From owner-freebsd-ipfw Wed Oct 2 9:51:19 2002
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47C9937B401 for ; Wed, 2 Oct 2002 09:51:17 -0700 (PDT)
Received: from mail.tcoip.com.br (erato.tco.net.br [200.220.254.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 029EC43E77 for ; Wed, 2 Oct 2002 09:51:15 -0700 (PDT) (envelope-from dcs@tcoip.com.br)
Received: from tcoip.com.br ([10.0.2.6]) by mail.tcoip.com.br (8.11.6/8.11.6) with ESMTP id g92Go0x21682; Wed, 2 Oct 2002 13:50:00 -0300
Message-ID: <3D9B23B7.1000906@tcoip.com.br>
Date: Wed, 02 Oct 2002 13:49:59 -0300
From: "Daniel C. Sobral"
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20020905
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Luigi Rizzo
Cc: Georg Graf , freebsd-ipfw@FreeBSD.ORG
Subject: Re: Natd plus statefull connections impossible?
References: <20021002115143.GA54827@graf.priv.at> <3D9B0B6F.5020304@tcoip.com.br> <20021002081623.B23060@iguana.icir.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Luigi Rizzo wrote:
> On Wed, Oct 02, 2002 at 12:06:23PM -0300, Daniel C. Sobral wrote:
> ...
>
>> For a long time, I also thought it was not possible. But, while working
>> on another firewall, and trying to understand how NAT interacted with
>> firewall rules (they were separated), it came to me that all rules
>> applied to the real addresses, never their translation.
>
> Actually, the last statement is not true in general (it
> may be true with the specific rule organization that Daniel
> suggests below.)
> In general, the addresses that the firewall sees depend on whether
> the packet is checked before or after the packet is reinjected in the
> firewall after going through the natd daemon.

Sorry if I didn't make it clear. I was trying to understand how ANOTHER
kind of firewall worked, and in THAT firewall, NAT was not done by
firewall rules, but as a separate function in the packet routing. What I
suggested here was how to simulate that behavior.

> cheers
> luigi
>
>> Requirements:
>>
>> 1) If the packet is outgoing (i.e., will be natted on its way out), you
>> want the NAT to be the last thing done.
>>
>> 2) If the packet is incoming (i.e., will be "un-natted" on its way in),
>> you want the NAT to be the first thing done.
>
> ...

-- 
Daniel C. Sobral (8-DCS)
Gerencia de Operacoes
Divisao de Comunicacao de Dados
Coordenacao de Seguranca
TCO
Fones: 55-61-313-7654/Cel: 55-61-9618-0904

E-mail:
Daniel.Capo@tco.net.br
Daniel.Sobral@tcoip.com.br
dcs@tcoip.com.br

Outros:
dcs@newsguy.com
dcs@freebsd.org
capo@notorious.bsdconspiracy.net

Progress is impossible without change, and those who cannot change their
minds cannot change anything.
-- G.B. Shaw

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
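The two ordering requirements quoted in the message above, written out as one ipfw ruleset. This is an added example, not a ruleset posted in this thread and not FreeBSD's own rc.firewall: the interface names fxp0 and xl0 and the inside network 192.168.1.0/24 are assumed, and the script assumes ipfw2 semantics (FreeBSD 4.7 and later), where a packet reinjected by natd re-enters the firewall at the rule after the divert rule and a dynamic rule created by keep-state executes its parent rule's action, including skipto. By default the script only prints the commands; set IPFW=/sbin/ipfw to load them on a real gateway.

```shell
#!/bin/sh
# Added example: natd + stateful ipfw rules, with NAT done first on the way
# in and last on the way out. Interface and network names are assumptions.
OIF="${OIF:-fxp0}"               # outside interface that natd translates on
IIF="${IIF:-xl0}"                # inside interface
INNER="${INNER:-192.168.1.0/24}" # real (untranslated) inside network
# Dry run by default: prints the ipfw commands. Set IPFW=/sbin/ipfw to load.
IPFW="${IPFW:-echo ipfw}"
# natd must already be running on the outside interface and listening on the
# default divert port "natd" (8668/divert in /etc/services):  natd -n "$OIF"

nat_ruleset() {
    $IPFW -f flush
    $IPFW add 50 allow ip from any to any via lo0
    $IPFW add 60 allow ip from any to any via "$IIF"

    # Requirement 2: a packet arriving on the outside interface is un-NATted
    # before anything else looks at it. natd reinjects it at rule 200, so every
    # rule from there on sees the real inside address, never the translation.
    $IPFW add 100 divert natd ip from any to any in via "$OIF"

    # Stateful matching on real addresses. The parent rules use skipto 900
    # rather than allow: allow is terminal and would let an outgoing packet out
    # untranslated before it ever reached the divert rule at 900.
    $IPFW add 200 check-state
    $IPFW add 300 skipto 900 tcp from "$INNER" to any out via "$OIF" setup keep-state
    $IPFW add 310 skipto 900 udp from "$INNER" to any out via "$OIF" keep-state

    # Unsolicited inbound traffic (already un-NATted, no dynamic rule) stops here.
    $IPFW add 400 deny tcp from any to any in via "$OIF" setup
    $IPFW add 410 deny udp from any to any in via "$OIF"

    # Requirement 1: NAT is the last thing done to an outgoing packet. natd
    # reinjects the translated packet at 910, which lets it out. Inbound
    # replies that skipto 900 do not match "out via" and fall through to 910.
    $IPFW add 900 divert natd ip from any to any out via "$OIF"
    $IPFW add 910 allow ip from any to any

    $IPFW add 65000 deny ip from any to any
}

nat_ruleset
```

Walk a connection through it: the first outgoing SYN from an inside host matches rule 300, which creates the dynamic rule on the inside address, jumps to 900, is translated, and leaves via 910. The reply arrives in via fxp0, is un-NATted at 100 back to the inside address, matches the dynamic rule at 200, jumps to 900 (no match, wrong direction) and is allowed at 910. An inbound SYN with no state reaches 400 and is dropped. If you load this with IPFW=/sbin/ipfw, `ipfw -d list` shows the dynamic rules keyed on the untranslated inside addresses, which is the point Daniel is making.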