Packet flow through IPFW+IPF+IPNAT ?

Matthew George mdg at secureworks.net
Tue Jun 3 07:36:24 PDT 2003


On Mon, 2 Jun 2003, Paulo Roberto wrote:

> --- Fernando Gleiser <fgleiser at cactus.fi.uba.ar> wrote:
> > On Mon, 2 Jun 2003, Vlad GALU wrote:
> > Or, in other words, IPF always 'sees' the real IPs, not the NATed
> > ones.
>
> Is it also true for IPFW? Do the rules always apply to the real
> addresses instead of the NATed ones? So why must the "divert natd"
> rule be the first rule in ipfw? (in rc.firewall it is rule 00050).
> Is the packet reinserted in the queue, or does it just wait for a "pass"
> rule so it can be put on rule #00050 and go on?
>
> TIA
>
> Paulo Roberto
>

It depends on where the divert rule is.  If it's the first rule, then yes.
You can do pre-nat filtering by placing rules before the divert if you
want.  I typically do all my RFC1918 et al. filtering on my external
interfaces pre-nat.

-- 
Matthew George
SecureWorks Technical Operations
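The ordering point made in this reply, as an added example that is not code from the thread or from rc.firewall: a small ipfw ruleset generator that keeps address-sensitive rules on the correct side of the "divert natd" rule, plus a lint that refuses a ruleset where a rule naming private address space has landed above the divert. The interface name em0, the public address 203.0.113.10, the LAN 192.168.1.0/24 and the natd -redirect_port for port 22 are assumptions; rule 50 for the divert is the number the thread mentions from rc.firewall.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from rc.firewall.
# Rules numbered below the "divert natd" rule match the untranslated packet;
# rules numbered above it match what natd hands back.
# Hypothetical values: external interface em0 with public address 203.0.113.10,
# LAN 192.168.1.0/24, divert at rule 50 (the number rc.firewall uses).

EXT_IF="${EXT_IF:-em0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
DIVERT_RULE="${DIVERT_RULE:-50}"

# Emit the ruleset as "add <number> <rule>" lines; nothing is loaded here.
ruleset() {
    n=10
    # Pre-NAT (numbers below DIVERT_RULE): the packet is untranslated. Inbound,
    # the source is whatever the outside sent, so a private source arriving on
    # the external interface is spoofed or leaked and is dropped before natd
    # ever sees it. Outbound, a private destination would leak out unchanged.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        echo "add $n deny ip from $net to any in recv $EXT_IF"
        n=$((n + 1))
        echo "add $n deny ip from any to $net out xmit $EXT_IF"
        n=$((n + 1))
    done

    # natd rewrites the source (outbound) or destination (inbound) and
    # re-injects the packet at the rule after this one.
    echo "add $DIVERT_RULE divert natd ip from any to any via $EXT_IF"

    # Post-NAT (numbers above DIVERT_RULE): outbound LAN traffic now carries
    # EXT_IP as its source, so "from $LAN_NET ... out" would never match here.
    echo "add 100 check-state"
    echo "add 110 allow tcp from $EXT_IP to any out xmit $EXT_IF setup keep-state"
    echo "add 120 allow udp from $EXT_IP to any 53 out xmit $EXT_IF keep-state"
    # Inbound packets arrive here with the destination already rewritten to the
    # LAN host, so the LAN net is the right *destination* after the divert
    # (assumes natd is started with -redirect_port for tcp port 22).
    echo "add 130 allow tcp from any to $LAN_NET 22 in recv $EXT_IF setup keep-state"
    echo "add 65000 deny log ip from any to any"
}

# Read a ruleset on stdin and exit 1 if any rule that names private address
# space sits above the divert, except an inbound rule whose LAN reference is
# the destination, which is exactly what natd produces.
lint_ordering() {
    awk -v div="$DIVERT_RULE" -v lan="$LAN_NET" '
        $1 == "add" && $3 == "divert" { next }
        $1 == "add" && /10\.0\.0\.0\/8|172\.16\.0\.0\/12|192\.168\./ {
            post_nat = ($2 + 0) > (div + 0)
            inbound_to_lan = ($0 ~ ("to " lan)) && ($0 ~ / in /)
            if (post_nat && !inbound_to_lan) bad++
        }
        END { exit (bad ? 1 : 0) }'
}

# Load the rules into a FreeBSD kernel built with IPFIREWALL and IPDIVERT
# (root required); refuses to load a misordered ruleset.
apply_ruleset() {
    ruleset | lint_ordering || {
        echo "refusing to load: private-address rule after the divert" >&2
        return 1
    }
    # shellcheck disable=SC2086 -- word splitting of $rule is intended
    ruleset | while read -r rule; do /sbin/ipfw -q $rule; done
}

case "${1:-print}" in
    apply) apply_ruleset ;;
    lint)  ruleset | lint_ordering && echo "ordering ok" ;;
    *)     ruleset ;;
esac
```

Run it with no argument to see the generated rules, with "lint" to check the ordering, and with "apply" on a FreeBSD box to load them. The lint is the useful part: a rule such as "allow tcp from 192.168.1.0/24 to any out" placed above rule 50 is wrong only in its number, so it loads without complaint and simply never matches, which is the failure mode the question in this thread is about.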



More information about the freebsd-security mailing list