ipfw & natd

R2 R2 at infolinks.com.br
Wed Sep 22 06:59:20 PDT 2004


Cristian Ursuleanu wrote:

>you are right!
>
>but, I do some tests and it seems to work only when:
>net.inet.ip.fw.one_pass=0
>
>if net.inet.ip.fw.one_pass=0 then packets are reinjected into firewall ,
>and when net.inet.ip.fw.one_pass=1 are not.
>
>I use: FreeBSD 4.10 STABLE , and ipfw1.
>
>"net.inet.ip.fw.one_pass: 1
>	Forces a single pass through the firewall. If set to 0,
>	packets coming out of a pipe will be reinjected into the
>	firewall starting with the rule after the matching one.
>"
>
>
>On Mon, 20 Sep 2004, Jose Hidalgo Herrera wrote:
>
>  
>
>>You are right, but Tomas too!,
>>
>>what is missing here is:
>># sysctl -w net.inet.ip.fw.one_pass=1
>>
>>Use the divert first; with one_pass=1 the packet will
>>be reinjected and your fwd rule will work just fine.
>>
>>--- this will do
>> sysctl -w net.inet.ip.fw.one_pass=1
>>
>> natd -p 8668 -interface rl0
>> natd -p 8669 -interface rl1
>>
>> ipfw add 1000 divert 8668 all from any to any rl0
>> ipfw add 2000 divert 8669 all from any to any rl1
>> ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
>>---
>>--
>>Jose Hidalgo
>>PGP: 15524480
>>jose at hostarica.com
>>http://www.hostarica.com
>>
>>
>>
>>    
>>
>_______________________________________________
>freebsd-ipfw at freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>
>  
>
You can use this ipfw configuration to solve your problem:

# port-80 traffic leaving rl0 jumps over the rl0 NAT rule
ipfw add 100 skipto 2000 all from any to any 80 out xmit rl0
ipfw add 1000 divert natd all from any to any via rl0
# "natd2" must exist as a divert port name in /etc/services ("natd" is 8668 there by default)
ipfw add 2000 divert natd2 all from any to any via rl1
ipfw add 3000 fwd 5.6.7.9 all from 5.6.7.8 to any out xmit rl0

PS: The default route goes out the rl0 interface, and it is necessary to
forward all packets with source IP 5.6.7.8 to the next hop 5.6.7.9; this last
IP is a remote interface of your service provider.
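The whole thread turns on what happens to a packet after natd hands it back to ipfw. The following is an added example, not code from any of the posts: a small model of ipfw rule traversal, in the same `ipfw add ...` syntax the posts use, that replays the behaviour reported above (with one_pass=1 the reinjected packet is not run through the firewall again; with one_pass=0 it re-enters at the rule after the divert). natd is modelled as a rewrite of the outbound source address to the outside interface's address; the interface names, addresses, divert ports and the sample packet are assumptions constructed for the example. It also shows a related pitfall: a fwd rule placed after the divert that selects on the private (pre-NAT) source never matches, because natd has already rewritten the source, which is why the fwd rule must either come before the divert or select on the NATed address.

```python
"""Model of ipfw rule traversal around a divert/natd rule under both
settings of net.inet.ip.fw.one_pass (added example, not from the thread).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed /etc/services divert names and the public address natd puts on
# packets leaving each outside interface (constructed for the example).
DIVERT_PORTS = {"natd": 8668, "natd2": 8669}
NAT_ADDR = {8668: "5.6.7.8", 8669: "5.6.7.10"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str                  # "in" or "out"
    recv_if: Optional[str] = None
    xmit_if: Optional[str] = None
    next_hop: Optional[str] = None  # set by a matching fwd rule


@dataclass
class Rule:
    number: int
    action: str                     # allow, deny, divert, skipto, fwd
    arg: object
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    opts: dict


def parse_rule(line):
    """Parse one 'ipfw add N action [arg] proto from A to B [port] opts' line."""
    t = line.split()
    if t[0] == "ipfw":
        t = t[1:]
    if t[0] != "add":
        raise ValueError(f"not an add command: {line}")
    number, action, i, arg = int(t[1]), t[2], 3, None
    if action in ("divert", "skipto", "fwd"):
        arg, i = t[3], 4
        if action == "divert":
            arg = int(DIVERT_PORTS.get(arg, arg))   # name or numeric port
        elif action == "skipto":
            arg = int(arg)
    if t[i + 1] != "from" or t[i + 3] != "to":
        raise ValueError(f"bad address clause: {line}")
    proto, src, dst = t[i], t[i + 2], t[i + 4]
    i += 5
    dport = None
    if i < len(t) and t[i].isdigit():
        dport, i = int(t[i]), i + 1
    opts = {}
    while i < len(t):
        if t[i] in ("in", "out"):
            opts["dir"], i = t[i], i + 1
        else:                                       # via/xmit/recv <ifname>
            opts[t[i]], i = t[i + 1], i + 2
    return Rule(number, action, arg, proto, src, dst, dport, opts)


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    o = rule.opts
    return (rule.proto in ("all", "ip", pkt.proto)
            and _addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport)
            and ("dir" not in o or o["dir"] == pkt.direction)
            and ("via" not in o or o["via"] in (pkt.recv_if, pkt.xmit_if))
            and ("xmit" not in o or o["xmit"] == pkt.xmit_if)
            and ("recv" not in o or o["recv"] == pkt.recv_if))


def run(ruleset, pkt, one_pass):
    """Walk the ruleset; return (verdict, list of rule numbers that matched)."""
    rules = sorted((parse_rule(l) for l in ruleset), key=lambda r: r.number)
    trace, i = [], 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        trace.append(r.number)
        if r.action in ("allow", "deny"):
            return r.action, trace
        if r.action == "fwd":                        # fwd terminates the search
            pkt.next_hop = r.arg
            return "fwd", trace
        if r.action == "skipto":
            i = next((k for k, x in enumerate(rules) if x.number >= r.arg), len(rules))
            continue
        # divert: natd rewrites the source of an outbound packet and reinjects it
        if pkt.direction == "out":
            pkt.src = NAT_ADDR[r.arg]
        if one_pass:
            return "allow", trace                    # reinjected packet not re-examined
        i += 1                                       # one_pass=0: resume at the next rule
    return "deny", trace                             # default rule 65535


# Constructed ruleset: NAT on rl0, then policy-route the NATed traffic.
RULESET = [
    "ipfw add 1000 divert natd all from any to any via rl0",
    "ipfw add 2000 fwd 5.6.7.9 all from 5.6.7.8 to any out xmit rl0",
    "ipfw add 65000 allow all from any to any",
]


def lan_to_web(dport=80):
    """Constructed packet: LAN host 10.0.0.5 -> 1.2.3.4, in on ed0, out on rl0."""
    return Packet("10.0.0.5", "1.2.3.4", "tcp", dport, "out", recv_if="ed0", xmit_if="rl0")


if __name__ == "__main__":
    for one_pass in (1, 0):
        p = lan_to_web()
        print(f"one_pass={one_pass}: {run(RULESET, p, one_pass)} src={p.src} next_hop={p.next_hop}")
```

With one_pass=1 the trace stops at rule 1000 and `next_hop` stays unset; with one_pass=0 the packet continues to rule 2000 and is forwarded to 5.6.7.9. Replace rule 2000 with `fwd 5.6.7.9 tcp from 10.0.0.0/24 to any 80 out xmit rl0` and it falls through to 65000 even with one_pass=0, because the source is already 5.6.7.8 by then.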

