Date: Tue, 11 Aug 1998 16:02:15 -0700 (PDT)
From: Julian Elischer
To: Dan Langille
cc: FreeBSD Questions
Subject: Re: ipfw and natd
In-Reply-To: <199808112247.KAA07516@cyclops.xtra.co.nz>

the difference is what happens to packets after translation....
under 2.2.5 they are restarted after translation at the beginning of the
filter again, but skipping the translation the second time through.

under 3.0 they re-enter the filter directly after the translation entry.
(where they left off)

if the translation entry is at the start, then the two cases are
equivalent.. :-)

(there is a kernel option in 2.2.7 to make it use the 3.0 semantics)

julian

On Wed, 12 Aug 1998, Dan Langille wrote:

> Thanks for the reply.
>
> I take it that it does not make a difference under 2.2.5 or later? If it
> does, what difference? What difference will it make under 3.0?
>
> On 11 Aug 98, at 15:38, Julian Elischer wrote:
>
> > it should be as early as possible..
> > this will make a difference to the way it works in 3.0
> >
> > julian
> >
> >
> > On Tue, 11 Aug 1998, Dan Langille wrote:
> >
> > > I'm using ipfw and natd. In order for natd to work, the following rule
> > > must be present somewhere within the ipfw rules.
> > >
> > > divert natd ip from any to any via ed0
> > >
> > > (or whatever your external nic is if it's not ed0).
> > >
> > > Where should that rule be placed in relationship to other rules? At the
> > > top, at the bottom?
> > >
> > > I used to have it as the last rule (before the deny all rule). But an
> > > example I just found
> > > (http://www.metronet.com/~pgilley/freebsd/ipfw/ben2.html) has this rule
> > > at the top.
> > >
> > > I'm confused. I thought you'd want to disallow stuff before allowing
> > > the natd stuff. Or am I mucked up?
> > >
> > > --
> > > Dan Langille
> > > DVL Software Limited
> > > http://www.dvl-software.com/freebsd : my [mis]adventures
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of the message
> > >
> >
> >
>
> --
> Dan Langille
> DVL Software Limited
> http://www.dvl-software.com/freebsd : my [mis]adventures
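
Added example, not part of the original thread and not FreeBSD code: a small Python model of the two re-entry behaviours described in the reply above, run over a constructed rule set in which the divert rule sits after an address-based deny rule. The rule numbers, addresses, the `natd` stand-in and the `evaluate` helper are all assumptions made for illustration.

```python
import ipaddress

# Constructed rule set (number, action, src, dst); every packet is assumed
# to be on the external interface, so "via ed0" is implied.
DIVERT_LATE = [
    (100, "deny", "any", "192.168.0.0/16"),  # no private destinations from outside
    (200, "divert", "any", "any"),           # hand the packet to natd
    (300, "allow", "any", "192.168.1.10"),   # inside host (constructed address)
    (65535, "deny", "any", "any"),
]
# Same rules with the divert entry moved to the start of the list.
DIVERT_FIRST = [(50, "divert", "any", "any")] + [r for r in DIVERT_LATE if r[1] != "divert"]

def matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def natd(pkt):
    # Stand-in for natd: inbound packets to the public address are redirected
    # to the inside host. Both addresses are constructed.
    if pkt["dst"] == "198.51.100.1":
        return dict(pkt, dst="192.168.1.10")
    return pkt

def evaluate(rules, pkt, semantics):
    """semantics: 'restart' (2.2.5 as described above) or 'resume' (3.0).
    Returns (verdict, list of rule numbers that acted on the packet)."""
    i, diverted, trace = 0, False, []
    while i < len(rules):
        num, action, src, dst = rules[i]
        if matches(src, pkt["src"]) and matches(dst, pkt["dst"]):
            if action != "divert":
                return action, trace + [num]
            if not diverted:  # translation happens only once
                diverted, pkt = True, natd(pkt)
                trace.append(num)
                # restart: back to the first rule; resume: rule after the divert
                i = 0 if semantics == "restart" else i + 1
                continue
        i += 1
    return "deny", trace

INBOUND = {"src": "203.0.113.5", "dst": "198.51.100.1"}  # constructed packet

if __name__ == "__main__":
    for name, rules in (("divert late", DIVERT_LATE), ("divert first", DIVERT_FIRST)):
        for sem in ("restart", "resume"):
            print(name, sem, evaluate(rules, dict(INBOUND), sem))
```

With the divert rule late, the translated packet is checked against rule 100 only under the restart behaviour, so the same rule set gives different verdicts; with the divert rule first, both behaviours apply every later rule to the translated packet and agree.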