On Tue, Feb 04, 2003 at 08:00:46AM +0200, Emilian Ursu wrote:
> 
> 
> On Tue, 4 Feb 2003, Mikhail Teterin wrote:
> 
> > > your best solution is to add a skipto before the divert rule.
> > 
> > Thank you, Barry, but is not that what I'm doing in the sample?
> > 
> > > You can therefore skip any traffic from a private address to another
> > > private address. Anything not matched by the skipto rule gets fed to
> > > the divert socket.
> > 
> > The trick was to figure out what could be skipped, and what could not.
> > I'm wondering if I got that right -- it seems to work fine, but does it
> > leave something open? Before I can recommend it to others, I'd like to
> > be more sure :-)
> > 
> 
> see the example from man firewall
> 
This still isn't perfect. In a situation with a single NIC serving both
internal and external traffic, I've found the following solution to be
superior: use a distinct IP address (it doesn't even have to be bound to a
local interface) that allows you to skip not only local->remote traffic,
but reply packets, i.e. it allows you to differentiate whether an incoming
(external) packet is for de-natting or not.
As opposed to the firewall(7) example, I usually implement a block with two
"divert natd" rules (for outgoing local and incoming external packets), and
"skipto" this block when appropriate.

Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
[EMAIL PROTECTED]	Sunbay Software AG,
[EMAIL PROTECTED]	FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine
http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
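The ruleset below is an added example, not code from Ruslan's mail or from the firewall(7) manual page; it writes out the scheme he describes as an ipfw script: two "skipto" rules decide up front which packets need natd, and the two "divert natd" rules (outgoing local, incoming external) sit together in one block. The interface name em0, the private range 10.0.0.0/8 and the NAT address 192.0.2.10 are assumed values for illustration. Because the NAT address need not be configured on the interface, the script also assumes that natd is started with that address as its alias address (natd -a 192.0.2.10) and that the upstream router delivers packets for it to this host (proxy ARP or a route).

```shell
#!/bin/sh
# Added example (not from the original mail): ipfw rules for "decide with skipto,
# NAT in one divert block" on a single-NIC gateway.
# Assumed values: em0 is the only NIC, 10.0.0.0/8 is the private range and
# 192.0.2.10 is the dedicated NAT address, which natd must also be given
# (natd -a 192.0.2.10). Set IPFW=echo to print the rules instead of loading them.

IF=${IF:-em0}
PRIV=${PRIV:-10.0.0.0/8}
NATIP=${NATIP:-192.0.2.10}
IPFW=${IPFW:-ipfw}

natd_rules() {
    # Only two kinds of packet are ever sent to the divert block:
    # 1) private -> non-private, leaving via $IF: its source must become $NATIP
    $IPFW add 100 skipto 1000 ip from "$PRIV" to not "$PRIV" out via "$IF"
    # 2) external packet addressed to $NATIP arriving via $IF: must be de-natted
    $IPFW add 110 skipto 1000 ip from not "$PRIV" to "$NATIP" in via "$IF"
    # Everything else (private <-> private, traffic to the box's own addresses,
    # inbound traffic not aimed at $NATIP) bypasses natd entirely. Real filtering
    # rules belong here; this example simply passes it.
    $IPFW add 200 allow ip from any to any

    # The divert block: one rule per direction. A packet re-injected by natd
    # resumes at the rule after the one that diverted it, and the second rule
    # cannot match the first rule's output because the direction differs.
    $IPFW add 1000 divert natd ip from "$PRIV" to any out via "$IF"
    $IPFW add 1010 divert natd ip from any to "$NATIP" in via "$IF"
    $IPFW add 1020 allow ip from any to any
}

# Load the rules only when explicitly asked, so the file is safe to source.
if [ "${1:-}" = apply ]; then
    natd_rules
fi
```

Trace a connection through it: the first packet from 10.x leaves via em0, hits rule 100, jumps to 1000, gets its source rewritten to 192.0.2.10 and resumes at 1010 (no match, wrong direction) and 1020. The reply arrives addressed to 192.0.2.10, hits rule 110, jumps past 1000 (wrong direction) to 1010, is de-natted, and resumes at 1020; when it is then forwarded out to 10.x it matches neither skipto and is passed by rule 200. Private-to-private traffic and anything addressed to the host's real interface address never reach natd at all.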