From owner-freebsd-questions Mon Jun 25 12:21:49 2001
Date: Mon, 25 Jun 2001 15:45:09 -0500 (CDT)
From: Nick Rogness
To: Tim Erlin
Cc: questions@FreeBSD.ORG
Subject: Re: ipfw -- fwd, divert, natd -redirect_port?
In-Reply-To: <20010625183512.91569.qmail@web11706.mail.yahoo.com>

On Mon, 25 Jun 2001, Tim Erlin wrote:

> So is there a distinction between adding a divert statement to my ipfw
> config and adding a -redirect_port statement to my natd config file?

Yeah, I did a poor job explaining that part.

natd is a userland daemon that runs separately from ipfw. The divert
ipfw statement is used to send packets between the kernel (ipfw) and
that natd daemon, which actually changes the src/dest and reinjects
back into the kernel (ipfw).

Maybe this will help:

1) Packet Processing processes firewall rules looking for match
2) Divert rule matched
   2.1) Kernel sends packet to port specified in divert rule
   2.2) natd, listening on that port (8668), receives packet
   2.3) natd makes changes to src/dest
   2.4) natd sends packet back to kernel
3) Packet processing continues AFTER the divert rule

It's actually more complicated than that, but you should get the
point that natd needs 'ipfw divert' to function properly.

Nick Rogness
 - Keep on Routing in a Free World...
   "FreeBSD: The Power to Serve!"
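The numbered flow in the reply above, as an added example that is not part of the original message and not FreeBSD code: a simplified Python model of rule processing, the divert hand-off to natd, and re-entry after the divert rule. The rule numbers, addresses and the redirect table are constructed for illustration; the model ignores state tracking and outbound aliasing.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def natd(pkt, redirects):
    """Userland step (2.2-2.4): rewrite the destination if a redirect entry matches."""
    target = redirects.get((pkt.proto, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt

def ipfw(pkt, rules, redirects, after=0, trace=None):
    """Walk rules in numeric order. A divert rule hands the packet to natd and
    processing resumes with the rule AFTER the divert rule (step 3)."""
    trace = [] if trace is None else trace
    for num, action, match in sorted(rules, key=lambda r: r[0]):
        if num <= after or not match(pkt):
            continue
        trace.append(num)
        if action == "divert":
            return ipfw(natd(pkt, redirects), rules, redirects, num, trace)
        return action, pkt, trace      # allow / deny ends the walk
    return "deny", pkt, trace          # assumption of this model: no match -> drop

# Constructed sample data: documentation addresses, hypothetical rule numbers.
# REDIRECTS stands in for a natd setting like: redirect_port tcp 192.168.0.2:80 80
REDIRECTS = {("tcp", 80): ("192.168.0.2", 80)}
RULES = [
    (100, "divert", lambda p: True),   # send everything to natd (port 8668)
    (200, "allow", lambda p: p.proto == "tcp" and p.dst == "192.168.0.2"
                             and p.dport == 80),
    (65535, "deny", lambda p: True),
]
INBOUND = Packet("tcp", "198.51.100.7", "203.0.113.1", 80)

def with_divert():
    return ipfw(INBOUND, RULES, REDIRECTS)

def without_divert():
    # Same natd configuration, but no divert rule: natd never sees the packet,
    # so the redirect has no effect and the allow rule never matches.
    return ipfw(INBOUND, [r for r in RULES if r[1] != "divert"], REDIRECTS)

if __name__ == "__main__":
    print(with_divert())
    print(without_divert())
```

With the divert rule present, the packet is rewritten by natd and then judged by rule 200 against its new destination; without it, the same redirect setting is inert.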