port forwarding and ip-less firewall

[Nathan Kinkade]

On Wed, Feb 25, 2004 at 05:19:35PM +0800, Edison Cala  wrote:
> hello list!
> 
> i want to ask some help on port forwarding in a bridge-firewall
> network.
> 
> our network setup is:
> 
> 1. the router is outside the firewall, direct to the internet.
> 2. the bridge-firewall computer (2 ethernet cards installed, eth0 -
> outside (router), eth1 - protected network) is between the router and
> the protected network.
> 
> all the servers are behind the firewall and only opened the allowed
> ports. i have 2 mail servers (unit1.domain.com and unit2.domain.com)
> running on the protected network, unit1.domain.com is just an smtp
> relay for unit2.domain.com and its working fine. however, i want to
> put a rule (port forward) in firewall to forward request destined to
> unit2.domain.com (port 25), but that request should be first passed to
> unit1.domain.com (for antispam processing) before unit2. unit1 should
> then be the one to forward the request to unit2.domain.com.
> 
> why i want to do this is that, some mails are getting through and
> received at unit2 without passing to unit1. in mx, unit1 is the 1st
> prio and unit2 is 2nd prio only.
> 
> please help and give an idea on port forwarding rules between two
> servers within the protected network.
> 
> thank you!
> 
> edison cala

I think this would normally be handled using a 'fwd' rule (man ipfw),
but the manpage specifically states:

"A fwd rule will not match layer-2 packets (those received on
ether_input, ether_output, or bridged)."

So, I'm not sure how you could implement this when using ipfw on a
bridged interface.

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20040225/79fda45a/attachment.bin