Date: Wed, 2 Oct 2002 08:16:23 -0700
From: Luigi Rizzo <rizzo@icir.org>
To: "Daniel C. Sobral" <dcs@tcoip.com.br>
Cc: Georg Graf <georg-ipfw@graf.priv.at>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: Natd plus statefull connections impossible?
Message-ID: <20021002081623.B23060@iguana.icir.org>
In-Reply-To: <3D9B0B6F.5020304@tcoip.com.br>; from dcs@tcoip.com.br on Wed, Oct 02, 2002 at 12:06:23PM -0300
References: <20021002115143.GA54827@graf.priv.at> <3D9B0B6F.5020304@tcoip.com.br>
On Wed, Oct 02, 2002 at 12:06:23PM -0300, Daniel C. Sobral wrote:
...
> For a long time, I also thought it was not possible. But, while working
> on another firewall, and trying to understand how NAT interacted with
> firewall rules (they were separated), it came to me that all rules
> applied to the real addresses, never their translation.

Actually, the last statement is not true in general (it may be true with
the specific rule organization that Daniel suggests below.) In general,
the addresses that the firewall sees depend on whether the packet is
checked before or after the packet is reinjected in the firewall after
going through the natd daemon.

cheers
luigi

>
> Requirements:
>
> 1) If the packet is outgoing (ie, will be natted on its way out), you
> want the NAT to be the last thing done.
>
> 2) If the packet is incoming (ie, will be "un-natted" on its way in),
> you want the NAT to be the first thing done.
...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
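As an added illustration of Luigi's point (this is not code from the thread or from ipfw itself), a small Python model of ipfw rule traversal around a `divert natd` rule: a stateful rule placed before the divert sees the real addresses, one placed after it sees the translated ones, and the outbound and inbound stateful rules only agree when they sit on the same side of the translation. All addresses and rule names are constructed, and the model goes beyond Daniel's layout by also exercising the mirror-image placement and the two mixed ones.

```python
"""Toy model of ipfw rule order around a 'divert natd' rule (constructed).
A divert rule hands the packet to natd and re-injects it at the next rule, so
rules before it see real addresses and rules after it see translated ones.
Terminal actions (allow/deny) are deliberately not modelled."""
from dataclasses import dataclass, replace

PRIVATE_HOST = "192.168.1.10"  # constructed LAN host behind the NAT box
PUBLIC_ADDR = "203.0.113.5"    # constructed external address of the NAT box
REMOTE = "198.51.100.7"        # constructed Internet peer

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out" or "in"

def natd(pkt: Packet) -> Packet:
    """Rewrite the source on the way out and the destination on the way in."""
    if pkt.direction == "out" and pkt.src == PRIVATE_HOST:
        return replace(pkt, src=PUBLIC_ADDR)
    if pkt.direction == "in" and pkt.dst == PUBLIC_ADDR:
        return replace(pkt, dst=PRIVATE_HOST)
    return pkt

def run(rules, pkt: Packet, state: set):
    """Walk the rules in order. 'keep-state' records the (src, dst) it sees;
    'check-state' tells whether the reversed pair it sees is in the table.
    Returns that verdict, or None if no check-state rule was reached."""
    for rule in rules:
        if rule == "divert natd":
            pkt = natd(pkt)  # packet comes back from natd at the next rule
        elif rule == "keep-state":
            state.add((pkt.src, pkt.dst))
        elif rule == "check-state":
            return (pkt.dst, pkt.src) in state
    return None

def reply_matches_state(out_rules, in_rules) -> bool:
    """Send one outbound packet, then its reply; does check-state match it?"""
    state = set()
    run(out_rules, Packet(PRIVATE_HOST, REMOTE, "out"), state)
    return bool(run(in_rules, Packet(REMOTE, PUBLIC_ADDR, "in"), state))

# Daniel's layout: NAT last on the way out, un-NAT first on the way in, so
# both stateful rules see the private address.
NAT_LAST_OUT = ["keep-state", "divert natd"]
UNNAT_FIRST_IN = ["divert natd", "check-state"]
# The mirror image keeps both stateful rules on the public side instead.
NAT_FIRST_OUT = ["divert natd", "keep-state"]
UNNAT_LAST_IN = ["check-state", "divert natd"]
```

Combining NAT_LAST_OUT with UNNAT_LAST_IN (or NAT_FIRST_OUT with UNNAT_FIRST_IN) makes the reply miss the state table, which is the case the thread is trying to avoid.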