Re: FW: ipfw, natd and routing question

From: Crist Clark
Date: 06/11/01

Date: Mon, 11 Jun 2001 11:35:07 -0700
From: "Crist Clark" <>
To: Robin Huiser <>

Robin Huiser wrote:
> Hi all,
> I hope someone can help me with this problem I'm trying to solve. I think
> the answer is trivial, but so far I 'm stuck.
> Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:
> -- DMZ
> /
> \
> -- LAN
> -The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
> -The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
> -The LAN interface: connected to our LAN subnet, IP subnet
> I use NAT to 'route' traffic from the LAN to the Internet
> I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet
> So far, so good.
> But... how do I prevent the NAT to 'translate' the IP addresses when a
> session is set up from the DMZ segment to a host somewhere on the Internet?
> I want all traffic to be routed from the DMZ subnet to the Internet...
> I've tried to alter the natd rule, without any success.
> The rules I tried didn't work or had bad side effects, so I moved back to
> the standard natd rule, but everything gets NAT-ed now...
> Some examples I tried:
> #
> # The rule below works, but the it causes TCP/IP timeouts and a *very* slow
> # connection between the DMZ and EXT subnets...
> #
> ${fwcmd} add divert natd all from not x.x.242.48: to any
> via ${natd_interface}

This should really work. I do not understand why it would slow things
down. Is it having bad interactions with other rules? Traffic coming
out of your extranet does not go through natd(8). The return traffic
does go through natd(8), but since there is no entry in the NAT table
generated by outgoing traffic, the packets are not modified. Is your
NAT table _huge?_ I would expect other performance issues if this
rule made trouble because of that.

> #
> # The rule below doesn't work at all (?) Don't know why...
> #
> ${fwcmd} add divert natd all from to any via
> ${natd_interface}
> Please advise...

This one will not work since packets coming back from the Internet
do not get run through natd(8).

However, the easiest thing to do is probably to put all of your rules
that apply to traffic to and from your extranet _before_ the divert(4)
rule. Depending on performance issues, this approach may be good (most
of your traffic is from the extranet), bad (most traffic is from the
private network), or not matter (if your firewall machine is over-powered
for the job, who cares, go with what is easiest to administrate).

Crist J. Clark                                Network Security Engineer                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
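The ordering Crist suggests, as an added rc.firewall-style fragment that is not part of the original thread and not the poster's real ruleset: the DMZ pass rules are numbered ahead of the divert rule, so a DMZ packet crossing the external interface is accepted on first match and never reaches natd(8) in either direction, while LAN traffic falls through to the divert. Interface name and the 192.0.2.0/24 and 10.0.0.0/24 subnets are constructed placeholders; `fwcmd` defaults to `echo ipfw` so the script only prints the rules unless told to load them.

```shell
#!/bin/sh
# Added example, not code from the original thread. Constructed values:
ext_if="${ext_if:-fxp0}"              # assumed external interface name
ext_net="${ext_net:-192.0.2.32/28}"   # placeholder EXT subnet (RFC 5737)
dmz_net="${dmz_net:-192.0.2.48/28}"   # placeholder DMZ subnet (RFC 5737)
lan_net="${lan_net:-10.0.0.0/24}"     # placeholder LAN subnet (RFC 1918)

# Dry run by default: print the ipfw commands instead of loading them.
fwcmd="${fwcmd:-echo ipfw}"

build_rules() {
    # ipfw is first-match. Rules 100/110 accept DMZ traffic crossing the
    # external interface before the divert rule is ever consulted, so
    # neither the outgoing DMZ packet nor its reply is translated.
    # Rule 110 is where the site's existing Internet-to-DMZ policy belongs.
    ${fwcmd} add 100 pass all from "${dmz_net}" to any out via "${ext_if}"
    ${fwcmd} add 110 pass all from any to "${dmz_net}" in via "${ext_if}"

    # Everything else crossing the external interface (the LAN) goes to
    # natd; replies for NAT sessions come back through here as well.
    ${fwcmd} add 200 divert natd all from any to any via "${ext_if}"

    # Post-NAT policy for the private network, then the default deny.
    ${fwcmd} add 300 pass all from "${lan_net}" to any out via "${ext_if}"
    ${fwcmd} add 310 pass all from any to any established
    ${fwcmd} add 65000 deny log all from any to any
}

# Sanity check: every rule mentioning the DMZ subnet must be numbered
# (and therefore evaluated) before the divert rule. Returns 0 if so.
check_order() {
    rules=$( fwcmd="echo ipfw"; build_rules )
    divert_at=$(printf '%s\n' "$rules" | grep -nF 'divert natd' | head -1 | cut -d: -f1)
    last_dmz=$(printf '%s\n' "$rules" | grep -nF "${dmz_net}" | tail -1 | cut -d: -f1)
    [ -n "$divert_at" ] && [ -n "$last_dmz" ] && [ "$last_dmz" -lt "$divert_at" ]
}

case "${1:-}" in
    show) build_rules ;;                      # print the ruleset
    load) fwcmd=ipfw; build_rules ;;          # actually install it (needs root)
    check) check_order && echo "DMZ rules precede divert" ;;
esac
```

`sh rules.sh show` prints the ruleset for review and `sh rules.sh check` confirms the ordering before anything is loaded. Keep the DMZ pass rules narrower than `all` where the site's policy allows; the point of the example is only their position relative to rule 200.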