On Tue, Feb 04, 2003 at 08:00:46AM +0200, Emilian Ursu wrote:
> 
> 
> On Tue, 4 Feb 2003, Mikhail Teterin wrote:
> 
> > > your best solution is to add a skipto before the divert rule.
> >
> > Thank you, Barry, but is not that what I'm doing in the sample?
> >
> > > You can therefore skip any traffic from a private address to another
> > > private address. Anything not matched by the skipto rule gets fed to
> > > the divert socket.
> >
> > The trick was to figure out, what could be skipped, and what could not.
> > I'm wondering, if I got that right -- it seems to work fine, but does it
> > leave something open? Before I can recommend it to others, I'd like to
> > be more sure :-)
> >
> 
> see the example from man firewall
> 
This still isn't perfect.  In a situation with a single NIC
serving both internal and external traffic, I've found the
following solution to be superior: use a distinct IP
address (it does not even have to be bound to a local interface)
that allows you to skip not only local->remote traffic, but
reply packets, i.e. it allows you to differentiate whether an
incoming (external) packet is for de-natting or not.

As opposed to the firewall(7) example, I usually implement
a block with two "divert natd" rules (for outgoing local
and incoming external packets), and "skipto" this block
when appropriate.


Cheers,
-- 
Ruslan Ermilov          Sysadmin and DBA,
[EMAIL PROTECTED]           Sunbay Software AG,
[EMAIL PROTECTED]          FreeBSD committer,
+380.652.512.251        Simferopol, Ukraine

http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age
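An added example (not from the thread, and not Ruslan's own ruleset) of the layout he describes: a skipto into a block of two "divert natd" rules, keyed on a distinct alias address so that only replies addressed to that alias are de-natted. The interface, private network, alias address and rule numbers are constructed placeholders; natd is assumed to run as "natd -a $ALIAS".

```shell
#!/bin/sh
# Constructed placeholders: adjust for the real box.
IF=fxp0                  # the single NIC carrying internal and external traffic
LAN=192.168.1.0/24       # private network behind the box
ALIAS=203.0.113.10       # NAT alias handed to natd (-a); need not be bound locally
NAT=5000                 # rule number of the natd block
FILTER=1000              # rule number where ordinary filtering starts

# Emits the ruleset as "ipfw add ..." lines; pipe the output into sh
# on a FreeBSD host (ipfw is not invoked here).
build_rules() {
    cat <<EOF
ipfw -f flush
# private-to-private traffic never needs translation: straight to filtering
ipfw add 100 skipto $FILTER ip from $LAN to $LAN via $IF
# outgoing packets from the private net to anywhere else: natd block
ipfw add 200 skipto $NAT ip from $LAN to not $LAN out via $IF
# incoming external packets addressed to the alias are the only ones that
# need de-natting; packets for the box's own address fall through untouched
ipfw add 300 skipto $NAT ip from any to $ALIAS in via $IF
# ordinary filtering starts here (placeholder: accept everything)
ipfw add $FILTER allow ip from any to any
# natd block: one divert rule per direction
ipfw add $NAT divert natd ip from $LAN to not $LAN out via $IF
ipfw add $((NAT + 10)) divert natd ip from any to $ALIAS in via $IF
# if net.inet.ip.fw.one_pass is 0, reinjected packets continue here,
# so send them back to the filtering section
ipfw add $((NAT + 20)) skipto $FILTER ip from any to any
EOF
}

# Sanity check on the generated ruleset: exactly two divert rules.
count_divert() { build_rules | grep -c 'divert natd'; }
```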
