On Thu, 24 Sep 1998, Eric J. Schwertfeger wrote:
> I've got two FreeBSD machines, one 2.2.7-RELEASE and one
> 2.2.7-19980828-SNAP. The latter machine is a firewall with natd running
> on it. Without configuring natd, we can establish encrypted
> communications to our hearts' content.
>
> However, as soon as we insert the ipfw divert rule for natd, things go
> south fast. Basically, we've tried various configurations, and we can get
> one or the other to work, but not both. Even a two-rule rc.firewall
> consisting of just the divert rule and a pass all rule kills SKIP if the
> divert comes first.
I've narrowed the problem down. Basically, because natd is reinserting the
unencrypted packet into the device (queue?), skip can't tell that it's a
packet that it has already decrypted, so it rejects the packet because it
thinks that the given packet was never encrypted and is coming from a
host that requires encryption.
Also, is anyone seeing this? I didn't get any replies, and haven't seen
any other traffic on this list since subscribing.
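To make the interaction described in the message concrete, the following is an added model of the inbound packet path; it is not code from the original post, nor from FreeBSD, natd or SKIP. The addresses, the NAT redirect, the "ENC:" payload prefix and the in-kernel "already decrypted" mark are all assumptions chosen to illustrate the mechanism: the packet leaves the kernel through the divert socket, natd writes back a freshly built packet, the mark is gone, and the SKIP input hook applies its per-host policy to what now looks like cleartext from a peer that must encrypt.

```python
# Added model of the natd/SKIP interaction (constructed example, not FreeBSD code).
from dataclasses import dataclass, replace

# Assumed addresses for the model.
ENCRYPTING_PEER = "192.0.2.10"    # SKIP policy: traffic from here must be encrypted
PLAIN_PEER = "203.0.113.7"        # no SKIP policy for this host
FIREWALL_OUTSIDE = "198.51.100.1"
INSIDE_HOST = "10.0.0.5"

REQUIRE_ENCRYPTION = {ENCRYPTING_PEER}
# Assumed static redirect natd applies: outside:8080 -> inside:80
NAT_TABLE = {(FIREWALL_OUTSIDE, 8080): (INSIDE_HOST, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: str
    encrypted: bool = False
    # Kernel-only mark: SKIP sets it on packets it has just decrypted so that its
    # own output is not mistaken for policy-violating cleartext. It never leaves
    # the kernel, so a packet natd rebuilds in userland starts without it.
    skip_decrypted: bool = False


def skip_input(pkt):
    """Modelled SKIP input hook: decrypt, or enforce the per-host policy."""
    if pkt.encrypted:
        clear = pkt.payload[len("ENC:"):] if pkt.payload.startswith("ENC:") else pkt.payload
        return replace(pkt, payload=clear, encrypted=False, skip_decrypted=True), "skip: decrypted"
    if pkt.src in REQUIRE_ENCRYPTION and not pkt.skip_decrypted:
        return None, "skip: rejected cleartext from host that requires encryption"
    return pkt, "skip: passed"


def natd(pkt):
    """Modelled natd: read the packet from the divert socket, rewrite, write it back."""
    inside = NAT_TABLE.get((pkt.dst, pkt.dport))
    if inside is None:
        return pkt
    # Userland constructs a new packet; the kernel-only mark is not carried over.
    return Packet(pkt.src, inside[0], inside[1], pkt.payload)


def process_inbound(pkt, rules):
    """Run one packet through the modelled input path: SKIP hook, then ipfw rules.

    rules is an ordered list of 'divert', 'pass' or 'deny'. A diverted packet is
    re-injected at the top of the input path, so SKIP sees it a second time,
    while ipfw resumes at the rule after the divert (as the real divert does).
    Returns (packet or None, decision log)."""
    log = []
    resume_at = 0
    while True:
        pkt, msg = skip_input(pkt)
        log.append(msg)
        if pkt is None:
            return None, log
        for i in range(resume_at, len(rules)):
            rule = rules[i]
            if rule == "pass":
                log.append("ipfw: pass")
                return pkt, log
            if rule == "deny":
                log.append("ipfw: deny")
                return None, log
            if rule == "divert":
                log.append("ipfw: divert -> natd")
                pkt = natd(pkt)
                resume_at = i + 1
                break  # re-enter the input path with the re-injected packet
        else:
            log.append("ipfw: end of rules (default deny)")
            return None, log


if __name__ == "__main__":
    enc = Packet(ENCRYPTING_PEER, FIREWALL_OUTSIDE, 8080, "ENC:hello", encrypted=True)
    plain = Packet(PLAIN_PEER, FIREWALL_OUTSIDE, 8080, "hello")
    for name, p, rules in [("SKIP only", enc, ["pass"]),
                           ("natd only", plain, ["divert", "pass"]),
                           ("SKIP + natd", enc, ["divert", "pass"])]:
        result, log = process_inbound(p, rules)
        print(f"{name}: {'delivered to ' + result.dst if result else 'dropped'}; {log}")
```

Run on its own it prints the three cases from the thread: encryption without natd works, natd without encryption works, and the combination is dropped on the second pass through the SKIP hook. The design point is general: any policy check keyed on state that lives only in the kernel packet header (a "decrypted" or "verified" mark) is silently reset when a userland process re-injects the packet, so such checks must either recognise re-injected packets or be placed after the re-injection point.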