port forwarding and ipfw rules
Thomas Wolf
tw at wsf.at
Thu Mar 18 23:34:03 PST 2004
ktulu at net2000.com.au wrote:
>
> Basically, what I've done to try and add the other configuration to this box is
> as follows:
>
> 1. Add the aliased IP to fxp1:
> ifconfig fxp1 inet xxx.xxx.19.111 netmask 255.255.255.255 alias
>
> 2. Start the additional natd daemon:
> /sbin/natd -same_ports -use_sockets -port 8669 -alias_address xxx.xxx.19.111
> -redirect_port tcp xxx.xxx.19.102:443 xxx.xxx.19.111:443
>
> 3. Change the ipfw rules to allow this new configuration through. This is
> basically the same as the firewall rules above, but each entry is doubled, where
> ${ip} becomes ${fail_ip}. In addition to this, another rule is entered in the
> "natd_enable" section to divert the new natd:
> case ${natd_enable} in
> [Yy][Ee][Ss])
> if [ -n "${natd_interface}" ]; then
> ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
> ${fwcmd} add 50 divert ${fail_natd} all from any to any via ${natd_interface}
> fi
> ;;
> esac
>
>
> Once I've added this, this port forwarding on xxx.xxx.19.110 still works, but
> the port forwarding on the aliased IP (xxx.xxx.19.111) doesn't!
I think your second divert rule will never be reached because
natd re-inserts the packets at the next rule-no *higher* than
the rule which diverted (check the counters on rule 50). Perhaps
just changing the second divert rule to 55 will do the trick.
Thomas
--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
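To make the rule-ordering point concrete, here is a small added simulation (not code from the thread or from FreeBSD) of how packets walk an ipfw rule set when a divert rule re-inserts them at the first rule numbered strictly higher than the diverting one, as the reply describes. The natd port 8668 for the original instance, the rule numbers and the allow rule are assumed for the illustration.

```python
# Toy model of ipfw traversal with natd divert re-insertion, built to show why
# two "add 50 divert" rules leave the second natd instance unreachable.
# Assumption from the reply: after natd hands a packet back, matching resumes at
# the first rule whose number is strictly greater than the diverting rule's.

# natd port -> alias address it translates for (8668 assumed for the first natd)
NATD_ALIAS = {8668: "xxx.xxx.19.110", 8669: "xxx.xxx.19.111"}

# Rules as (number, action, natd_port); ties keep insertion order, like ipfw.
BROKEN_RULES = [(50, "divert", 8668),   # original natd
                (50, "divert", 8669),   # ${fail_natd}, same rule number
                (60, "allow", None)]    # assumed pass rule after NAT

FIXED_RULES = [(50, "divert", 8668),
               (55, "divert", 8669),    # renumbered as the reply suggests
               (60, "allow", None)]


def run_firewall(rules, dst_ip):
    """Return (final action, natd port that translated dst_ip or None)."""
    ordered = sorted(rules, key=lambda r: r[0])  # stable sort keeps tie order
    translated_by = None
    idx = 0
    while idx < len(ordered):
        number, action, natd_port = ordered[idx]
        if action == "divert":
            # natd only rewrites traffic addressed to its own alias address
            if NATD_ALIAS[natd_port] == dst_ip:
                translated_by = natd_port
            # re-insertion point: first rule numbered strictly higher than this one
            idx = next((i for i, r in enumerate(ordered) if r[0] > number),
                       len(ordered))
            continue
        return action, translated_by
    return "deny", translated_by


if __name__ == "__main__":
    for name, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        for ip in NATD_ALIAS.values():
            print(name, ip, run_firewall(rules, ip))
```

With the two rules both numbered 50, a packet for the aliased address skips the second divert and is never handed to the second natd; renumbering it to 55 puts it on the re-insertion path.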