Trying to understand ipfirewall/divert/nat
Lowell Gilbert
freebsd-questions-local at be-well.ilk.org
Thu Jan 8 14:54:12 PST 2004
Kenneth W Cochran <kwc at TheWorld.com> writes:
> Would like to do similar things, e.g. allow/deny <insert
> port/service/protocol here> & get all that to play nicely
> with divert/natd. For example, with divert, it appears that
> we should have a ruleset for "before" the divert & another
> "mirror-image" ruleset for "after" divert. Where might I
> find some nice explanations of the logic/strategy with this?
Look carefully; it's not a mirror image. The "before" set is denying
the addresses as destinations, while the "after" set is denying them
as source addresses.
> I guess what confuses me is /etc/rc.firewall does things one
> way & the firewall(7) manpage another.
Firewall configurations differ. It's possible to struggle through
without understanding what you're doing, but it's hard, and you're a
lot more likely to make mistakes.
> Where are some, umm, good sources of information about
> ipfirewall (ipfw)? Seems all the books talk about are
> Linux's ipchains & iptables & *bsd's ipf.
The *good* books don't do much with any specific implementation. [I'm
thinking of Cheswick/Bellovin, as well as the Zwicky book.] They
cover the theory; if you have that, the syntax is pretty easy with any
of them.
--
Lowell Gilbert, embedded/networking software engineer, Boston area:
resume/CV at http://be-well.ilk.org:8088/~lowell/resume/
username/password "public"
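To make the point about the "before" and "after" rule sets concrete, here is an added example (not from the thread and not from rc.firewall itself) that pushes a few constructed packets on the outside interface through the "before" rules, a tiny stand-in for divert natd, and the "after" rules; the addresses and the NAT model are assumptions made for the example. It also runs the swapped "mirror-image" ordering to show which legitimate traffic that ordering would block.

```python
import ipaddress

# Constructed addresses for the example (assumptions, not taken from the thread).
PUBLIC_IP = ipaddress.ip_address("203.0.113.5")   # gateway's outside-interface address
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def natd(pkt, table):
    """Tiny stand-in for divert natd: rewrite src going out, dst coming back in."""
    src, dst, direction = pkt
    if direction == "out":
        table[dst] = src                    # remember which inside host talks to dst
        return (PUBLIC_IP, dst, direction)
    inside = table.get(src)                 # a reply from a host we talked to?
    if dst == PUBLIC_IP and inside is not None:
        return (src, inside, direction)
    return pkt                              # no translation state: pass unchanged

def deny_to(pkt):        # "before" set: deny all from any to <private net> via oif
    return any(pkt[1] in n for n in RFC1918)

def deny_from(pkt):      # "after" set: deny all from <private net> to any via oif
    return any(pkt[0] in n for n in RFC1918)

def filter_packet(pkt, table, before, after):
    """Order a packet on the outside interface sees: before-rules, divert, after-rules."""
    if before(pkt):
        return "denied-before"
    pkt = natd(pkt, table)
    if after(pkt):
        return "denied-after"
    return "allowed"

def run(before=deny_to, after=deny_from):
    """Four constructed packets on the outside interface; the NAT table is seeded
    as if inside host 10.0.0.2 had already opened a connection to 198.51.100.10."""
    lan, www = ipaddress.ip_address("10.0.0.2"), ipaddress.ip_address("198.51.100.10")
    spoof = ipaddress.ip_address("192.168.1.1")
    table = {www: lan}
    return {
        "lan_out":      filter_packet((lan, www, "out"), table, before, after),
        "reply_in":     filter_packet((www, PUBLIC_IP, "in"), table, before, after),
        "bogus_dst_in": filter_packet((www, lan, "in"), table, before, after),
        "bogus_src_in": filter_packet((spoof, PUBLIC_IP, "in"), table, before, after),
    }

if __name__ == "__main__":
    print("rc.firewall order :", run())                              # legitimate traffic allowed
    print("mirror-image order:", run(before=deny_from, after=deny_to))  # LAN traffic breaks
```

In the rc.firewall order the two legitimate packets pass and both bogus ones are dropped, while the swapped order drops the LAN host's own outbound packet and the translated reply to it.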