Date: Tue, 4 Dec 2001 02:03:30 -0800
From: "Crist J . Clark" <cjc@FreeBSD.ORG>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipnat & ipfirewall ordering
Message-ID: <20011204020330.F37981@blossom.cjclark.org>
In-Reply-To: <13427.1007453916@axl.seasidesoftware.co.za>; from sheldonh@starjuice.net on Tue, Dec 04, 2001 at 10:18:36AM +0200
References: <13427.1007453916@axl.seasidesoftware.co.za>
On Tue, Dec 04, 2001 at 10:18:36AM +0200, Sheldon Hearn wrote:
>
> Hi folks,
>
> I'm migrating a firewall from natd to ipnat.
>
> I would like to continue using ipfirewall for packet filtering at this
> stage. Baby steps.
>
> It looks to me like the order in which things happen is:
>
> ipfilter (Allow all)
> ipnat (1:1 bimaps)
> ipfirewall (Actual packet filtering)
Close, it's actually,

          ipnat          ipf          ipfw
   in  --------------------------------->
       <---------------------------------  out
> This means that I need to change all my ipfirewall rules to use the nat'd
> (private) addresses of protected hosts, rather than the real (public)
> addresses as I did things before.
Yep.
> Am I correct about the order in which things are happening? Do I really
> need to change all my ipfirewall rules, or is there a trick to having
> ipfirewall processing done _before_ ipnat processing?
Nope.
-- 
Crist J. Clark                     | cjclark@alum.mit.edu
                                   | cjclark@jhu.edu
http://people.freebsd.org/~cjc/    | cjc@freebsd.org
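As an added illustration that is not part of the thread, the following Python model walks a packet through the ordering Crist describes (ipnat before ipf and ipfw on the way in, after them on the way out) with a 1:1 bimap, and shows why an ipfw rule written against the public address stops matching. The addresses and the rule format are constructed for the example.

```python
# Model of the FreeBSD packet path from the thread: inbound is
# ipnat -> ipf -> ipfw, outbound is ipfw -> ipf -> ipnat.
# The bimap and packets below are constructed sample values.

BIMAP = {"203.0.113.10": "10.0.0.10"}          # public -> private (constructed)
BIMAP_REV = {v: k for k, v in BIMAP.items()}   # private -> public


def ipnat(pkt, direction):
    """1:1 bimap: rewrite dst on inbound packets, src on outbound ones."""
    pkt = dict(pkt)
    if direction == "in" and pkt["dst"] in BIMAP:
        pkt["dst"] = BIMAP[pkt["dst"]]
    elif direction == "out" and pkt["src"] in BIMAP_REV:
        pkt["src"] = BIMAP_REV[pkt["src"]]
    return pkt


def ipfw_sees(pkt, direction):
    """Return the (src, dst) pair that ipfw rules are matched against."""
    if direction == "in":
        pkt = ipnat(pkt, "in")   # ipnat already ran, so ipfw sees private dst
    # outbound: ipfw runs before ipnat, so it sees the untranslated private src
    return (pkt["src"], pkt["dst"])


def ipfw_check(rules, pkt, direction):
    """First-match evaluation of (action, src, dst) rules; 'any' is a wildcard.
    Unmatched packets fall through to an implicit deny."""
    src, dst = ipfw_sees(pkt, direction)
    for action, rsrc, rdst in rules:
        if rsrc in ("any", src) and rdst in ("any", dst):
            return action
    return "deny"


def on_wire(pkt, direction):
    """Addresses as they leave the box: only outbound traffic is rewritten here."""
    out = ipnat(pkt, "out") if direction == "out" else pkt
    return (out["src"], out["dst"])


if __name__ == "__main__":
    inbound = {"src": "198.51.100.5", "dst": "203.0.113.10"}  # constructed
    old_rules = [("allow", "any", "203.0.113.10")]            # public addr: never matches
    new_rules = [("allow", "any", "10.0.0.10")]               # private addr: matches
    print(ipfw_check(old_rules, inbound, "in"), ipfw_check(new_rules, inbound, "in"))
```

In both directions ipfw sees the private address, so after the migration every rule that named a public address of a protected host has to be rewritten, exactly as the reply says.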
