cjc@FreeBSD.ORG>
Cc: Sheldon Hearn <sheldonh@starjuice.net>, freebsd-questions@FreeBSD.ORG
Subject: Re: Diagrams on natd?
Message-ID: <Pine.BSF.4.21.0112012327450.48587-100000@cody.jharris.com>
In-Reply-To: <20011201145441.H13613@blossom.cjclark.org>
On Sat, 1 Dec 2001, Crist J . Clark wrote:

> On Wed, Nov 21, 2001 at 08:06:20PM +0200, Sheldon Hearn wrote:
> >
> >
> > On Wed, 21 Nov 2001 11:17:26 CST, Nick Rogness wrote:
> >
> > > I made an animated gif that steps through the nat process:
> > >
> > > http://freebsd.rogness.net/redirect.cgi?basic/nat.html

[SNIP]

> As for the web page quoted above, it is a pretty good primer, but
> it gives some bad advice in the last section. The example is how to
> block incoming traffic on tcp/53. The example is bad for two
> reasons. First, blocking tcp/53 breaks DNS. Second, you are better off
> doing this _before_ the divert(4) rule. You are better off _blocking_
> packets before the divert(4) rule whenever possible. That is,
>
>   # ipfw add 40 deny tcp from any to 20.30.40.51 53 in via xl0

After looking it over, I realized why I wrote it the way I did. The
problem doesn't arise until you start allowing things before divert.
Denying doesn't seem to be a problem. Consider the following ruleset:

  ipfw add 40 allow tcp from any to 20.30.40.51 53 in via xl0
  ipfw add 45 deny ip from any to 20.30.40.51 in via xl0
  ipfw add 50 divert natd ip from any to any via xl0

Rule #50 in this case will not be hit. Now you don't really need rule 40
or 45 in order for it to work. But if you wanted to block all other
traffic from 20.30.40.51 (except tcp-53) before the divert rule you're
going to run into trouble. This is why I recommended firewalling on the
INSIDE address after nat is done. Especially on a -redirect_address'd
host, as all traffic is going to go to the INSIDE address.

Maybe a better solution would be (if you wanted to firewall on the
public address):

  ipfw add 40 skipto 50 tcp from any to 20.30.40.51 53 in via xl0
  ipfw add 45 deny tcp from any to 20.30.40.51 in via xl0
  ipfw add 50 divert natd ip from any to any via xl0

I guess it probably doesn't matter one way or the other. It's still
damn interesting to think about though.
Nick Rogness <nick@rogness.net>
 - Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
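As an added illustration of the ordering point argued in this thread (not code from the post or from FreeBSD), here is a small Python model of ipfw's first-match processing run over both rulesets from the message. It assumes simplified matching (protocol, destination address and port only; direction and interface are treated as fixed "in via xl0") and constructed sample packets.

```python
"""Toy model of ipfw first-match rule processing (constructed for this
example; it is not ipfw).  allow/deny terminate the search, divert
terminates by handing the packet to natd, and skipto N continues at the
first rule whose number is >= N.  Matching is limited to proto, dst and
dport; 'proto ip' matches any protocol."""

def rule(num, action, target=None, **match):
    return {"num": num, "action": action, "target": target, "match": match}

def matches(r, pkt):
    m = r["match"]
    if m.get("proto", "ip") != "ip" and m["proto"] != pkt["proto"]:
        return False
    if "dst" in m and m["dst"] != pkt["dst"]:
        return False
    if "dport" in m and m["dport"] != pkt["dport"]:
        return False
    return True

def run(ruleset, pkt):
    """Return (final action, list of rule numbers that matched)."""
    i, hits = 0, []
    while i < len(ruleset):
        r = ruleset[i]
        if not matches(r, pkt):
            i += 1
            continue
        hits.append(r["num"])
        if r["action"] == "skipto":
            i = next((j for j, s in enumerate(ruleset)
                      if s["num"] >= r["target"]), len(ruleset))
            continue
        return r["action"], hits
    return "deny", hits  # implicit default-deny at end of ruleset

def reaches_natd(ruleset, pkt):
    return run(ruleset, pkt)[0] == "divert"

# First ruleset from the message: 'allow' placed before the divert rule.
ALLOW_BEFORE_DIVERT = [
    rule(40, "allow", proto="tcp", dst="20.30.40.51", dport=53),
    rule(45, "deny", proto="ip", dst="20.30.40.51"),
    rule(50, "divert"),
]
# Second ruleset from the message: 'skipto 50' instead of 'allow'.
SKIPTO_TO_DIVERT = [
    rule(40, "skipto", target=50, proto="tcp", dst="20.30.40.51", dport=53),
    rule(45, "deny", proto="tcp", dst="20.30.40.51"),
    rule(50, "divert"),
]
# Constructed sample packets (all assumed inbound via xl0).
DNS_IN = {"proto": "tcp", "dst": "20.30.40.51", "dport": 53}
HTTP_IN = {"proto": "tcp", "dst": "20.30.40.51", "dport": 80}
OTHER_HOST = {"proto": "tcp", "dst": "20.30.40.52", "dport": 80}
```

With the first ruleset the DNS packet is accepted at rule 40 and never reaches natd, which is the "rule #50 will not be hit" problem; with skipto it lands on rule 50 and is diverted.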
