From owner-freebsd-ipfw Wed Oct 2 8:16:26 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B095137B404 for ; Wed, 2 Oct 2002 08:16:24 -0700 (PDT)
Received: from iguana.icir.org (iguana.icir.org [192.150.187.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2718A43E6A for ; Wed, 2 Oct 2002 08:16:24 -0700 (PDT) (envelope-from rizzo@iguana.icir.org)
Received: from iguana.icir.org (localhost [127.0.0.1]) by iguana.icir.org (8.12.3/8.11.3) with ESMTP id g92FGNIb023265; Wed, 2 Oct 2002 08:16:23 -0700 (PDT) (envelope-from rizzo@iguana.icir.org)
Received: (from rizzo@localhost) by iguana.icir.org (8.12.3/8.12.3/Submit) id g92FGNY8023264; Wed, 2 Oct 2002 08:16:23 -0700 (PDT) (envelope-from rizzo)
Date: Wed, 2 Oct 2002 08:16:23 -0700
From: Luigi Rizzo
To: "Daniel C. Sobral"
Cc: Georg Graf , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Natd plus statefull connections impossible?
Message-ID: <20021002081623.B23060@iguana.icir.org>
References: <20021002115143.GA54827@graf.priv.at> <3D9B0B6F.5020304@tcoip.com.br>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <3D9B0B6F.5020304@tcoip.com.br>; from dcs@tcoip.com.br on Wed, Oct 02, 2002 at 12:06:23PM -0300
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.ORG

On Wed, Oct 02, 2002 at 12:06:23PM -0300, Daniel C. Sobral wrote:
...
> For a long time, I also thought it was not possible. But, while working
> on another firewall, and trying to understand how NAT interacted with
> firewall rules (they were separated), it came to me that all rules
> applied to the real addresses, never their translation.

Actually, the last statement is not true in general (it may be true with
the specific rule organization that Daniel suggests below.)

In general, the addresses that the firewall sees depend on whether the
packet is checked before or after the packet is reinjected in the
firewall after going through the natd daemon.

	cheers
	luigi

> > Requirements:
> >
> > 1) If the packet is outgoing (ie, will be natted on its way out), you
> > want the NAT to be the last thing done.
> >
> > 2) If the packet is incoming (ie, will be "un-natted" on its way in),
> > you want the NAT to be the first thing done.
...
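The point Luigi makes, that a rule sees either the real or the translated address depending on whether it sits before or after the divert rule, can be checked with a small model. The following Python is an added example written for this archive page; it is not FreeBSD code and not anything posted in the thread. It models a toy natd and an ipfw-style rule walker, then runs the same client session through two rulesets: one that meets the two quoted requirements (un-NAT first for incoming, NAT last for outgoing) and one with the divert placed first for both directions. To let an outgoing packet both create state and still reach the late divert rule, the first ruleset pairs keep-state with ipfw's skipto action, a mechanism the thread itself does not mention. All addresses, ports and rule numbers are constructed; the default action, the single external interface and the exact natd port allocation are simplifying assumptions.

```python
"""Toy model of an ipfw ruleset around 'divert natd' rules (constructed example, not FreeBSD code)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple
import ipaddress

PUBLIC_IP = "203.0.113.5"        # constructed external address of the NAT box
INSIDE_NET = "192.168.1.0/24"    # constructed inside network
FIRST_NAT_PORT = 40000           # port this toy natd hands to the first new flow (assumption)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str   # "out" = leaving via the external interface, "in" = arriving on it


class Natd:
    """Minimal natd: rewrite the source on the way out, the destination on the way in."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[int, Tuple[str, int]] = {}   # public port -> (inside ip, inside port)

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out":
            inside = (pkt.src, pkt.sport)
            for pub_port, mapped in self.table.items():
                if mapped == inside:             # reuse an existing mapping
                    return replace(pkt, src=self.public_ip, sport=pub_port)
            pub_port = FIRST_NAT_PORT + len(self.table)
            self.table[pub_port] = inside
            return replace(pkt, src=self.public_ip, sport=pub_port)
        mapped = self.table.get(pkt.dport)
        if mapped is None:
            return pkt                            # unknown flow: passed through unchanged
        return replace(pkt, dst=mapped[0], dport=mapped[1])


@dataclass
class Rule:
    num: int
    action: str                      # "divert", "allow", "deny", "check-state", "skipto"
    direction: Optional[str] = None  # None = both directions (ipfw "in"/"out")
    src_net: Optional[str] = None    # source must fall in this CIDR; None = "from any"
    keep_state: bool = False
    target: int = 0                  # skipto target rule number

    def matches(self, pkt: Packet) -> bool:
        if self.direction and self.direction != pkt.direction:
            return False
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], natd: Natd):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.natd = natd
        # dynamic rules: 4-tuple as seen by the creating rule -> that (parent) rule
        self.dynamic: Dict[Tuple[str, int, str, int], Rule] = {}

    def _state_parent(self, pkt: Packet) -> Optional[Rule]:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return self.dynamic.get(fwd) or self.dynamic.get(rev)

    def process(self, pkt: Packet):
        """Walk the ruleset once; return (verdict, trace), where trace records
        (rule number, source, destination) exactly as each rule saw the packet."""
        trace: List[Tuple[int, str, str]] = []
        i = 0
        while i < len(self.rules):
            rule, i = self.rules[i], i + 1
            trace.append((rule.num, pkt.src, pkt.dst))
            from_state = False
            if rule.action == "check-state":
                parent = self._state_parent(pkt)
                if parent is None:
                    continue
                rule, from_state = parent, True   # ipfw runs the parent rule's action
            elif not rule.matches(pkt):
                continue
            if rule.action == "divert":
                pkt = self.natd.translate(pkt)    # natd rewrites; ipfw reinjects at the NEXT rule
                continue
            if rule.keep_state and not from_state:
                self.dynamic.setdefault((pkt.src, pkt.sport, pkt.dst, pkt.dport), rule)
            if rule.action == "skipto":
                i = next((k for k, r in enumerate(self.rules) if r.num >= rule.target), len(self.rules))
                continue
            return rule.action, trace
        return "deny", trace                      # assumption: default-deny kernel


def natd_last_out_first_in() -> List[Rule]:
    """Ruleset honouring the two requirements quoted in the thread."""
    return [
        Rule(100, "divert", direction="in"),                  # 2) incoming: un-NAT first
        Rule(200, "check-state"),                             # now sees real inside addresses
        Rule(300, "skipto", "out", INSIDE_NET, keep_state=True, target=800),
        Rule(400, "deny"),
        Rule(800, "divert", direction="out"),                 # 1) outgoing: NAT last
        Rule(900, "allow"),
    ]


def natd_first_both_ways() -> List[Rule]:
    """Same filter rule, but the divert placed before everything for both directions."""
    return [
        Rule(100, "divert"),
        Rule(200, "check-state"),
        Rule(300, "skipto", "out", INSIDE_NET, keep_state=True, target=800),
        Rule(400, "deny"),
        Rule(800, "allow"),
    ]


def run_session(rules: List[Rule]):
    """One outbound SYN from an inside host, then the server's reply (both constructed)."""
    fw = Firewall(rules, Natd(PUBLIC_IP))
    syn = Packet("192.168.1.10", 51000, "198.51.100.7", 80, "out")
    reply = Packet("198.51.100.7", 80, PUBLIC_IP, FIRST_NAT_PORT, "in")
    return fw.process(syn), fw.process(reply)


if __name__ == "__main__":
    for name, rules in (("NAT last out / first in", natd_last_out_first_in()),
                        ("NAT first both ways", natd_first_both_ways())):
        for verdict, trace in run_session(rules):
            print(f"{name}: {verdict} {trace}")
```

In the first ruleset, rule 300 sees the real source 192.168.1.10 and creates state on it, rule 900 sees the translated 203.0.113.5, and the reply is un-NATed by rule 100 before check-state compares it against that state, so both packets are allowed. In the second ruleset the divert runs first, rule 300 is evaluated against 203.0.113.5, its "from 192.168.1.0/24" clause never matches, and the outbound packet falls through to the deny: the same rule, seeing a different address purely because of where it sits relative to the divert.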