ipfw & natd

Thomas Wolf tw at wsf.at
Mon Sep 20 11:09:32 PDT 2004


Cristian Ursuleanu <cristi at debug.ro> wrote:

> 
> from ipfw manual:
> 
> "divert port
> 		     Divert packets that match this rule to the divert(4)
> 		     socket bound to port port.	 The search terminates.
> 						     -----------------
> "
 
Ah, ok, my statement was misleading. You're right, 'divert' does
not re-inject packets by itself - but 'natd' does.

Thomas

 
> On Mon, 20 Sep 2004, Thomas Wolf wrote:
> 
> >
> > Cristian Ursuleanu <cristi at debug.ro> wrote:
> >
> > >
> > >
> > > Hi,
> > >
> > > I have a problem with ipfw:
> > >
> > >
> > > (10.0.0.x)     (ed0)(10.0.0.1)(rl0)     (1.2.3.4)
> > > --LAN----------------FreeBSD--------------ISP_1
> > >                         |
> > >                         |(rl1)
> > >                         |
> > >                         |               (5.6.7.8)
> > >                         |_________________ISP_2
> > >
> > >
> > >
> > > the default route is 1.2.3.4
> > > ( $ route add -net 0.0.0.0 1.2.3.4 )
> > >
> > > I want to forward only port 80 from LAN to ISP_2 .
> > >
> > > I do:
> > > $ natd -p 8668 -interface rl0
> > > $ natd -p 8669 -interface rl1
> > >
> > > $ ipfw add 500 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80
> > > $ ipfw add 1000 divert 8668 all from any to any rl0
> > > $ ipfw add 2000 divert 8669 all from any to any rl1
> > >
> > > and it seems not to work.
> > > 'tcpdump' on rl1 shows connections from 10.0.0.2.3122 > WEB_SERVER.80, and
> > > it must be: 5.6.7.8 > WEB_SERVER.80
> > >
> > > the natd is missing.
> > >
> > > what is wrong?
> >
> > The 'fwd' action terminates the search through the ruleset, so
> > your rule 2000 will never match on outgoing packets to :80.
> > Try putting the 'fwd' statement after 2000 ('divert' re-injects
> > packets at the next rule), something like this:
> > add 2010 fwd 5.6.7.8 tcp from any to any 80 out recv ed0.
> >
> > Thomas
> >
> > --
> > Thomas Wolf
> > Wiener Software Fabrik
> > Dubas u. Wolf GMBH
> > 1050 Wien, Mittersteig 4
> >
> > _______________________________________________
> > freebsd-ipfw at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> >
>

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
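The ordering point made in the thread (the 'fwd' action terminates the rule search, so a 'fwd' placed before the 'divert' rule keeps the packet from ever reaching natd, whereas natd re-injects the translated packet at the rule after the 'divert') can be played through with a small model. This is an added example, not code from the thread or from FreeBSD; it models only the search semantics, not routing or interfaces, and as a stated assumption keys the ISP_2 natd divert rule on LAN traffic to port 80 and the ISP_1 natd divert rule on everything else.

```python
# Added example, not from the thread: a toy model of the ipfw rule search.
# Only ordering is modelled: 'fwd' and 'divert' both terminate the search,
# and the natd instance bound to a divert port rewrites the source address
# and re-injects the packet at the next rule. Routing and interfaces are not
# modelled (model assumption: ISP_2 natd rule = LAN->port 80, ISP_1 = rest).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List

Packet = Dict[str, object]
LAN = ip_network("10.0.0.0/24")
NATD = {8668: "1.2.3.4", 8669: "5.6.7.8"}  # divert port -> address natd aliases to

@dataclass
class Rule:
    number: int
    action: str                     # "fwd" or "divert"
    match: Callable[[Packet], bool]
    arg: object                     # fwd next hop or divert port

def run_ruleset(rules: List[Rule], pkt: Packet, start: int = 0) -> Packet:
    """Search rules in ascending order from `start`; return the packet as it leaves."""
    pkt = dict(pkt)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.number < start or not rule.match(pkt):
            continue
        if rule.action == "fwd":
            pkt["next_hop"] = rule.arg  # the search terminates here
            return pkt
        if rule.action == "divert":      # the search terminates here too, but
            pkt["src"] = NATD[rule.arg]  # natd rewrites the source ...
            return run_ruleset(rules, pkt, rule.number + 1)  # ... and re-injects
    pkt.setdefault("next_hop", "1.2.3.4")  # no fwd matched: default route via ISP_1
    return pkt

def lan_web(p: Packet) -> bool:   # "tcp from 10.0.0.0/24 to any 80"
    return p["proto"] == "tcp" and ip_address(p["src"]) in LAN and p["dport"] == 80
def any_web(p: Packet) -> bool:   # "tcp from any to any 80": still matches after NAT
    return p["proto"] == "tcp" and p["dport"] == 80

ISP1_NAT = Rule(1000, "divert", lambda p: not lan_web(p), 8668)
ISP2_NAT = Rule(2000, "divert", lan_web, 8669)
ORIGINAL = [Rule(500, "fwd", lan_web, "5.6.7.8"), ISP1_NAT, ISP2_NAT]   # the poster's order
CORRECTED = [ISP1_NAT, ISP2_NAT, Rule(2010, "fwd", any_web, "5.6.7.8")]  # fwd after divert

def outgoing(rules: List[Rule], dport: int = 80) -> Packet:
    """Send one constructed LAN packet (10.0.0.2:3122 -> WEB_SERVER:dport) through `rules`."""
    return run_ruleset(rules, {"proto": "tcp", "src": "10.0.0.2", "sport": 3122,
                               "dst": "WEB_SERVER", "dport": dport})
```

With ORIGINAL the port-80 packet leaves with source 10.0.0.2 (the tcpdump symptom); with CORRECTED it is translated to 5.6.7.8 first and then forwarded, which is also why the later 'fwd' rule has to say "from any" rather than "from 10.0.0.0/24".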


