EFT.Eric Devolder <[EMAIL PROTECTED]> wrote:
>
> All this means also that it is possible to accept incoming packets
> (ipfwadm -I) but without forwarding them !  is it true ?

Of course!  If you telnet to your masq box directly, it accepts the
packets, but does not forward them.  The packets are destined for the
masq box itself, so there is no need to forward.

Your questions imply a lack of knowledge about rule sets and how they
are used.  There was a time when I didn't know anything about these
things, and I managed to learn it from somewhere... if only I could
remember where.  Then I could point you to the same place.  :)

Let's see if I can summarize it...

When a packet reaches the masq box:

1.  The INPUT rulesets are checked, to determine if the packet should be
    accepted at all.

2.  If the packet is accepted, the IP address is examined.  If it is for
    this box, we send the packet to whatever local application wants it.

3.  If the packet is addressed to someone else, the route table is
    consulted.  The routes determine where (if anywhere) the packet
    should be forwarded to.

4.  If the route table determines that the packet should be forwarded,
    the FORWARD rulesets are checked, to determine IF the packet should
    be forwarded, and if so, if it should be masqueraded during the
    process.

5.  If the packet is being forwarded, then the OUTPUT rulesets are
    checked, to determine if the packet should be sent at all.


So you see, all of the rulesets come into play.  If a packet is not
being forwarded (i.e. it is to or from a process on the local masq box),
then only the INPUT and OUTPUT rules are checked for each packet. 
Otherwise all three rulesets will be checked.

-- 
   [EMAIL PROTECTED] (Fuzzy Fox)      || "Nothing takes the taste out of peanut
sometimes known as David DeSimone  ||  butter quite like unrequited love."
  http://www.dallas.net/~fox/      ||                       -- Charlie Brown
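
The five-step traversal summarized in the message above, as an added Python model (not part of the original post and not kernel or ipfwadm code). The addresses, rule tuples and the `traverse` helper are constructed for illustration, and the address rewriting done by masquerading is not modeled.

```python
import ipaddress

# Constructed sample setup: a masq box with one inside and one outside address.
LOCAL_ADDRS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("203.0.113.1")}
CHAINS = {  # name -> (rules, default policy); rule = (action, source net, dest net)
    "INPUT": ([], "accept"),
    "FORWARD": ([("masq", "192.168.1.0/24", "0.0.0.0/0")], "deny"),
    "OUTPUT": ([], "accept"),
}

def first_match(rules, default, src, dst):
    """First matching rule wins; otherwise the ruleset's default policy applies."""
    for action, src_net, dst_net in rules:
        if src in ipaddress.ip_network(src_net) and dst in ipaddress.ip_network(dst_net):
            return action
    return default

def traverse(src, dst, chains=CHAINS, local_addrs=LOCAL_ADDRS, routable=True):
    """Return (fate, rulesets consulted) for one packet arriving at the box."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seen = ["INPUT"]                                   # step 1
    if first_match(*chains["INPUT"], src, dst) != "accept":
        return "dropped at INPUT", seen
    if dst in local_addrs:                             # step 2
        return "delivered locally", seen
    if not routable:                                   # step 3
        return "no route", seen
    seen.append("FORWARD")                             # step 4
    verdict = first_match(*chains["FORWARD"], src, dst)
    if verdict not in ("accept", "masq"):
        return "dropped at FORWARD", seen
    seen.append("OUTPUT")                              # step 5
    if first_match(*chains["OUTPUT"], src, dst) != "accept":
        return "dropped at OUTPUT", seen
    return ("forwarded (masqueraded)" if verdict == "masq" else "forwarded"), seen

if __name__ == "__main__":
    for s, d in [("198.51.100.7", "203.0.113.1"),    # telnet to the masq box itself
                 ("192.168.1.20", "198.51.100.7"),   # inside host going out
                 ("198.51.100.7", "192.168.1.20")]:  # outside host aimed at inside
        print(s, "->", d, traverse(s, d))
```

The third sample packet is the case asked about in the quoted question: it passes the INPUT ruleset and is then refused by the FORWARD ruleset.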