 From:  Manuel Kasper <mk at neon1 dot net>
 To:  Molle Bestefich <molle dot bestefich at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: Can't NAT on m0n0wall.
 Date:  Thu, 22 Jun 2006 21:18:21 +0200
On 22.06.06 20:46 +0200, Molle Bestefich wrote:

> I hope it's not me you're trying to help with that? :-D

I think Anders was indeed trying to help you with that picture -
you've given us enough evidence of being confused by the interaction
of NAT and filtering in m0n0wall.

And no, m0n0wall doesn't have problems with doing normal
destination-based routing on NATed packets, and it doesn't support
source-based routing anyway.

> It doesn't show anything about how NAT works in m0n0wall, aside

Yes it does - now you'd only have to add the traffic shaper as an
additional shell between the filter and the kernel, and you'd have a
nice and simple diagram that illustrates what happens to packets as
they pass in or out of m0n0wall's WAN interface.

>> Almost every firewall and router works in this way.
> And?

You said that you thought the current scheme (in m0n0wall) was "an
unnecessarily complicated solution". However, you didn't explain how,
in your opinion, it could be simplified. I don't see how it could, or
how m0n0wall could be improved with respect to the NAT/firewall
processing order. In my opinion, it's perfectly reasonable and
intuitive the way it is now, and people rarely have issues with it.

- Manuel