Subject: Re: ipf and ipnat and unrelated 1.4.2 Observations
To: None <tls@rek.tjls.com>
From: Steve <stevep@mccue.com>
List: port-i386
Date: 04/11/2000 15:34:46
Thanks!

That's fine.  I just wanted to know the architecture
so I can better plan a solution for my needs. It's
Unix, so there is ALWAYS a solution - it just takes
knowing the specifics first, then hitting the drawing
board for sneaky ways to do what needs to be done. =)

Thanks again,
Steve

----- Original Message ----- 
From: "Thor Lancelot Simon" <tls@rek.tjls.com>
To: "Steve" <stevep@mccue.com>
Cc: <port-i386@netbsd.org>
Sent: Tuesday, April 11, 2000 2:35 PM
Subject: Re: ipf and ipnat and unrelated 1.4.2 Observations


> On Tue, Apr 11, 2000 at 12:50:23PM -0700, Steve wrote:
> > Greetings, two things:
> > 
> > IPF/IPNAT-
> > Although not specifically port-i386 specific, is there
> > any documentation on ordering of ipf and ipnat ?
> > 
> > It appears ipnat is layered below ipf, such that
> > rdr's placed in ipnat bypass any blocks set in
> > ipf.  Is this the implemented architecture?
> 
> No.  NAT does run *first*, but IPF still sees the packets -- it just sees
> the addresses as rewritten by NAT.
> 
> No, this isn't obvious, but it's how it's always been and changing it would
> break a lot of people's NAT/IPF rules.
> 
>
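The practical consequence of the ordering Thor describes above (on inbound packets NAT rewrites the destination first, then ipf filters the rewritten packet) is that an ipf block rule has to name the address ipf actually sees, i.e. the post-rdr internal address. The fragments below are an added illustration, not configuration from this thread or from NetBSD; the interface name ne0 and all addresses are constructed placeholders.

```conf
# --- /etc/ipnat.conf (constructed example) ---
# Redirect inbound web traffic arriving on the external interface to an
# internal host. For inbound packets this rewrite runs BEFORE ipf, so ipf
# sees 192.168.1.10 as the destination, never 203.0.113.10.
rdr ne0 203.0.113.10/32 port 80 -> 192.168.1.10 port 80 tcp

# --- /etc/ipf.conf (constructed example) ---
# Does not do what it looks like: an rdr'ed packet already carries the
# destination 192.168.1.10 when ipf evaluates it, so this rule never matches
# and the rdr appears to "bypass" the block.
block in quick on ne0 proto tcp from any to 203.0.113.10 port = 80

# Correct: filter on the post-NAT address. Let only the trusted client net
# reach the redirected service and drop everything else. "quick" makes the
# first matching rule final; without it ipf applies the last match.
pass  in quick on ne0 proto tcp from 198.51.100.0/24 to 192.168.1.10 port = 80 keep state
block in quick on ne0 proto tcp from any to 192.168.1.10 port = 80
```

After loading both files (ipnat -CF -f /etc/ipnat.conf; ipf -Fa -f /etc/ipf.conf), ipnat -l and ipfstat -io show the rules in effect, and ipfstat -io hit counters make it easy to confirm that the rule naming the internal address is the one actually matching redirected connections.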