sorry, i'm suppose to post this under freebsd-questions. this should teach
me posting early in the morning :-)
To continue the questions... if the sample ipfw rule "deny all from any to
192.168.0.0/16 via outside_interfaces" doesn't always work. Should it be
included in the rc.firewall example?
arnee wrote:
> I have been wondering what the right answer to this scenario is. Here is
> the scenario:
>
> machine A -- outside ip (internet)
> machine B -- router, natd, registered ip and set to stop RFC1918 on the
> public interface
> machine C -- inside LAN, unregisterd ip 192.168.0.0/16
>
> When I connect to machine A from machine C, machine B (natd) seems to
> translate the addresses correctly like this:
>
> Out [TCP] "machine C's ip" --> "machine A's ip" aliased to
> [TCP] "machine B's ip" --> "machine A's ip"
>
> but when the packet comes back in, I get this:
>
> In [TCP] "machine A's ip" --> "machine B's ip" aliased to
> [TCP] "machine A's ip" --> "machine C's ip"
> ^ ^ ^ ^ ^ ^ ^ ^
>
> and this brakes my ipfw rule of:
>
> "deny ip from any to 192.168.0.0/16 via outside_interface" ... which is
> part of the example from rc.firewall "stopping RFC1918 on the public
> interface." So, I always just delete this rule to get the packet inside
> the LAN.
>
> questions are:
>
> 1. Is this right? Is natd behaving correctly when the packet comes back
> in for unregistered ips? I would think that it would be aliased to like
> this, "machine B's ip" --> machine C's ip".... like a proxy? But this
> would still break the rule "... from any ...".
> 2. If so, is it correct to not include the ipfw rule above when stopping
> RFC1918? Better yet, what is the correct way of writing the rule?
>
> correct me if my assumptions are wrong.
>
> using 4.0current-2000.02.14
> ---
> arnee
>
> To Unsubscribe: send mail to [EMAIL PROTECTED]
> with "unsubscribe freebsd-current" in the body of the message
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
