Subject: Re: ipf rules for NAT with non-trusted private net
To: Daniel Eggert <danieleggert@mac.com>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: netbsd-help
Date: 11/19/2002 12:06:35
On Tue, Nov 19, 2002 at 12:16:14AM -0800, Daniel Eggert wrote:
> OK. Maybe it's just too simple, but I thought that if I block packets going in on my private network, nothing from the private network would be able to pass out to my ISP.

You can (should?) filter based on IP address. Block packets whose destination
address is one of your firewall addresses.


> Are NAT and routing done before IPF (and hence pass by those ipf.conf rules)?

NAT is done before. Routing is done between the in and out IPF rules.

> 
> Where would I find more info about how exactly IPNAT and IPF fit together? The 'standard' ipf documentation doesn't give much info about this.

Did you look at http://coombs.anu.edu.au/~avalon/ ?

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
     NetBSD: 23 years of experience will always make the difference
--
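
Added example, not part of the original message: one way to write the "block packets addressed to the firewall itself" advice as ipf.conf rules, with the matching ipnat.conf line. The interface names (ex0 outside, ex1 private), the 192.168.1.0/24 private net, and the firewall addresses 192.168.1.1 and 203.0.113.5 are all assumptions chosen for illustration.

```conf
# ---- /etc/ipf.conf (assumed layout: ex0 = ISP side, ex1 = untrusted private net) ----

# Refuse anything arriving from the private net that is addressed to the
# firewall itself. Both firewall addresses are listed, because a private
# host can just as well aim at the outside address.
block in quick on ex1 from any to 192.168.1.1/32
block in quick on ex1 from any to 203.0.113.5/32

# Drop packets on the private interface whose source is not a private-net address.
block in quick on ex1 from !192.168.1.0/24 to any

# Everything else from the private net may be forwarded; replies come back
# through the state table rather than through a wide-open "pass in" on ex0.
pass in quick on ex1 proto tcp  from 192.168.1.0/24 to any flags S keep state
pass in quick on ex1 proto udp  from 192.168.1.0/24 to any keep state
pass in quick on ex1 proto icmp from 192.168.1.0/24 to any keep state

# Default for the private interface: drop whatever did not match above.
block in on ex1 all

# ---- /etc/ipnat.conf ----
# Rewrite private sources to the address of ex0 on the way out.
map ex0 192.168.1.0/24 -> 0/32
```

With these rules the private hosts cannot reach services on the firewall at all, so anything they legitimately need from it (DHCP or DNS, for instance) needs its own narrow `pass in quick` rule placed above the two `block` lines.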