Date: Fri, 8 May 1998 15:40:01 -0700 (PDT)
From: Julian Elischer <julian@whistle.com>
To: bh@epigram.com
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw & natd rule precedence
Message-ID: <Pine.BSF.3.95.980508153157.1169F-100000@current1.whistle.com>
In-Reply-To: <355369A7.C72AA055@epigram.com>
On Fri, 8 May 1998, Brandon Huey wrote:

> i'm a little confused about who enforces filtering rules on a gateway
> using ipfw & natd together.
>
> from what i've been reading i understand this:
>
> every incoming packet gets checked against the ipfw rules. a divert rule
> binds all packets from any interface to any interface to a specific port
> on which natd runs.
>
> now, knowing that, it sounds like natd (which has facilities for this)
> should enforce any further port/protocol filtering because ipfw is
> finished with these packets.
>
> but, i have also read that natd always puts packets it handles back into
> the incoming stream where they are once again checked against ipfw rules
> (but _ignoring_ the divert)...

Yes.. however there is a move afoot to make the reinjected packets be
reinjected AFTER the divert rule, so don't DEPEND on this behaviour.

The behavioural changes to IPFW would be:

 - the "SKIPTO" operation would become more efficient
 - DIVERT daemons could specify the rule after which an injected packet
   should start being checked.

This would allow the partitioning of rulesets into sub-rulesets for
efficiency and ease of understanding. You could then partition the
ruleset into different parts for pre- and post-translation (for example).
I have done some work towards this but not coded it yet.

> knowing that, it seems like i could continue using
> additional ipfw rules (but only against now-aliased packets?)
>
> what is right?

Yes. You could use the SKIPTO rule (though it's not too efficient now) to
isolate post-translated packets (by some unknown method) to a separate
ruleset, but it would be more difficult.

> also, are there significant performance hits because of natd running as
> a user process?

Well, we can address translate an ethernet but it takes a lot of the CPU
to do it.. (P130)

> thanks
>
> --
>
> Brandon Huey Epigram, Inc.
> bh@epigram.com +1 408 720 3027

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
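The precedence question in this thread (where a packet re-enters the ruleset after natd has rewritten it, and how a skipto can partition pre- and post-translation rules) is easier to see with a small model. The following is an added Python illustration written for this archive page; it is not ipfw or natd code and is not from either correspondent. It assumes a constructed gateway address 203.0.113.1 and internal host 192.168.1.10, constructed rule numbers, and a `translated` flag that is a modelling convenience only (real ipfw of this era did not mark reinjected packets; the only sign is that the divert rule is not applied to them again). Rule 50 in the second ruleset relies on an assumed heuristic, that a packet already addressed to the internal net at that point can only be one natd has rewritten.

```python
"""Model of ipfw rule evaluation around a 'divert natd' rule (added
illustration, not ipfw/natd source). Two reinjection behaviours are
modelled: re-check from the top of the list, skipping only the divert
(the behaviour Brandon describes), and re-check starting after the
divert rule (the change Julian says is coming)."""
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

PUBLIC = "203.0.113.1"    # constructed: gateway's outside address
SERVER = "192.168.1.10"   # constructed: internal host behind the gateway


@dataclass(frozen=True)
class Packet:
    dst: str                 # destination address as seen at this point
    dport: int               # destination TCP port
    translated: bool = False  # model-only marker set once natd rewrote it


@dataclass(frozen=True)
class Rule:
    num: int
    action: str              # "allow", "deny", "divert" or "skipto"
    match: Callable[[Packet], bool]
    target: Optional[int] = None  # skipto destination rule number


def natd(p: Packet) -> Packet:
    """Stand-in for natd: inbound traffic for the public address is
    redirected to the internal server; every packet comes back marked."""
    if p.dst == PUBLIC:
        return replace(p, dst=SERVER, translated=True)
    return replace(p, translated=True)


def evaluate(rules: List[Rule], pkt: Packet, reinject_after_divert: bool,
             start: int = 0) -> Tuple[str, int]:
    """Return (verdict, rule number). Rules are scanned in number order
    beginning at the first rule numbered >= start; the implicit default
    rule 65535 denies, as in ipfw."""
    ordered = sorted(rules, key=lambda r: r.num)
    i = 0
    while i < len(ordered):
        r = ordered[i]
        if r.num < start or not r.match(pkt):
            i += 1
            continue
        if r.action in ("allow", "deny"):
            return r.action, r.num
        if r.action == "skipto":
            start = r.target      # resume at first rule numbered >= target
            i += 1
            continue
        if r.action == "divert":
            if pkt.translated:    # a reinjected packet is not diverted again
                i += 1
                continue
            resume = r.num + 1 if reinject_after_divert else 0
            return evaluate(rules, natd(pkt), reinject_after_divert, resume)
        raise ValueError(f"unknown action {r.action!r}")
    return "deny", 65535


# Ruleset A: rule 100 is written against the post-translation address but
# sits before the divert, so it only ever sees translated packets if they
# are re-checked from the top. Its outcome depends on the reinjection point.
RULESET_A = [
    Rule(100, "allow", lambda p: p.dst == SERVER and p.dport == 22),
    Rule(200, "divert", lambda p: True),
    Rule(300, "allow", lambda p: p.dst == SERVER and p.dport == 80),
]

# Ruleset B is partitioned: rules before the divert match only on the
# public (pre-translation) address, rules from 300 on match on internal
# addresses, and rule 50 skips any already-internal packet straight to the
# post-translation section. Same verdicts under both reinjection behaviours.
RULESET_B = [
    Rule(50, "skipto", lambda p: p.dst.startswith("192.168.1."), target=300),
    Rule(100, "deny", lambda p: p.dst == PUBLIC and p.dport == 22),
    Rule(200, "divert", lambda p: True),
    Rule(300, "allow", lambda p: p.dst == SERVER and p.dport == 80),
]

SSH_IN = Packet(dst=PUBLIC, dport=22)   # constructed inbound packets
HTTP_IN = Packet(dst=PUBLIC, dport=80)

if __name__ == "__main__":
    for name, rs in (("A", RULESET_A), ("B", RULESET_B)):
        for pkt in (SSH_IN, HTTP_IN):
            top = evaluate(rs, pkt, reinject_after_divert=False)
            after = evaluate(rs, pkt, reinject_after_divert=True)
            print(f"ruleset {name}, port {pkt.dport}: "
                  f"from-top={top} after-divert={after}")
```

Running it shows ruleset A allowing the port 22 packet at rule 100 when reinjected packets re-enter from the top, but denying it at the default rule when they re-enter after the divert; ruleset B gives the same verdict either way, which is the kind of partitioning the thread is after and why a ruleset should not depend on where the reinjection lands.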