From owner-freebsd-net Sun Jan 13 23:25:53 2002
Date: Sun, 13 Jan 2002 23:25:41 -0800
From: "Crist J . Clark"
To: Andreas Klemm
Cc: freebsd-net@FreeBSD.ORG
Subject: Re: FIREWALL_FORWARD vs. using /sbin/natd ?
Message-ID: <20020113232541.E24290@blossom.cjclark.org>
References: <20020113105636.GA88221@titan.klemm.gtn.com>
In-Reply-To: <20020113105636.GA88221@titan.klemm.gtn.com>; from andreas@FreeBSD.ORG on Sun, Jan 13, 2002 at 11:56:36AM +0100
X-URL: http://people.freebsd.org/~cjc/

On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> I found a document describing a firewall design only using natd
> for redirects to internal network resources. (Hi Marshall, therefore
> Cc: to you, since it's yours and I have a question).
>
> http://www.rootprompt.net/freebsd_firewall.html
>
> Based on this information I think I could get rid of natd entirely.

Why do you say that? His example uses natd(8).

> See my previous mail, my problem was that I can't get it to run
> for a typical 2 NIC configuration with internal network, DMZ and
> a router in front of a 512k leased line.

You didn't include your firewall rules.

> Or is this my NAT problem, that additionally I have to use the kernel
> option FIREWALL_FORWARD,

You don't need it.

> to get NAT for internal users running,
> though all other documents state out, that only IPFIREWALL and
> IPDIVERT are needed ???

But it shouldn't cause problems.

> Therefore the question, is using FIREWALL_FORWARD a good
> replacement for /sbin/natd if you want to give users of
> the internal network access to the outside world ?

FIREWALL_FORWARD has nothing to do with NAT.

> Are there some things to take care of, when using FIREWALL_FORWARD ?

Yes, but nothing to do with NAT.

> Does the logic for firewall rules change, or could I still use the
> templates in /etc/rc.firewall ???

For what?

-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark                     | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
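An added example, not part of this thread or of /etc/rc.firewall: an rc.firewall-style ipfw ruleset for the setup Andreas describes (internal LAN and DMZ behind one box, router on the outside) where NAT is done entirely by natd(8) through an IPDIVERT rule, with no fwd rule and therefore no need for IPFIREWALL_FORWARD. Interface names, addresses and the `check_no_fwd` helper are assumptions; run it with `fwcmd=echo` or `dry-run` to see the rules without loading them.

```sh
#!/bin/sh
# Added example (not from the thread): natd-only NAT for a LAN + DMZ box.
# All interface names and addresses are constructed placeholders.
fwcmd="${fwcmd:-/sbin/ipfw}"         # set fwcmd=echo for a dry run
oif="${oif:-fxp0}"                   # outside interface, towards the router
inet="${inet:-192.168.1.0/24}"       # internal LAN (constructed)
dmz="${dmz:-192.168.2.0/24}"         # DMZ network (constructed)
dmzweb="${dmzweb:-192.168.2.10}"     # DMZ web server (constructed)

natd_rules() {
    "$fwcmd" -f flush
    # Loopback sanity and anti-spoofing: our own ranges never arrive from outside.
    "$fwcmd" add 100 allow all from any to any via lo0
    "$fwcmd" add 110 deny all from any to 127.0.0.0/8
    "$fwcmd" add 120 deny all from "$inet" to any in via "$oif"
    "$fwcmd" add 130 deny all from "$dmz" to any in via "$oif"
    # NAT: every packet crossing the outside interface is handed to natd(8).
    # IPDIVERT is the only kernel support this needs; nothing here uses fwd.
    # natd runs separately, e.g.: natd -n $oif -redirect_port tcp $dmzweb:80 80
    "$fwcmd" add 200 divert natd all from any to any via "$oif"
    # From here on addresses are already translated: outbound packets carry
    # the outside address, redirected inbound ones carry the DMZ address.
    "$fwcmd" add 300 allow tcp from any to any established
    "$fwcmd" add 310 allow all from any to any frag
    # Inbound: only the published DMZ service; log and drop other new
    # connections from outside before the general outbound allow below.
    "$fwcmd" add 400 allow tcp from any to "$dmzweb" 80 in via "$oif" setup
    "$fwcmd" add 410 deny log tcp from any to any in via "$oif" setup
    "$fwcmd" add 500 allow tcp from any to any setup
    "$fwcmd" add 510 allow udp from any to any 53
    "$fwcmd" add 520 allow udp from any 53 to any
    "$fwcmd" add 65000 deny log all from any to any
}

# Assumed helper: dry-run the rules and confirm NAT is done by a divert rule
# alone (no fwd rule anywhere), i.e. IPFIREWALL_FORWARD is not involved.
check_no_fwd() {
    rules=$(fwcmd=echo; natd_rules)
    echo "$rules" | grep -q ' divert natd ' || return 1
    echo "$rules" | grep -q ' fwd ' && return 1
    return 0
}

case "${1:-}" in
    apply)   natd_rules ;;
    dry-run) fwcmd=echo; natd_rules ;;
esac
```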