tricking myself w/ multihoming

Brian Reichert reichert at numachi.com
Tue Mar 23 12:49:30 PST 2004


I think I'm badly misunderstanding the interaction of ipfw and natd
and routing in general.

I have a multihomed box:

rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        inet 198.175.254.11 netmask 0xffffff00 broadcast 198.175.254.255
        inet 198.175.254.8 netmask 0xffffffff broadcast 198.175.254.8
        ether 00:30:bd:21:e5:e9
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 24.147.155.114 netmask 0xfffff800 broadcast 255.255.255.255
        ether 00:50:ba:8b:64:77
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

The rl1 interface has natd associated with it, and it behaves as expected.

The default route is also on rl1:

  # netstat -rn | grep default
  default            24.147.152.1       UGSc      231   273474    rl1

So far, things are as I wanted, and they've been this way for years.
I can get to this box from my LAN just fine, and NAT works just
fine, and any TCP tunnels on rl1 I've opened up work fine.

I've gotten it in my head that I want to run a mail server on this box,
publicly available via either interface via 198.175.254.8.

I've modified my firewall rules on this box slightly:

  00040 fwd 198.175.254.1 tcp from 198.175.254.8 to any 25
  00050 divert 8668 ip from any to any via rl1
  00100 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  00300 deny ip from 127.0.0.0/8 to any
  65000 allow ip from any to any
  65535 deny ip from any to any

(198.175.254.1 is my gateway for the public block.)

This setup lets outgoing SMTP transactions go out my public block.

But, seemingly, it does not allow incoming SMTP sessions to occur.

Tcpdump on this box shows me the incoming packets coming to
198.175.254.8, but I'm not seeing these replies to these packets
going out at all, much less to 198.175.254.1.

Does anyone have any pointers?  Do I need to run the mail server
in a jail with a separate default route?  Is there some other trick
I could/should be considering?

-- 
Brian Reichert				<reichert at numachi.com>
37 Crystal Ave. #303			Daytime number: (603) 434-6842
Derry NH 03038-1713 USA			BSD admin/developer at large	
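The rule set and routes quoted in the post, walked through by a toy first-match evaluator. This is an added illustration, not code from the post or from FreeBSD: it models only what the post needs (address and port matching, `via <iface>` matching on the interface a packet would leave on, and the ipfw convention that `to any 25` means destination port 25). It assumes, from the post's netstat output, that 198.175.254.0/24 is directly reachable on rl0 and everything else takes the default route out rl1; the two sample packets (a connection the box opens to a remote port 25, and the box's own reply to an inbound session, which carries source port 25 and an ephemeral destination port) are constructed. Running it shows which rule each packet hits: the outgoing connection reaches rule 00040, while the reply falls through to rule 00050.

```python
"""Toy first-match evaluator for the ipfw rules quoted in the post.

Assumptions (not from FreeBSD's real ipfw): only src/dst address, dst port,
protocol and 'via <iface>' are matched; the egress interface is the one the
routing in the post would pick before any fwd rule is applied.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Routing from the post: the public /24 sits on rl0, default route is rl1.
ROUTES = [
    (ipaddress.ip_network("198.175.254.0/24"), "rl0"),
    (ipaddress.ip_network("0.0.0.0/0"), "rl1"),
]


def egress_iface(dst):
    """Longest-prefix route lookup over ROUTES."""
    addr = ipaddress.ip_address(dst)
    for net, iface in sorted(ROUTES, key=lambda r: -r[0].prefixlen):
        if addr in net:
            return iface
    raise ValueError("no route for %s" % dst)


# The firewall rules from the post as (number, action, proto, src, dst, dport, via).
# None means "any"; proto "ip" matches every protocol.
RULES = [
    (40, "fwd 198.175.254.1", "tcp", "198.175.254.8", None, 25, None),
    (50, "divert 8668", "ip", None, None, None, "rl1"),
    (100, "allow", "ip", None, None, None, "lo0"),
    (200, "deny", "ip", None, "127.0.0.0/8", None, None),
    (300, "deny", "ip", "127.0.0.0/8", None, None, None),
    (65000, "allow", "ip", None, None, None, None),
    (65535, "deny", "ip", None, None, None, None),
]


def _addr_match(spec, addr):
    if spec is None:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def first_match(pkt, iface):
    """Return (rule_number, action) of the first rule matching an outbound packet."""
    for num, action, proto, src, dst, dport, via in RULES:
        if proto != "ip" and proto != pkt.proto:
            continue
        if not _addr_match(src, pkt.src) or not _addr_match(dst, pkt.dst):
            continue
        if dport is not None and pkt.dport != dport:
            continue
        if via is not None and via != iface:
            continue
        return num, action
    raise AssertionError("unreachable: rule 65535 matches everything")


def trace_outbound(pkt):
    """Route the packet, then run it through the rules; report what it hit."""
    iface = egress_iface(pkt.dst)
    num, action = first_match(pkt, iface)
    return {"egress": iface, "rule": num, "action": action}


# Constructed sample packets (203.0.113.10 is a documentation address).
OUTGOING_SMTP = Packet("198.175.254.8", 49152, "203.0.113.10", 25)    # box opens a session to a remote MX
REPLY_TO_INBOUND = Packet("198.175.254.8", 25, "203.0.113.10", 49153)  # box answers a remote client

if __name__ == "__main__":
    for label, p in (("outgoing SMTP", OUTGOING_SMTP), ("reply to inbound SMTP", REPLY_TO_INBOUND)):
        print(label, trace_outbound(p))
```

The point the trace makes is that rule 00040 keys on the destination port, so only sessions the box originates are forwarded to 198.175.254.1; packets the listener sends back carry port 25 as their source and are evaluated against the remaining rules on whatever interface the default route selects.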