Date:      Thu, 10 Jul 1997 12:27:22 -0400 (EDT)
From:      Charles Owens <owensc@enc.edu>
To:        hackers list FreeBSD <freebsd-hackers@freebsd.org>
Cc:        ari.suutari@ps.carel.fi
Subject:   ipfw rules processing order when DIVERTing
Message-ID:  <Pine.FBS.3.93.970710121015.10980C-100000@dingo.its.enc.edu>

Hi all,

I'm a bit unsure about the order in which ipfw rules get processed in
relation to a DIVERT rule that calls natd(8).  Note the last few sentences
from this excerpt from the natd(8) man page:

          /sbin/ipfw -f flush
          /sbin/ipfw add divert 6668 all from any to any via ed0
          /sbin/ipfw add pass all from any to any
        The second line depends on your interface and assumes that you've
        updated /etc/services as above.  If you specify real firewall rules,
  --->  it's best to specify line 2 at the start of the script so that natd
  --->  sees all packets before they are dropped by the firewall.  The fire-
  --->  wall rules will be run again on each packet after translation by
  --->  natd, minus any divert rules.

If I take this as literally as I can, I interpret it as follows:

        * Rules before divert rule processed
        * Divert rule ships all packets not dropped by above rules
          to natd for address translation
        * Packets return from natd and are then subjected to ALL rules,
          except this time divert rule is skipped

This is somewhat counter-intuitive to me.  If this is how it works, what is
the reason for this design, since, as I think about it, there must be a
performance penalty to this approach (multiple passes of rules)?  I had
expected it to work like this:

        * Rules before divert rule processed
        * Divert rule ships all packets not dropped by above rules
          to natd for address translation
        * Packets return from natd and remaining rules after divert rule
          are processed

What is the real story?

Thanks very much,
---
-------------------------------------------------------------------------
  Charles N. Owens                               Email:  owensc@enc.edu
                                             http://www.enc.edu/~owensc
  Network & Systems Administrator
  Information Technology Services  "Outside of a dog, a book is a man's
  Eastern Nazarene College         best friend.  Inside of a dog it's 
                                   too dark to read." - Groucho Marx
-------------------------------------------------------------------------
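The two rule-walk readings discussed in the message above (re-run the whole list minus divert rules, versus resume after the divert rule), as an added simulator that is not part of the original message or of FreeBSD's ipfw; the addresses, the interface name, the natd stand-in and the rule sets are constructed, and the code makes no claim about which reading the real kernel implements.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    iface: str

PUBLIC = "203.0.113.1"   # assumed public address of the natd host

def natd(pkt):
    """Stand-in for natd(8): rewrite a 10/8 source to the public address."""
    if pkt.src.startswith("10."):
        return Packet(PUBLIC, pkt.dst, pkt.iface)
    return pkt

def walk(rules, pkt, start=0, skip_divert=False):
    """First matching rule at or after `start` as (action, index).
    Divert rules are ignored when skip_divert is set; no match => deny
    (a default-deny ruleset is assumed)."""
    for i in range(start, len(rules)):
        action, match = rules[i]
        if not match(pkt) or (action == "divert" and skip_divert):
            continue
        return action, i
    return "deny", None

def process(rules, pkt, model):
    """'rerun': after natd re-run the whole list minus divert rules (the man
    page wording); 'resume': continue at the rule after the divert (the
    poster's expectation). Returns (verdict, source address as seen)."""
    verdict, i = walk(rules, pkt)
    if verdict != "divert":
        return verdict, pkt.src          # natd never saw this packet
    pkt = natd(pkt)
    if model == "rerun":
        verdict, _ = walk(rules, pkt, 0, skip_divert=True)
    else:
        verdict, _ = walk(rules, pkt, i + 1)
    return verdict, pkt.src

via_ed0 = lambda p: p.iface == "ed0"
private_out = lambda p: p.iface == "ed0" and p.src.startswith("10.")
any_pkt = lambda p: True
public_src = lambda p: p.src == PUBLIC
# Constructed rule sets: divert first (as the man page advises), deny before
# divert, and a pass-own-public-address rule ahead of the divert, where the two readings differ.
DIVERT_FIRST = [("divert", via_ed0), ("deny", private_out), ("pass", any_pkt)]
DENY_FIRST = [("deny", private_out), ("divert", via_ed0), ("pass", any_pkt)]
PASS_PUBLIC = [("pass", public_src), ("divert", via_ed0), ("deny", any_pkt)]
```

For an outbound packet from 10.0.0.5 via ed0, DENY_FIRST drops it untranslated under both readings (natd never sees it), DIVERT_FIRST passes it translated under both, and PASS_PUBLIC is where they diverge: the translated packet is passed by the re-run reading but denied by the resume reading.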