Fix typo in IPFW page and s/reassamble/reassemble/g
PR: 245396 Submitted by: wout@canodus.be
This commit is contained in:
parent 0cb77393f2
commit b29bc566a5
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=54041
1 changed files with 5 additions and 5 deletions
@ -2256,18 +2256,18 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
<para>The inbound <acronym>NAT</acronym> rule is inserted
<emphasis>after</emphasis> the two rules which allow all
traffic on the trusted and loopback interfaces and after the
reassamble rule but <emphasis>before</emphasis> the
reassemble rule but <emphasis>before</emphasis> the
<literal>check-state</literal> rule. It is important that the
rule number selected for this <acronym>NAT</acronym> rule, in
this example <literal>100</literal>, is higher than the first
three rules and lower than the <literal>check-state</literal>
rule. Furthermore, because of the behavior of in-kernel
<acronym>NAT</acronym> it is advised to place a reassamble
<acronym>NAT</acronym> it is advised to place a reassemble
rule just before the first <acronym>NAT</acronym> rule and
after the rules that allow traffic on trusted interface.
Normally, <acronym>IP</acronym> fragmentation should not
happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym>
tunneling traffic it might and the reassmabling of fragments
tunneling traffic it might and the reassembling of fragments
is necessary before handing the complete packet over to the
in-kernel <acronym>NAT</acronym> facility.</para>
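Review bot: the sentence beginning "Normally, IP fragmentation should not happen" still reads awkwardly after the spelling fix ("it might and the reassembling of fragments is necessary"); consider splitting it, e.g. "it might, and the fragments must be reassembled before the complete packet is handed to the in-kernel NAT facility." Also, `<acronym>IPSEC/ESP/GRE</acronym>` wraps three protocol names in one element; marking each up separately (`<acronym>IPSEC</acronym>`, `<acronym>ESP</acronym>`, `<acronym>GRE</acronym>`) would be consistent with the rest of the paragraph. The two corrections themselves (reassamble, reassmabling) are right and agree with the `reass` action name used in the example listing later in this file.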
@ -2275,7 +2275,7 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
<para>The reassemble rule was not needed with userland
&man.natd.8; because the internal workings of the
<application>IPFW</application> <literal>divert</literal>
action already takes care of reassambling packets before
action already takes care of reassembling packets before
delivery to the socket as also stated in &man.ipfw.8;.</para>
<para>The <acronym>NAT</acronym> instance and rule number used
@ -2287,7 +2287,7 @@ ipfw -q nat 1 config if $pif same_ports unreg_only reset</programlisting>
<programlisting>$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
$cmd 099 reass all from any to any in # reassamble inbound packets
$cmd 099 reass all from any to any in # reassemble inbound packets
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state</programlisting>
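Review bot: the corrected comment on rule 099 now matches the `reass` action, but the listing is inconsistent in how it names interfaces: rule 005 hard-codes `xl0` while rule 100 uses `$pif`. Since the prose above refers to the trusted interface generically, consider a variable for the LAN interface as well, so the example does not silently stop excluding LAN traffic when readers copy it onto a machine whose NIC has a different name. The rule ordering shown (005, 010, 099 reass, 100 nat, 101 check-state) does satisfy the constraints described in the first hunk: the NAT rule sits above the three allow/reass rules and below check-state.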