ipfw/divert ruleset implementation question

Michael Sierchio kudzu at tenebras.com
Wed Jul 9 09:30:52 PDT 2003


B F wrote:

> I'd like to come up with a ruleset that handles the following example.  
> Suppose I have a daemon listening on port 2000 and I'd like outside 
> clients to be able to communicate with the daemon by addressing traffic 
> to port 2000 or port 2001.  So,
> 
> suppose I have for my natd configuration:
>  -redirect_port tcp 1.2.3.4:2000 1.2.3.4:2001
> 
> And then in my ipfw ruleset, if I use:
>  add 100 divert natd tcp from any to 1.2.3.4 2001 in via rl0
>  add 101 divert natd tcp from 1.2.3.4 2000 to any out via rl0

What you are doing could simply be accomplished with

add 100 divert natd tcp from any to any via rl0

If for some reason you need separate rules for in/out packets,
give them the same rule number.

> It seems that traffic coming in normally to 1.2.3.4:2000 would enter 
> fine. ...

Why are you speculating?

> ....some sort of
> divert keep-state?

It's called 'natd' -- it keeps connection state.
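Putting the single divert rule suggested above into a complete ruleset, as an added example that is not from this thread. It assumes the poster's address 1.2.3.4, interface rl0 and natd flags; the rules file path and the allow/deny rules around the divert rule are my own additions.

```shell
#!/bin/sh
# Added example (not from the thread): a full ipfw ruleset around one
# "divert natd ... via rl0" rule, using the poster's 1.2.3.4 / rl0 / port values.
set -e

RULES=${RULES:-/tmp/ipfw.rules}   # constructed path; ipfw reads rules from a file

# natd does the 2001 -> 2000 mapping itself (the poster's flags); ipfw only
# has to hand it every TCP packet crossing rl0, in both directions.
start_natd() {
    natd -n rl0 -redirect_port tcp 1.2.3.4:2000 1.2.3.4:2001
}

write_rules() {
    cat > "$RULES" <<'EOF'
# One rule with "via" covers both directions, so no separate in/out pair.
# Packets natd writes back re-enter the ruleset at the rule after this one,
# already translated, so the rules below see port 2000, never 2001.
add 100 divert natd tcp from any to any via rl0
add 150 allow ip from any to any via lo0
# replies from the daemon (after natd rewrites 2000 back to 2001) have ACK set
add 200 allow tcp from any to any established
# new connections are only accepted to the daemon itself, post-translation
add 210 allow tcp from any to 1.2.3.4 2000 in via rl0 setup
add 220 deny log tcp from any to any in via rl0 setup
add 65000 deny log ip from any to any
EOF
}

# rule number of the divert rule, to confirm it precedes every allow rule
divert_rule_number() {
    awk '/divert natd/ {print $2; exit}' "$RULES"
}

first_allow_number() {
    awk '$3=="allow" {print $2; exit}' "$RULES"
}

apply_rules() {
    ipfw -q -f flush
    ipfw -q "$RULES"
}

write_rules
# only touch the live firewall on a host that actually has ipfw
if command -v ipfw >/dev/null 2>&1; then start_natd; apply_rules; fi
```

Checking that the divert rule number is lower than the first allow rule is the ordering that matters: an allow rule placed before rule 100 would let 2001 traffic through untranslated.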
