ipfw & natd
Thomas Wolf
tw at wsf.at
Mon Sep 20 11:02:47 PDT 2004
Jose Hidalgo Herrera <jose at hostarica.com> wrote:
> You are right, but Tomas too!,
>
> what is missing here is:
> # sysctl -w net.inet.ip.fw.one_pass=1
No, this sysctl is for dummynet only and does not affect natd.
Natd always re-injects packets into the firewall:
"After translation by natd, packets re-enter the firewall
at the rule number following the rule number that caused
the diversion" (man natd)
> Use the divert first, with one_pass=1 the packet will
> be reinjected and your fwd rule will work just fine.
>
> --- this will do
> sysctl -w net.inet.ip.fw.one_pass=1
>
> natd -p 8668 -interface rl0
> natd -p 8669 -interface rl1
>
> ipfw add 1000 divert 8668 all from any to any rl0
> ipfw add 2000 divert 8669 all from any to any rl1
> ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
> ---
No, this will not work, you should omit the 'from 10.0.0.0/24' part.
After being translated by natd, the packets coming from the LAN will
no longer have 10.0.0.0/24 as src-addr.
Thomas
--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
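A small model of the rule walk described above, added here as an example that is not part of this thread or of ipfw itself: a divert rule hands the packet to natd and re-enters the chain at the following rule with the translated packet, which is why a fwd rule that still matches on the LAN source never fires. Rule numbers, interfaces, the LAN prefix and the fwd target are taken from the thread; the public addresses for rl0/rl1 and the client/destination addresses are placeholders.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed sample values: the LAN prefix and fwd target are from the thread;
# the public addresses natd puts on rl0/rl1 are placeholders.
LAN_NET = ipaddress.ip_network("10.0.0.0/24")
PUBLIC_IP = {"rl0": "192.0.2.1", "rl1": "198.51.100.1"}

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    recv: str   # interface the packet arrived on
    xmit: str   # interface it is leaving on

def natd(pkt, iface):
    """Outbound translation by the natd started with '-interface <iface>':
    the source address becomes that interface's address."""
    return replace(pkt, src=PUBLIC_IP[iface])

def run_chain(rules, pkt):
    """Walk rules in number order. A matching divert hands the packet to natd
    and re-enters the chain at the rule after the divert (man natd); any other
    matching action ends processing."""
    for _num, action, arg, match in rules:
        if match(pkt):
            if action == "divert":
                pkt = natd(pkt, arg)   # keep going with the translated packet
            else:
                return f"{action} {arg}", pkt
    return "accept", pkt   # assume a default-accept ruleset

def fwd_with_lan_src(p):   # fwd ... tcp from 10.0.0.0/24 to any 80 out recv ed0
    return ipaddress.ip_address(p.src) in LAN_NET and p.dport == 80 and p.recv == "ed0"

def fwd_any_src(p):        # fwd ... tcp from any to any 80 out recv ed0
    return p.dport == 80 and p.recv == "ed0"

def chain(fwd_match):
    """Rules 1000/2000/2010 from the thread, with the fwd match swapped in."""
    return [(1000, "divert", "rl0", lambda p: "rl0" in (p.recv, p.xmit)),
            (2000, "divert", "rl1", lambda p: "rl1" in (p.recv, p.xmit)),
            (2010, "fwd", "5.6.7.8", fwd_match)]

# A LAN client on ed0 opening a web connection that leaves via rl0.
LAN_HTTP = Packet(src="10.0.0.5", dst="203.0.113.9", dport=80, recv="ed0", xmit="rl0")

if __name__ == "__main__":
    print(run_chain(chain(fwd_with_lan_src), LAN_HTTP))  # accept: src is now 192.0.2.1
    print(run_chain(chain(fwd_any_src), LAN_HTTP))       # fwd 5.6.7.8
```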
More information about the freebsd-ipfw mailing list