On Sun, Jan 13, 2002 at 11:25:41PM -0800, Crist J . Clark wrote:
> On Sun, Jan 13, 2002 at 11:56:36AM +0100, Andreas Klemm wrote:
> > I found a document describing a firewall design only using natd
> > for redirects to internal network resources. (Hi Marshall, therefore
> > Cc: to you, since it's yours and I have a question).
> > 
> >     http://www.rootprompt.net/freebsd_firewall.html
> > 
> > Based on this information I think I could get rid of natd entirely.
> 
> Why do you say that? His example uses natd(8).

He uses it only on the internal network card to redirect
2 applications to inside machines. Look in the config!

> > See my previous mail, my problem was, that I can't get it to run
> > for a typical 2 NIC configuration with internal network, DMZ and
> > a router in front of a 512k leased line.
> 
> You didn't include your firewall rules.

I only sent it privately. They are, as I told you, the templates from
"simple"; I only added ssh ... but this doesn't break the logic.

> > Or is this my NAT problem, that additionally I have to use the kernel
> > option FIREWALL_FORWARD,
> 
> You don't need it.

o.k.

> > to get NAT for internal users running,
> > though all other documents state that only IPFIREWALL and
> > IPDIVERT are needed???
> 
> But it shouldn't cause problems.
> 
> > Therefore the question, is using FIREWALL_FORWARD a good
> > replacement for /sbin/natd if you want to give users of
> > the internal network access to the outside world ?
> 
> FIREWALL_FORWARD has nothing to do with NAT.
> 
> > Are there some things to take care of, when using FIREWALL_FORWARD ?
> 
> Yes, but nothing to do with NAT.

BUT WHAT does FIREWALL_FORWARD actually do????
What happens if I define it in the kernel and stop NAT?
Can internal machines communicate with the outside then?
What can outside machines do then?
Does it produce a hole in the firewall?
Or is it something like stateful NAT?

        Andreas ///

-- 
Andreas Klemm - Powered by FreeBSD
Need a magic printfilter today ?         http://www.apsfilter.org/
Songs from our band >> 64Bits <<         http://www.64bits.de
Inofficial band pages with add-on stuff  http://www.apsfilter.org/64bits.html
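
As an added illustration that is not part of the thread: the ipfw rule set below puts the two mechanisms being discussed side by side, the natd(8) divert rule that actually performs address translation and the fwd action that the IPFIREWALL_FORWARD kernel option enables. Interface names, addresses, rule numbers and the local proxy port are constructed assumptions; the divert and fwd syntax is standard ipfw(8)/natd(8) usage, and the script only echoes the commands unless FWCMD points at the real ipfw binary.

```shell
#!/bin/sh
# Added example, not from the thread: natd-based NAT beside an
# IPFIREWALL_FORWARD "fwd" rule, to show that the two do different jobs.
#
# Dry run by default so the rules can be read anywhere; set
# FWCMD=/sbin/ipfw on the firewall itself to load them for real.
FWCMD="${FWCMD:-echo /sbin/ipfw}"

# Constructed topology for this example (assumptions, not from the thread).
oif="fxp0"              # outside NIC, towards the leased-line router
iif="fxp1"              # inside NIC
inet="192.168.1.0/24"   # internal network behind the firewall
www="192.168.1.10"      # internal web server published via natd redirect
proxy_port="3128"       # assumed local transparent proxy port

# Rules that depend on natd (kernel options IPFIREWALL + IPDIVERT).
# Every packet crossing the outside NIC is diverted to natd, which
# masquerades outbound traffic and applies its redirects inbound, e.g.
#   natd -n ${oif} -redirect_port tcp ${www}:80 80
# Processing resumes at the rule after the divert, on the rewritten packet.
nat_rules() {
    ${FWCMD} add 50  divert natd ip from any to any via "${oif}"
    # Outbound setups: after the divert the source is already the outside
    # address, so matching "from ${inet}" here would silently fail.
    ${FWCMD} add 100 pass tcp from any to any out via "${oif}" setup
    # Established flows pass in both directions.
    ${FWCMD} add 110 pass tcp from any to any established
    # Inbound web traffic has been translated to the inside server by now.
    ${FWCMD} add 120 pass tcp from any to "${www}" 80 in via "${oif}" setup
}

# Rules that depend only on IPFIREWALL_FORWARD. "fwd" hands matching
# packets to another next hop (here a local proxy) without rewriting
# addresses or ports; the inside hosts still appear with their private
# addresses, so nothing in this function translates anything.
fwd_rules() {
    ${FWCMD} add 200 fwd 127.0.0.1,"${proxy_port}" tcp from "${inet}" to any 80 in via "${iif}"
}

nat_rules
fwd_rules
```

Loading both functions on a real box is only meaningful with IPDIVERT (for the divert rule) and IPFIREWALL_FORWARD (for the fwd rule) compiled in; without natd running, rule 50 drops the diverted packets rather than passing them through.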