From owner-freebsd-questions Tue Dec 4 0:17: 3 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 1FBDD37B405 for ; Tue, 4 Dec 2001 00:17:00 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16BAmi-0003Ua-00 for freebsd-questions@FreeBSD.org; Tue, 04 Dec 2001 10:18:36 +0200
From: Sheldon Hearn
To: freebsd-questions@FreeBSD.org
Subject: ipnat & ipfirewall ordering
Date: Tue, 04 Dec 2001 10:18:36 +0200
Message-ID: <13427.1007453916@axl.seasidesoftware.co.za>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Hi folks,

I'm migrating a firewall from natd to ipnat. I would like to continue using ipfirewall for packet filtering at this stage. Baby steps.

It looks to me like the order in which things happen is:

    ipfilter   (Allow all)
    ipnat      (1:1 bimaps)
    ipfirewall (Actual packet filtering)

This means that I need to change all my ipfirewall rules to use the nat'd (private) addresses of protected hosts, rather than the real (public) addresses as I did things before.

Am I correct about the order in which things are happening? Do I really need to change all my ipfirewall rules, or is there a trick to having ipfirewall processing done _before_ ipnat processing?

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
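The consequence Sheldon describes (filter rules written against public addresses stop matching once a 1:1 bimap runs ahead of the filter) is easy to see in a small model of the pipeline. The following Python is an added illustration, not code from the post or from FreeBSD; it models only the order the post lists (ipfilter pass-through, then ipnat bimap, then ipfirewall first-match rules) and does not claim to reproduce the kernel's actual hook order. The addresses, the bimap entry and the rulesets are constructed from documentation ranges and are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    """Minimal packet view: just the fields the model's rules inspect."""
    src: str
    dst: str
    proto: str
    dport: int
    direction: str  # "in" (from the public side) or "out" (towards it)

# Constructed 1:1 bimap table (public address <-> protected host's private address).
# Assumption for illustration only; real entries would live in ipnat.conf.
BIMAP_PUB_TO_PRIV = {"203.0.113.10": "10.0.0.10"}
BIMAP_PRIV_TO_PUB = {priv: pub for pub, priv in BIMAP_PUB_TO_PRIV.items()}

def ipfilter_allow_all(pkt: Packet) -> Packet:
    """Stage 1 in the post: an ipfilter ruleset that passes everything unchanged."""
    return pkt

def ipnat_bimap(pkt: Packet) -> Packet:
    """Stage 2: model of a 1:1 bimap. Inbound packets get their public destination
    rewritten to the private address; outbound packets get the reverse on the source."""
    if pkt.direction == "in" and pkt.dst in BIMAP_PUB_TO_PRIV:
        return replace(pkt, dst=BIMAP_PUB_TO_PRIV[pkt.dst])
    if pkt.direction == "out" and pkt.src in BIMAP_PRIV_TO_PUB:
        return replace(pkt, src=BIMAP_PRIV_TO_PUB[pkt.src])
    return pkt

# A rule is (action, proto, dst, dport, direction); "any"/None act as wildcards.
Rule = tuple

def ipfw_filter(pkt: Packet, rules: list[Rule]) -> str:
    """Stage 3: ipfw-style first-match evaluation with an implicit default deny."""
    for action, proto, dst, dport, direction in rules:
        if (proto in ("any", pkt.proto) and dst in ("any", pkt.dst)
                and dport in (None, pkt.dport) and direction in ("any", pkt.direction)):
            return action
    return "deny"

def process(pkt: Packet, rules: list[Rule], nat_before_filter: bool = True) -> tuple[str, Packet]:
    """Run the three stages. nat_before_filter=True is the order the post describes;
    False models the 'trick' the post asks about (filtering before translation)."""
    pkt = ipfilter_allow_all(pkt)
    if nat_before_filter:
        pkt = ipnat_bimap(pkt)
        return ipfw_filter(pkt, rules), pkt
    verdict = ipfw_filter(pkt, rules)
    return verdict, ipnat_bimap(pkt)

# Constructed rulesets: the pre-migration one names the public address,
# the rewritten one names the private address the bimap produces.
OLD_RULES: list[Rule] = [("allow", "tcp", "203.0.113.10", 80, "in")]
NEW_RULES: list[Rule] = [("allow", "tcp", "10.0.0.10", 80, "in")]

# Constructed inbound HTTP request from an outside client to the public address.
INBOUND_HTTP = Packet(src="198.51.100.5", dst="203.0.113.10", proto="tcp", dport=80, direction="in")

def verdict_with_old_rules() -> str:
    """Order as posted: the bimap has already rewritten dst, so the public-address rule
    never matches and the packet falls through to the default deny."""
    return process(INBOUND_HTTP, OLD_RULES)[0]

def verdict_with_new_rules() -> str:
    """Same order, rules rewritten to the private address: the request is allowed."""
    return process(INBOUND_HTTP, NEW_RULES)[0]

def verdict_if_filter_ran_first() -> str:
    """If filtering happened before translation, the untouched public-address rule would match."""
    return process(INBOUND_HTTP, OLD_RULES, nat_before_filter=False)[0]

if __name__ == "__main__":
    print("old rules, nat first :", verdict_with_old_rules())
    print("new rules, nat first :", verdict_with_new_rules())
    print("old rules, filter first:", verdict_if_filter_ran_first())
```

Running the model shows the three outcomes side by side: with translation ahead of the filter, the old public-address rule silently stops matching (default deny), the rewritten private-address rule matches, and only a filter-before-NAT order would let the old rules keep working. Whichever order the real kernel uses, the defensive point is the same: after changing NAT mechanisms, test each rule against the addresses the filter actually sees rather than assuming the old rules still apply.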