Date: Mon, 15 Dec 1997 10:34:00 -0600 (CST)
From: Font <font@Mcs.Net>
To: questions@freebsd.org
Subject: natd and ipfw, how do they work together?
Message-ID: <Pine.BSF.3.95.971215102011.19342B-100000@Jupiter.Mcs.Net>
I am a typical user of natd, using a machine with two interfaces to connect my private network with the Internet. I am also using the ipfw firewall software. This is all under 2.2.5-RELEASE.

My question is, if I let a few machines on the private network access the Internet (but not others), how do I make sure that the firewall still functions when I am using natd?

For instance, let's say an internal nameserver at 192.168.1.1 is allowed to get out to the Internet for DNS queries, using the firewall/gateway at 192.168.1.2. I would allow this with

    ipfw add divert natd udp from 192.168.1.1 to any 53 via fxp1

where fxp1 is my outside interface on the firewall running ipfw. But when I want the result to come back, I have to send the packet back through natd again for translation. Until it's translated, though, I don't know what host it's for! Therefore something like

    ipfw add divert natd udp from any to 192.168.1.1 53 via fxp1

won't work, because until natd translates fxp1's IP to 192.168.1.1, such a rule has no meaning.

Hence my question. When natd does its translation, is the translated packet resent as if it came from the outside again, only with internal addresses properly inserted? Or after a packet goes through natd, does it just go to its destination without delay? If the latter is the case, then I really need two firewalls, one to prevent unauthorized traffic from leaving the network, and one to perform natd on and to prevent unauthorized traffic from entering the network.

This is a pretty new experience for me, as we just got our T1, so if I've explained anything badly, please feel free to ask for more details.

Thanks,
dw

A bug in my MUA causes news.announce.newusers font to be sent to beneficiaries and senders of UCE/SPAM. @ mcs.net
Wishes are like dishes.
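As an added example (not part of the original message), here is a rule ordering that makes both directions work. When natd writes a translated packet back to the divert socket, ipfw continues evaluating at the rule after the divert rule, so policy on internal source addresses for outbound traffic goes before the divert, and policy on internal destination addresses for inbound traffic goes after it. The interface and addresses are the ones from the message; the rule numbers and the FWCMD variable are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a natd/ipfw ruleset for the
# setup described above. Assumptions: fxp1 is the outside interface,
# 192.168.1.0/24 is the private network, and only the internal nameserver
# 192.168.1.1 may send DNS queries out. FWCMD defaults to "echo ipfw" so the
# ruleset can be previewed on any host; set FWCMD=/sbin/ipfw to load it.

natd_ruleset() {
    fw="${FWCMD:-echo ipfw}"
    oif="${1:-fxp1}"
    dns="${2:-192.168.1.1}"
    lan="${3:-192.168.1.0/24}"

    $fw -f flush
    # Before translation an outbound packet still carries its internal
    # source, so the "who may leave" policy goes BEFORE the divert rule.
    # The permitted host jumps straight to the divert rule; every other
    # internal host is stopped here.
    $fw add 100 skipto 300 udp from "$dns" to any 53 out via "$oif"
    $fw add 110 deny log ip from "$lan" to any out via "$oif"
    # natd rewrites the packet and writes it back; ipfw then continues at
    # the rule after 300, so the rules below see the external address on
    # outbound packets and the internal address on inbound ones.
    $fw add 300 divert natd ip from any to any via "$oif"
    # Outbound after NAT: source is now the gateway's public address.
    $fw add 310 allow udp from any to any 53 out via "$oif"
    # Inbound after NAT: the reply has already been mapped back to $dns.
    $fw add 320 allow udp from any 53 to "$dns" in via "$oif"
    # Anything else on the outside interface, either direction, is dropped.
    $fw add 65000 deny log ip from any to any via "$oif"
}

natd_ruleset "$@"
```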