Packet flow through IPFW+IPF+IPNAT ?
Matthew George
mdg at secureworks.net
Mon Jun 2 07:43:09 PDT 2003
On Sat, 31 May 2003, Vandyuk Eugene wrote:
> Hi.
>
> On my FreeBSD 4.8 I have configured IPFW2+IPF+IPNAT and I use them all:
> - IPFW - traffic accounting, shaping, balancing and filtering;
> - IPFilter - policy routing;
> - IPNAT - masquerading.
> I want to know how IP packets flow through all of these components.
> What's the path?
> incoming: IPFW Layer2 -> IPFW&Dummynet -> IPNAT -> IPFilter ?
> outgoing: IPFW Layer2 -> IPFW&Dummynet -> IPFilter -> IPNAT ?
> Is this correct? Or does IPNAT on the incoming packets run before IPFW L3:
> incoming: IPFW Layer2 -> IPNAT -> IPFW&Dummynet -> IPFilter ?
> I think this path is preferable, because IPFW always uses
> non-masqueraded IP headers.
>
> Any help appreciated.
>
I have ipfw compiled in and run ipfilter as a kld.

The way it works is ipfw -> ipnat -> ipfilter.

ipnat and all state matching for ipfilter are performed prior to ruleset
processing.
--
Matthew George
SecureWorks Technical Operations