Date: Tue, 4 Feb 2003 16:52:52 +0200
From: Ruslan Ermilov <ru@freebsd.org>
To: Emilian Ursu <loman@cluj.astral.ro>
Cc: Mikhail Teterin <mi@corbulon.video-collage.com>, Barry Irwin <bvi@itouchlabs.com>, net@freebsd.org
Subject: Re: Does natd(8) really need to see _all_ packets?
Message-ID: <20030204145252.GC14893@sunbay.com>
In-Reply-To: <Pine.BSF.4.44_heb2.09.0302040759540.311-100000@void.cluj.astral.ro>
References: <200302040540.h145evwa062764@corbulon.video-collage.com> <Pine.BSF.4.44_heb2.09.0302040759540.311-100000@void.cluj.astral.ro>
On Tue, Feb 04, 2003 at 08:00:46AM +0200, Emilian Ursu wrote:
>
>
> On Tue, 4 Feb 2003, Mikhail Teterin wrote:
>
> > > your best solution is to add a skipto before the divert rule.
> >
> > Thank you, Barry, but is not that what I'm doing in the sample?
> >
> > > You can therefore skip any traffic from a private address to another
> > > private address. Anything not matched by the skipto rule gets fed to
> > > the divert socket.
> >
> > The trick was to figure out, what could be skipped, and what could not.
> > I'm wondering, if I got that right -- it seems to work fine, but does it
> > leave something open? Before I can recommend it to others, I'd like to
> > be more sure :-)
> >
>
> see the example from man firewall
>

This still isn't perfect. In a situation with a single NIC serving both
internal and external traffic, I've found the following solution to be
superior: use a distinct IP address (it doesn't even have to be bound to a
local interface) that allows you to skip not only local->remote traffic, but
reply packets too, i.e. it allows you to differentiate whether an incoming
(external) packet is for de-natting or not.

As opposed to the firewall(7) example, I usually implement a block with two
"divert natd" rules (for outgoing local and incoming external packets), and
"skipto" this block when appropriate.
Cheers,
--
Ruslan Ermilov		Sysadmin and DBA,
ru@sunbay.com		Sunbay Software AG,
ru@FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
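The layout Ruslan describes, written out as an ipfw ruleset. This is an added example, not Ruslan's own rules or anything from the firewall(7) manual: the NAT address 203.0.113.10 and the internal network 192.168.1.0/24 are constructed for illustration, the rule numbers are arbitrary, and the `IPFW` variable is a dry-run hook added here so the script can be inspected without root or a divert-capable kernel. The point the script makes concrete is that only two classes of packet are sent to the NAT block: outgoing packets with an internal source, and incoming packets whose destination is the distinct NAT address. Packets for the host's own interface address, and private-to-private traffic on the shared NIC, never reach natd at all.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules with one NAT block that holds
# two "divert natd" rules and is reached only via "skipto".
# Addresses are constructed (RFC 5737 documentation range / RFC 1918).

NAT_IP=${NAT_IP:-203.0.113.10}        # distinct NAT address; need not be bound locally
INT_NET=${INT_NET:-192.168.1.0/24}    # internal network behind the NAT
IPFW=${IPFW:-ipfw}                    # set IPFW="echo ipfw" for a dry run

# Emit the whole ruleset through $IPFW.
build_nat_ruleset() {
    $IPFW -f flush

    # 1. Private-to-private traffic never needs translation: jump straight
    #    past the NAT block (this is Barry's skipto, kept in front).
    $IPFW add 100 skipto 2000 ip from "$INT_NET" to "$INT_NET"

    # 2. Packets originating on the internal net and going anywhere else
    #    must be masqueraded: go to the NAT block.
    $IPFW add 200 skipto 1000 ip from "$INT_NET" to any

    # 3. Packets addressed to the NAT address are replies to masqueraded
    #    sessions and must be de-NATed. Traffic for the host's own interface
    #    address does not match here, so natd never sees it.
    $IPFW add 210 skipto 1000 ip from any to "$NAT_IP"

    # 4. Everything else bypasses natd entirely.
    $IPFW add 300 skipto 2000 ip from any to any

    # NAT block: one divert rule per direction. natd reinjects a translated
    # packet at the rule following the divert, so a masqueraded outgoing
    # packet (now sourced from $NAT_IP) does not match 1010, and a de-NATed
    # incoming packet has already passed 1000.
    $IPFW add 1000 divert natd ip from "$INT_NET" to any
    $IPFW add 1010 divert natd ip from any to "$NAT_IP"

    # The rest of the filtering policy starts here (placeholder rule).
    $IPFW add 2000 allow ip from any to any
}

# Dry-run helper: count emitted rules whose text matches $1.
rule_count() {
    (IPFW="echo ipfw"; build_nat_ruleset) | grep -c "$1"
}
```

Run `IPFW="echo ipfw" sh nat-rules.sh` (hypothetical file name) and call `build_nat_ruleset` to print the rules instead of loading them. For the ruleset to do anything, natd must be started with the same alias address (`natd -alias_address 203.0.113.10`), and since the NAT address may not be bound to the NIC, the host has to answer ARP for it (a published ARP entry via `arp -s ... pub`) or replies never arrive on the wire at all.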