From: Chuck Swiger <cswiger@mac.com>
Date: Tue, 16 Jan 2007 10:21:33 -0800
To: Tony Holmes
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Forwarding with Packet Rewriting
In-Reply-To: <20070116162113.GA29639@crosswinds.net>

On Jan 16, 2007, at 8:21 AM, Tony Holmes wrote:
> I have a freebsd 4.11 firewall with ipfw and divert/natd in it.
>
> All I want to do is rewrite packets destined to IP a.b.c.d 25 to
> IP a.b.c.e 25 and rewrite them on the way out. a.b.c.d and a.b.c.e
> are not on the local machines - but are on the local subnets.

If you are dealing with external connections to a.b.c.d which pass through the router running IPFW & natd, then you want to use the redirect_address directive (see "man natd"). If a.b.c isn't one of the RFC-1918 unroutable subnets, but a normal routable IP, you'll have to also toggle the unregistered_only option.

On the other hand, if you are trying to deal with subnet-local traffic which does not need to pass through the IPFW/natd router, then you'll need to use ICMP redirects to indicate that traffic to the old IP should go to the new IP (if you are not using the old IP anymore and no machine will go there until you fix whatever uses the old IP to use the new IP instead).

If you have machines at both a.b.c.d & a.b.c.e *and* a.b.c.d is not running anything on port 25, you can use SSH port forwarding, netcat, or something like the plug-gw port forwarding mechanisms to forward the traffic over.

If you have machines at both a.b.c.d & a.b.c.e and both are listening on port 25, and the traffic is local, then I don't know of any solution short of changing the callers to use the new IP.

-- 
-Chuck
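For the first case Chuck describes (connections to a.b.c.d that pass through the IPFW/natd router), here is an added example of the natd.conf and ipfw pieces involved; it is not from the thread, and it assumes fxp0 is the router's outside interface, a.b.c.d is the address clients connect to, and a.b.c.e is the host that should actually receive the traffic.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed values: fxp0 is
# the outside interface, a.b.c.d the address clients connect to, a.b.c.e the
# host that should really receive the traffic.

# Emit a natd.conf. redirect_address takes <localIP> <publicIP>: the real
# destination comes first and the address being rewritten second, which is
# the usual place people get the argument order wrong.
natd_conf() {
    oif=$1; target=$2; public=$3
    printf 'interface %s\n' "$oif"
    printf 'redirect_address %s %s\n' "$target" "$public"
    # To rewrite only port 25 rather than the whole address, natd's
    # port-scoped variant is:  redirect_port tcp a.b.c.e:25 a.b.c.d:25
}

# Emit the ipfw rule body that hands packets on the outside interface to
# natd. It must come before any rule that matches on a.b.c.d or a.b.c.e, and
# "via" catches both directions so replies are un-rewritten on the way out.
ipfw_divert_rule() {
    oif=$1; rulenum=${2:-100}
    printf 'add %s divert natd all from any to any via %s\n' "$rulenum" "$oif"
}

# Sanity check of the generated config: the public address must be the
# second field of the redirect_address line.
check_redirect() {
    natd_conf "$1" "$2" "$3" | grep -q "^redirect_address $2 $3\$"
}

# Apply only when explicitly asked (needs root and IPDIVERT in the kernel).
# rc.conf equivalents on 4.x: natd_enable="YES", natd_interface="fxp0",
# natd_flags="-f /etc/natd.conf".
if [ "${1:-}" = apply ]; then
    check_redirect fxp0 a.b.c.e a.b.c.d || exit 1
    natd_conf fxp0 a.b.c.e a.b.c.d > /etc/natd.conf
    ipfw -q $(ipfw_divert_rule fxp0 100)
    natd -f /etc/natd.conf
fi
```

Run with `apply` on the router itself; without the argument the script only defines the helpers so the generated lines can be inspected first.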