On 9/30/2013 4:53 AM, Fred Maillou wrote:
>> There is a similar diagram at
>> http://www.shorewall.net/NetfilterOverview.html. Not shown in
>> that diagram is the case where a local process sends a packet
>> to another local process.
>
> Unfortunately this URL currently returns 'not found'.
>
> Fred.
>
> ------------------------------------------------------------------------
> *From:* Tom Eastep <teas...@shorewall.net>
> *To:* shorewall-users@lists.sourceforge.net
> *Sent:* Friday, 27 September 2013 9:35
> *Subject:* Re: [Shorewall-users] Processing precedence: rule/MASQ
>
> On 9/26/2013 8:28 AM, Fred Maillou wrote:
>>>> On Thu, Sep 26, 2013 at 11:41 AM, Fred Maillou
>>>> <frederrif...@yahoo.ca> wrote:
>>>>
>>>> In masquerading, which one gets processed first, a firewall
>>>> rule, or the masquerading? I'd think masquerading gets
>>>> processed first, but I'm not certain.
>>>
>>> From: Guilsson G <guils...@gmail.com>
>>>
>>> As Shorewall, in fact, configures Netfilter/iptables, the best way is
>>> to look at how packets traverse the Linux kernel.
>>>
>>> Look at this:
>>> http://www.adminsehow.com/2011/09/iptables-packet-traverse-map/
>>
>> According to the last diagram on that page, it would mean that
>> incoming packets from the network would be NAT-processed first,
>> then processed through the firewall rules.
>>
>> Whereas packets generated by the firewall device would be
>> processed by rules first and then NAT'ed.
>>
>> In the case of a router, all packets going through it would be
>> processed by NAT first, then FW rules would be applied.
>>
>> I guess this makes sense, but I am not sure yet. The first diagram
>> on that page has a logic error in which two of the 'routing
>> decision' boxes have no alternative route. If a decision was
>> taken, then there should be at least a case of yes/no, as there is
>> in the third 'routing decision' box.
>
>> There is a similar diagram at
>> http://www.shorewall.net/NetfilterOverview.html. Not shown in that
>> diagram is the case where a local process sends a packet to another
>> local process.

Actually, that is not true. For the local case, the 'Network' is the loopback device (lo).

-Tom

--
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
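The thread's question is which table sees a packet first: the nat table (DNAT, MASQUERADE) or the filter table (the firewall rules). The following Python model is an added example and is not part of the thread or of Shorewall's code. It walks a packet through the nat and filter chains in the standard netfilter order for the three cases Fred lists, plus the local-to-local case Tom mentions, where the "network" is lo, so the packet leaves through OUTPUT/POSTROUTING and comes straight back in through PREROUTING/INPUT. The addresses, the DNAT target and the external address are constructed; the raw and mangle tables are deliberately left out.

```python
"""Model of the order in which iptables' nat and filter tables see a packet.

Constructed example (not Shorewall code): the chain order follows the standard
netfilter traversal diagram. Only the nat and filter tables are modelled; raw
and mangle are omitted.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


Step = Tuple[str, str]  # (chain, table)

OUTBOUND = [("OUTPUT", "nat"), ("OUTPUT", "filter"), ("POSTROUTING", "nat")]
INBOUND = [("PREROUTING", "nat"), ("INPUT", "filter")]
FORWARDED = [("PREROUTING", "nat"), ("FORWARD", "filter"), ("POSTROUTING", "nat")]


def path(src_local: bool, dst_local: bool) -> List[Step]:
    """Chains a packet traverses, in order, for the four source/destination cases."""
    if src_local and dst_local:
        # Local process to local process: the 'network' is lo, so the packet
        # leaves through OUTPUT/POSTROUTING and comes back in via PREROUTING/INPUT.
        return OUTBOUND + INBOUND
    if src_local:
        return OUTBOUND        # generated by the firewall itself
    if dst_local:
        return INBOUND         # addressed to the firewall itself
    return FORWARDED           # routed through the firewall


NatRule = Callable[[Packet], Packet]


def dnat(new_dst: str) -> NatRule:
    """DNAT target: rewrite the destination (used in nat PREROUTING/OUTPUT)."""
    return lambda p: replace(p, dst=new_dst)


def masquerade(ext_ip: str) -> NatRule:
    """MASQUERADE/SNAT target: rewrite the source (used in nat POSTROUTING)."""
    return lambda p: replace(p, src=ext_ip)


def run(pkt: Packet, src_local: bool, dst_local: bool,
        nat_rules: Dict[str, NatRule]) -> Tuple[Packet, Dict[str, Packet]]:
    """Apply nat rules at their chains and record what each filter chain sees.

    nat_rules maps a chain name ("PREROUTING", "OUTPUT", "POSTROUTING") to the
    rewrite applied when the nat table is consulted at that chain.
    """
    seen_by_filter: Dict[str, Packet] = {}
    for chain, table in path(src_local, dst_local):
        if table == "nat" and chain in nat_rules:
            pkt = nat_rules[chain](pkt)
        elif table == "filter":
            seen_by_filter[chain] = pkt   # addresses as the filter rules match them
    return pkt, seen_by_filter


# Constructed addresses (RFC 5737 documentation ranges on the public side).
LAN_HOST, LAN_SERVER = "192.168.1.10", "192.168.1.20"
EXT_HOST, FIREWALL_EXT = "198.51.100.7", "203.0.113.1"


def lan_to_internet() -> Tuple[Packet, Dict[str, Packet]]:
    """Forwarded packet from the LAN with MASQUERADE on the external interface."""
    return run(Packet(LAN_HOST, EXT_HOST), False, False,
               {"POSTROUTING": masquerade(FIREWALL_EXT)})


def port_forward_in() -> Tuple[Packet, Dict[str, Packet]]:
    """Forwarded packet from the internet DNATed to an internal server."""
    return run(Packet(EXT_HOST, FIREWALL_EXT), False, False,
               {"PREROUTING": dnat(LAN_SERVER)})


if __name__ == "__main__":
    for name, case in (("LAN -> internet", lan_to_internet()),
                       ("internet -> LAN server", port_forward_in())):
        final, seen = case
        print(f"{name}: FORWARD filter saw {seen['FORWARD']}, wire packet {final}")
    print("local -> local chains:", [c for c, _ in path(True, True)])
```

The two forwarded cases show the practical consequence of the ordering: the FORWARD filter rules see the destination after DNAT but the source before MASQUERADE, so a filter rule for a port-forwarded service must name the internal server rather than the public address, while an outbound rule still matches the LAN host's real source address.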
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users