Date:      Wed, 02 Oct 2002 13:49:59 -0300
From:      "Daniel C. Sobral" <dcs@tcoip.com.br>
To:        Luigi Rizzo <rizzo@icir.org>
Cc:        Georg Graf <georg-ipfw@graf.priv.at>, freebsd-ipfw@FreeBSD.ORG
Subject:   Re: Natd plus statefull connections impossible?
Message-ID:  <3D9B23B7.1000906@tcoip.com.br>
References:  <20021002115143.GA54827@graf.priv.at> <3D9B0B6F.5020304@tcoip.com.br> <20021002081623.B23060@iguana.icir.org>

Luigi Rizzo wrote:
> On Wed, Oct 02, 2002 at 12:06:23PM -0300, Daniel C. Sobral wrote:
> ...
> 
>>For a long time, I also thought it was not possible. But, while working 
>>on another firewall, and trying to understand how NAT interacted with 
>>firewall rules (they were separated), it came to me that all rules 
>>applied to the real addresses, never their translation.
> 
> 
> Actually, the last statement is not true in general (it
> may be true with the specific rule organization that Daniel
> suggests below.)
> In general, the addresses that the firewall sees depend on whether
> the packet is checked before or after the packet is reinjected in the
> firewall after going through the natd daemon.

Sorry if I didn't make it clear. I was trying to understand how ANOTHER 
kind of firewall worked, and in THAT firewall, nat was not done by 
firewall rules, but as a separate function in the packet routing. What I 
suggested here was how to simulate that behavior.

> 
> 	cheers
> 	luigi
> 
> 
>>Requirements:
>>
>>1) If the packet is outgoing (i.e., will be natted on its way out), you 
>>want the NAT to be the last thing done.
>>
>>2) If the packet is incoming (i.e., will be "un-natted" on its way in), 
>>you want the NAT to be the first thing done.
> 
> ...


-- 
Daniel C. Sobral                   (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904
E-mail: Daniel.Capo@tco.net.br
         Daniel.Sobral@tcoip.com.br
         dcs@tcoip.com.br

Outros:
	dcs@newsguy.com
	dcs@freebsd.org
	capo@notorious.bsdconspiracy.net

Progress is impossible without change, and those who
cannot change their minds cannot change anything.
		-- G.B. Shaw
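An added illustration of the two ordering requirements quoted above. This is editorial example code, not a ruleset from either poster (Daniel's actual rule organization is elided in the quote). It assumes a hypothetical external interface "ext0" and LAN 192.168.1.0/24, and uses the classic ipfw layout of a "skipto" into the outbound divert rule. It relies on two documented ipfw behaviours: natd reinjects a packet at the rule after the divert that sent it, and a dynamic rule matched by check-state performs the action of the rule that created it.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster: an ipfw
# ruleset skeleton that satisfies the two quoted requirements. Hypothetical
# values: external interface "ext0", internal network 192.168.1.0/24.

EXT_IF="${EXT_IF:-ext0}"               # assumed external interface
INT_NET="${INT_NET:-192.168.1.0/24}"   # assumed LAN (real, untranslated) addresses

# Print the ruleset, one "ipfw add" argument list per line, in rule-number order.
gen_rules() {
    # Requirement 2: incoming packets are un-natted FIRST, so every later rule
    # (including check-state) matches on the real internal address.
    echo "100 divert natd ip from any to any in via $EXT_IF"
    # Dynamic rules were keyed on real addresses, so the un-natted reply
    # matches here; the matched dynamic rule performs its parent's action,
    # i.e. skipto 800, which jumps past the deny at 500.
    echo "101 check-state"
    # Outbound LAN traffic: record state on the real addresses, then jump to
    # the NAT rule instead of "allow" (allow would end processing before NAT).
    echo "110 skipto 800 ip from $INT_NET to any out via $EXT_IF keep-state"
    # Anything that reached this point was neither stateful nor permitted.
    echo "500 deny ip from any to any"
    # Requirement 1: outgoing packets are natted LAST. natd reinjects the
    # translated packet at the rule following the divert, so 801 passes it;
    # 801 also passes un-natted replies sent here by check-state.
    echo "800 divert natd ip from any to any out via $EXT_IF"
    echo "801 allow ip from any to any"
}

# First rule number whose text matches the given pattern (used to audit the
# ordering before loading the rules).
rule_num() {
    gen_rules | grep -- "$1" | head -n 1 | awk '{print $1}'
}

if [ "${APPLY:-0}" = "1" ]; then
    # Load the ruleset for real (requires root and a kernel with divert sockets).
    ipfw -q -f flush
    gen_rules | while read -r line; do ipfw -q add $line; done
else
    # Dry run: show the commands that would be executed.
    gen_rules | sed 's/^/ipfw add /'
fi
```

Run without arguments to see the commands; set APPLY=1 to load them. Rule 110 stands in for the per-service rules a real firewall would carry; rule 801 is deliberately broad because everything that reaches it has either just been natted or was already matched by a dynamic rule.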

