Problem with source based policy routing
Giuliano Gavazzi
dev+lists at humph.com
Mon Jul 6 16:53:47 UTC 2009
On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:
> I have one Internal Exchange server (don't laugh), and NAT handles
> the static mapping of IP/Port to that server. The original point
> here is to have two mapped NAT port 25's to the same internal Mail
> server, hence the addition of the NAT before and during the forward
> logic (obviously wrong though).
>
ah, if you want to have an internal server be reachable on both
public addresses, via the corresponding two firewall interfaces, you
must have a way to tell the firewall how to distinguish the return
packets in order to use the correct natd instance. If the internal
exchange server port is the same, there is no way of telling that. At
most you could use the peer port, but even that would not be
failproof, and I would not know how to proceed (I think dynamic rules
can only establish holes - allow action - in the firewall, not a fwd
action). So you must use two different ports or alias addresses on the
exchange server, and divert to the appropriate outgoing natd instance
on the basis of that.
I do not have enough time at the moment to write down a complete
workflow, but I hope this, with the remarks in my previous post, gives
you enough hints.
Giuliano
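As an added illustration of the layout Giuliano describes (not code from the thread or from the FreeBSD project): one natd instance per uplink, each mapping public port 25 to a different port on the mail server, with an ipfw `fwd` rule that routes replies from the second listener out through the second gateway before the matching natd rewrites them. All interface names, addresses and the second server port are assumptions.

```shell
# Added example, not from the original thread. Interfaces, addresses and
# the second listener port (2525) are assumptions; adjust to your site.
fwcmd="${fwcmd:-/sbin/ipfw}"       # set fwcmd=echo to dry-run the ruleset
natdcmd="${natdcmd:-/sbin/natd}"

ext_a=em0;  gw_a=203.0.113.1       # first uplink, holds the default route
ext_b=em1;  gw_b=198.51.100.1      # second uplink and its gateway
int_if=em2                          # LAN side
mail_srv=192.168.1.10               # internal Exchange server
srv_port_a=25                       # listener reached via public address A
srv_port_b=2525                     # second listener, reached via public address B
natd_a=8668; natd_b=8669            # divert ports, one natd instance per uplink

two_wan_mail_rules() {
    # One natd per uplink (-n picks the alias address from the interface).
    # Public port 25 on each side lands on a different server port, so the
    # server port alone tells the firewall which uplink a reply belongs to.
    $natdcmd -p $natd_a -n $ext_a -redirect_port tcp $mail_srv:$srv_port_a 25
    $natdcmd -p $natd_b -n $ext_b -redirect_port tcp $mail_srv:$srv_port_b 25

    $fwcmd -f flush
    # Inbound: un-NAT on whichever uplink the packet arrived on.
    $fwcmd add 100 divert $natd_a ip from any to any in via $ext_a
    $fwcmd add 110 divert $natd_b ip from any to any in via $ext_b
    # Replies from the second listener would otherwise follow the default
    # route out of $ext_a; hand them to gateway B as they enter from the LAN
    # (fwd needs the IPFIREWALL_FORWARD kernel option on older releases).
    $fwcmd add 200 fwd $gw_b tcp from $mail_srv $srv_port_b to any in via $int_if
    # Outbound: NAT on the exit interface the routing/fwd decision chose.
    $fwcmd add 300 divert $natd_a ip from any to any out via $ext_a
    $fwcmd add 310 divert $natd_b ip from any to any out via $ext_b
    # Only the two mail listeners are exposed; the rest of a real ruleset
    # (stateful allows for other traffic, final deny) is omitted here.
    $fwcmd add 400 allow tcp from any to $mail_srv $srv_port_a,$srv_port_b
    $fwcmd add 410 allow tcp from $mail_srv $srv_port_a,$srv_port_b to any
}
```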