From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 30 11:08:23 2007
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 30 Jul 2007 11:08:22 GMT
Message-Id: <200707301108.l6UB8LvV040636@freefall.freebsd.org>
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/95084   ipfw       [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/103454  ipfw       [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534  ipfw       [ipfw] [panic] ipfw + dummynet
o kern/112708  ipfw       ipfw is seems to be broken to limit number of connecti

13 problems total.

Non-critical problems

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159   ipfw       [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o bin/50749    ipfw       [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276   ipfw       [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785    ipfw       [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724   ipfw       [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/103328  ipfw       [ipfw] sugestions about ipfw table
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/111713  ipfw       [dummynet] Too few dummynet queue slots
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci

24 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 06:23:14 2007
From: Danny Carroll <danny@dannysplace.net>
To: freebsd-ipfw@freebsd.org
Date: Thu, 02 Aug 2007 15:51:44 +1000
Message-ID: <46B170F0.3020702@dannysplace.net>
Subject: IPFW Mac filter confusion.

Hello,

I am trying to deny traffic based on MAC address. My freebsd (6.2) box is
acting as a gateway. The wireless clients connect on ath0 and the wired
network is connected on fxp0. Default route is via fxp0 to the internet
gateway.

Arp table is:

freebsd# arp -a
? (10.0.249.254) at 00:12:6f:11:22:25 on ath0 [ethernet]
? (192.168.10.1) at 00:02:e2:d0:6b:a1 on fxp0 [ethernet]

192.168.10.1 is the gateway and 10.0.249.254 is the host I wish to prohibit.

Here are my rules.

freebsd# ipfw list
00050 deny ip from any to any MAC 00:12:6f:11:22:25 any
00050 deny ip from any to any MAC any 00:12:6f:11:22:25
65535 allow ip from any to any

If I add rules such as:

00050 deny ip from 10.0.249.254 to any
00050 deny ip from any to 10.0.249.254

Then the firewall works as I would expect.

I think I must be misunderstanding how the MAC option to ipfw works. The
man page is not terribly helpful so I was wondering if someone can
enlighten me.
-Danny

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 07:41:01 2007
From: "Andrey V. Elsukov" <bu7cher@yandex.ru>
To: Danny Carroll <danny@dannysplace.net>
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 02 Aug 2007 11:26:47 +0400
Message-ID: <46B18737.5070102@yandex.ru>
In-Reply-To: <46B170F0.3020702@dannysplace.net>
Subject: Re: IPFW Mac filter confusion.

Danny Carroll wrote:
> I think I must be misunderstanding how the MAC option to ipfw works.
> The man page is not terribly helpful so I was wondering if someone can
> enlighten me.

From ipfw(8):

    net.link.ether.ipfw: 0
        Controls whether layer-2 packets are passed to ipfw. Default is no.

Do you change this option to 1?

-- 
WBR, Andrey V. Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 12:47:47 2007
From: Danny Carroll <danny@dannysplace.net>
Cc: freebsd-ipfw@freebsd.org
Date: Thu, 02 Aug 2007 22:47:29 +1000
Message-ID: <46B1D261.4050907@dannysplace.net>
In-Reply-To: <46B18737.5070102@yandex.ru>
Subject: Re: IPFW Mac filter confusion.

Andrey V. Elsukov wrote:
> From ipfw(8):
>     net.link.ether.ipfw: 0
>         Controls whether layer-2 packets are passed to ipfw. Default is no.
>
> Do you change this option to 1?

Missed that bit. I did not read the packet flow part, just the format of
the MAC option. It is now enabled and working as described...

-D

From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 18:51:57 2007
From: Gabriele Cecchetti <gabriele@sssup.it>
To: freebsd-ipfw@freebsd.org, Luigi Rizzo
Date: Thu, 02 Aug 2007 19:51:53 +0200
Message-ID: <46B219B9.2060706@sssup.it>
Subject: ipfw natd and carp for redundant server

Hi!

I had setup the following network:

                      |- ServerF2 (if_wan0: x.y.z.2)
   Internet_Router ---|                               (if_carp0: x.y.z.6)
                      |- ServerF3 (if_wan0: x.y.z.3)
                            |
                            |------ ServerG (if_lan0: 10.30.3.x)

Server F2 and F3 have a carp interface configured for (high) availability,
with address x.y.z.6. Server F2 and F3 have a Web server which listens on
port 80. I need to reach some services of an internal server from the
outside network (e.g. ssh, cvs, etc.)
What I have done in /etc/ipfw.rules: (It is not a secure configuration!
Just to test what I need!)

# flush
#
# Setup loopback
#
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
#
# Allow important services through unmodified address and ports
#
add 900 allow tcp from any to any 80,443
#
# Divert
#
add 1100 divert natd ip4 from any to any via wan0
#
# Default: allow everything
#
add 65000 allow ip from any to any

and for /etc/natd.conf

#
interface wan0
same_ports
use_sockets
log
#
# Server G
#
redirect_port tcp 10.30.3.4:22 44022
redirect_port tcp 10.30.3.4:993 44993
redirect_port tcp 10.30.3.4:2401 2401
redirect_port tcp 10.30.3.4:9418 9418
######################################

With this configuration I reach the serverG from Internet just if I use
the address x.y.z.2 (or x.y.z.3 which is a clone of the .2 machine).
I would like to reach the serverG with the address x.y.z.6 which is the
common redundant address.

Any idea or suggestion?
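For the MAC filter thread earlier on this page (Danny Carroll's question and Andrey V. Elsukov's answer), here is the working configuration written out by the editor; it is an added example, not text posted by either of them. It shows the sysctl that makes ipfw see Ethernet frames at all, which is the whole fix from the thread, plus two details the thread does not spell out: the MAC option takes the destination address before the source, and the `layer2` keyword keeps a rule on the Ethernet pass only. The interface names and the MAC address are Danny's; the rule numbers and the use of a rules file are the editor's assumptions.

```conf
# Before (Danny's first attempt). With the sysctl at its default, ipfw is
# only invoked at layer 3, where there is no Ethernet header for the MAC
# option to compare against, so neither deny rule ever matches and the
# packet reaches 65535 allow.
#   net.link.ether.ipfw=0
#   00050 deny ip from any to any MAC 00:12:6f:11:22:25 any
#   00050 deny ip from any to any MAC any 00:12:6f:11:22:25
#   65535 allow ip from any to any

# After. /etc/sysctl.conf (or "sysctl net.link.ether.ipfw=1" on the running
# kernel): hand Ethernet frames to ipfw as well as IP packets.
net.link.ether.ipfw=1

# /etc/ipfw.rules, loaded with "ipfw -q -f /etc/ipfw.rules".
# The MAC option is "MAC dst-mac src-mac": destination first, then source.
# Rule 50 therefore catches frames going TO the wireless host and rule 51
# frames coming FROM it. Once the sysctl is on, each frame traverses the
# rule set twice (once as an Ethernet frame, once again as an IP packet);
# "layer2" restricts these rules to the pass where the MAC header exists,
# so the counters reflect frames rather than frames plus packets.
# Numbering them 50 and 51 instead of Danny's duplicate 50 is only so that
# "ipfw -a list" shows a separate counter per direction.
add 50 deny ip from any to any MAC 00:12:6f:11:22:25 any layer2
add 51 deny ip from any to any MAC any 00:12:6f:11:22:25 layer2

# Danny's default rule stays as it was:
#   65535 allow ip from any to any
```

Confirm it with `sysctl net.link.ether.ipfw` (must print 1) and `ipfw -a list` while the wireless host tries to send: the packet counters on rules 50 and 51 should climb. Two caveats a practitioner would want. First, Danny's default rule is allow; on a kernel built to deny by default, flipping this sysctl also puts every Ethernet frame, ARP included, in front of that deny, so add explicit `layer2` allow rules for the frames you still need before turning it on. Second, a MAC address is whatever the client chooses to put on the wire, so this blocks a misbehaving device, not an attacker; on the wireless side, access control belongs in the WPA configuration of ath0, with the ipfw rule as a convenience on top.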
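Gabriele Cecchetti's question above got no answer on this page. The following is a suggestion added by the editor, not a reply from the list and not tested on this setup. It rests on two documented natd(8) features: `interface wan0` makes natd alias to wan0's own address (x.y.z.2 on one box, x.y.z.3 on the other), which is why the redirects only answer on those addresses, whereas `alias_address` lets the shared CARP address be the aliasing address, and `redirect_port` accepts an explicit alias IP in front of the alias port. The interface name carp0 comes from Gabriele's diagram; the second divert rule is an assumption to verify with counters, not a known requirement.

```conf
# /etc/natd.conf, identical on F2 and F3. "alias_address" replaces
# "interface wan0": the CARP address becomes the aliasing address, so
# outbound NAT and the redirects are bound to x.y.z.6 whichever box is
# currently master, instead of to each box's own wan0 address.
alias_address x.y.z.6
same_ports
use_sockets
log
#
# Server G. The alias IP is spelled out on each line so the mapping is
# x.y.z.6:44022 -> 10.30.3.4:22 and so on, and does not depend on which
# address natd happened to pick up.
redirect_port tcp 10.30.3.4:22   x.y.z.6:44022
redirect_port tcp 10.30.3.4:993  x.y.z.6:44993
redirect_port tcp 10.30.3.4:2401 x.y.z.6:2401
redirect_port tcp 10.30.3.4:9418 x.y.z.6:9418

# /etc/ipfw.rules: Gabriele's divert rule, plus one for carp0. Assumption to
# check on this FreeBSD release: packets addressed to a carp(4) address may
# be attributed to carp0 rather than wan0, in which case "via wan0" alone
# never diverts them. A packet is diverted once either way, because after
# natd re-injects it evaluation resumes at the following rule, and a packet
# that matched "via wan0" does not also match "via carp0".
add 1100 divert natd ip4 from any to any via wan0
add 1101 divert natd ip4 from any to any via carp0
```

To see which rule (if any) is doing the work, open a connection to x.y.z.6:44022 from outside and watch `ipfw -a list`; with `log` in natd.conf, /var/log/alias.log shows the redirect natd applied. One limitation no configuration removes: natd keeps its translation table in the process on the current master and has no state synchronisation, so on CARP failover the new master has an empty table and existing NAT sessions through x.y.z.6 break; only new connections survive. If that matters, the redundant pair needs a NAT engine with state sync, which natd is not.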
From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 23:34:07 2007
From: "Rudy Setiawan" <rudal999@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Thu, 2 Aug 2007 16:06:51 -0700
Message-ID: <8b24e4de0708021606h5bbee266xb3a4814962d26643@mail.gmail.com>
Subject: redirect traffic based on destination port to another interface

Hi,

I am trying to do a traffic redirection based on destination port to
another interface/gateway.
Currently, I have a freebsd box that does simple NAT and an Internet connection.
I am planning to install another internet connection and use the same
box to do some traffic redirection.

INTERNET1 -------- freebsd box ------- INTERNET2
                        |
                        |
                Local Area Network

LAN = 192.168.10.0/24 with interface em0
INTERNET1-GW = x.x.x.1 with em1
INTERNET2-GW = y.y.y.1 with rl0

My goal is to redirect any ssh traffic to INTERNET2-GW and I assume
that if it can be redirected through INTERNET2-GW then the packets
return will go through INTERNET2-GW also.

Is it possible to do that way with ipfw or natd?

Thank you

Regards,
Rudy
--
+++++++++
http://foodblog.rudal.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 3 01:14:38 2007
From: Julian Elischer <julian@elischer.org>
To: Rudy Setiawan <rudal999@gmail.com>
Date: Thu, 02 Aug 2007 18:14:36 -0700
Message-ID: <46B2817C.6010609@elischer.org>
References: <8b24e4de0708021606h5bbee266xb3a4814962d26643@mail.gmail.com>
In-Reply-To: <8b24e4de0708021606h5bbee266xb3a4814962d26643@mail.gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: redirect traffic based on destination port to another interface

Rudy Setiawan wrote:
> Hi,
>
> I am trying to do a traffic redirection based on destination port to
> another interface/gateway.
> Currently, I have a freebsd box that does simple NAT and an Internet connection.
> I am planning to install another internet connection and use the same
> box to do some traffic redirection.
>
>
> INTERNET1 -------- freebsd box ------- INTERNET2
>                         |
>                         |
>                 Local Area Network
>
> LAN = 192.168.10.0/24 with interface em0
> INTERNET1-GW = x.x.x.1 with em1
> INTERNET2-GW = y.y.y.1 with rl0
>
> My goal is to redirect any ssh traffic to INTERNET2-GW and I assume
> that if it can be redirected through INTERNET2-GW then the packets
> return will go through INTERNET2-GW also.
>

no, unless you first NAT the packets with the address of that interface.
(otherwise the packets will come back through your primary network).
if you have cheap dlink or linksys or whatever DSL routers or whatever with NAT
on them then you can use that successfully and just use ipfw 'fwd' rules to
select the interface to use.

> Is it possible to do that way with ipfw or natd?

yes but you need both forwarding and nat..
>
> Thank you
>
> Regards,
> Rudy
>

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 3 18:20:35 2007
From: "Rudy Setiawan" <rudal999@gmail.com>
To: "Julian Elischer" <julian@elischer.org>
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 3 Aug 2007 11:20:34 -0700
Message-ID: <8b24e4de0708031120n210f97ebj3f992ad7a757075e@mail.gmail.com>
In-Reply-To: <46B2817C.6010609@elischer.org>
Subject: Re: redirect traffic based on destination port to another interface

On 8/2/07, Julian Elischer wrote:
> Rudy Setiawan wrote:
> > Hi,
> >
> > I am trying to do a traffic redirection based on destination port to
> > another interface/gateway.
> > Currently, I have a freebsd box that does simple NAT and an Internet connection.
> > I am planning to install another internet connection and use the same
> > box to do some traffic redirection.
> >
> >
> > INTERNET1 -------- freebsd box ------- INTERNET2
> >                         |
> >                         |
> >                 Local Area Network
> >
> > LAN = 192.168.10.0/24 with interface em0
> > INTERNET1-GW = x.x.x.1 with em1
> > INTERNET2-GW = y.y.y.1 with rl0
> >
> > My goal is to redirect any ssh traffic to INTERNET2-GW and I assume
> > that if it can be redirected through INTERNET2-GW then the packets
> > return will go through INTERNET2-GW also.
> >
>
> no, unless you first NAT the packets with the address of that interface.
> (otherwise the packets will come back through your primary network).
> if you have cheap dlink or linksys or whatever DSL routers or whatever with NAT
> on them then you can use that successfully and just use ipfw 'fwd' rules to
> select the interface to use.

I see, hmm are you suggesting that the linksys should be placed
between the freebsd firewall and the internet? Then do ipfw fwd
rules in freebsd to select which interface to go and linksys will
do all the NAT-ing for those packets respectively, right?

Thank you.
Regards,
Rudy
--
+++++++++
http://foodblog.rudal.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 3 20:20:39 2007
From: Julian Elischer <julian@elischer.org>
To: Rudy Setiawan <rudal999@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Date: Fri, 03 Aug 2007 13:20:38 -0700
Message-ID: <46B38E16.3030001@elischer.org>
In-Reply-To: <8b24e4de0708031120n210f97ebj3f992ad7a757075e@mail.gmail.com>
Subject: Re: redirect traffic based on destination port to another interface

Rudy Setiawan wrote:
> On 8/2/07, Julian Elischer wrote:
>> Rudy Setiawan wrote:
>>> Hi,
>>>
>>> I am trying to do a traffic redirection based on destination port to
>>> another interface/gateway.
>>> Currently, I have a freebsd box that does simple NAT and an Internet connection.
>>> I am planning to install another internet connection and use the same
>>> box to do some traffic redirection.
>>>
>>>
>>> INTERNET1 -------- freebsd box ------- INTERNET2
>>>                         |
>>>                         |
>>>                 Local Area Network
>>>
>>> LAN = 192.168.10.0/24 with interface em0
>>> INTERNET1-GW = x.x.x.1 with em1
>>> INTERNET2-GW = y.y.y.1 with rl0
>>>
>>> My goal is to redirect any ssh traffic to INTERNET2-GW and I assume
>>> that if it can be redirected through INTERNET2-GW then the packets
>>> return will go through INTERNET2-GW also.
>>>
>> no, unless you first NAT the packets with the address of that interface.
>> (otherwise the packets will come back through your primary network).
>> if you have cheap dlink or linksys or whatever DSL routers or whatever with NAT
>> on them then you can use that successfully and just use ipfw 'fwd' rules to
>> select the interface to use.
>
> I see, hmm are you suggesting that the linksys should be placed
> between the freebsd firewall and the internet? Then do ipfw fwd
> rules in freebsd to select which interface to go and linksys will
> do all the NAT-ing for those packets respectively, right?

exactly

>
> Thank you.
>
> Regards,
> Rudy

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 3 22:07:59 2007
From: "Rudy Setiawan" <rudal999@gmail.com>
To: "Julian Elischer" <julian@elischer.org>
Date: Fri, 3 Aug 2007 15:07:58 -0700
Message-ID: <8b24e4de0708031507y69944e53raefe86e6cba63345@mail.gmail.com>
In-Reply-To: <46B38E16.3030001@elischer.org>
References: <8b24e4de0708021606h5bbee266xb3a4814962d26643@mail.gmail.com> <46B2817C.6010609@elischer.org> <8b24e4de0708031120n210f97ebj3f992ad7a757075e@mail.gmail.com> <46B38E16.3030001@elischer.org>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: redirect traffic based on destination port to another interface

can you run two instances of natd?

Thank you.

Regards,
Rudy

On 8/3/07, Julian Elischer wrote:
> Rudy Setiawan wrote:
> > On 8/2/07, Julian Elischer wrote:
> >> Rudy Setiawan wrote:
> >>> Hi,
> >>>
> >>> I am trying to do a traffic redirection based on destination port to
> >>> another interface/gateway.
> >>> Currently, I have a freebsd box that does simple NAT and an Internet connection.
> >>> I am planning to install another internet connection and use the same
> >>> box to do some traffic redirection.
> >>>
> >>>
> >>> INTERNET1 -------- freebsd box ------- INTERNET2
> >>>                         |
> >>>                         |
> >>>                 Local Area Network
> >>>
> >>> LAN = 192.168.10.0/24 with interface em0
> >>> INTERNET1-GW = x.x.x.1 with em1
> >>> INTERNET2-GW = y.y.y.1 with rl0
> >>>
> >>> My goal is to redirect any ssh traffic to INTERNET2-GW and I assume
> >>> that if it can be redirected through INTERNET2-GW then the packets
> >>> return will go through INTERNET2-GW also.
> >>>
> >> no, unless you first NAT the packets with the address of that interface.
> >> (otherwise the packets will come back through your primary network).
> >> if you have cheap dlink or linksys or whatever DSL routers or whatever with NAT
> >> on them then you can use that successfully and just use ipfw 'fwd' rules to
> >> select the interface to use.
> >
> > I see, hmm are you suggesting that the linksys should be placed
> > between the freebsd firewall and the internet? Then do ipfw fwd
> > rules in freebsd to select which interface to go and linksys will
> > do all the NAT-ing for those packets respectively, right?
>
> exactly
>
> >
> > Thank you.
> >
> > Regards,
> > Rudy
>
--
+++++++++
http://foodblog.rudal.com

From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 3 22:40:44 2007
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Date: Fri, 3 Aug 2007 22:40:43 GMT
Message-Id: <200708032240.l73Mehpx078988@freefall.freebsd.org>
Subject: Re: bin/115172: [patch] ipfw(8) list show some rules with a wrong format

Synopsis: [patch] ipfw(8) list show some rules with a wrong format

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Fri Aug 3 22:40:33 UTC 2007
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=115172 From owner-freebsd-ipfw@FreeBSD.ORG Fri Aug 3 23:49:09 2007 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 35B0B16A41B for ; Fri, 3 Aug 2007 23:49:09 +0000 (UTC) (envelope-from julian@elischer.org) Received: from outW.internet-mail-service.net (outW.internet-mail-service.net [216.240.47.246]) by mx1.freebsd.org (Postfix) with ESMTP id 2A65A13C4A8 for ; Fri, 3 Aug 2007 23:49:09 +0000 (UTC) (envelope-from julian@elischer.org) Received: from mx0.idiom.com (HELO idiom.com) (216.240.32.160) by out.internet-mail-service.net (qpsmtpd/0.40) with ESMTP; Fri, 03 Aug 2007 16:49:08 -0700 Received: from julian-mac.elischer.org (nat.ironport.com [63.251.108.100]) by idiom.com (Postfix) with ESMTP id 0A454125AEB; Fri, 3 Aug 2007 16:49:08 -0700 (PDT) Message-ID: <46B3BEF3.3030606@elischer.org> Date: Fri, 03 Aug 2007 16:49:07 -0700 From: Julian Elischer User-Agent: Thunderbird 2.0.0.6 (Macintosh/20070728) MIME-Version: 1.0 To: Rudy Setiawan References: <8b24e4de0708021606h5bbee266xb3a4814962d26643@mail.gmail.com> <46B2817C.6010609@elischer.org> <8b24e4de0708031120n210f97ebj3f992ad7a757075e@mail.gmail.com> <46B38E16.3030001@elischer.org> <8b24e4de0708031507y69944e53raefe86e6cba63345@mail.gmail.com> In-Reply-To: <8b24e4de0708031507y69944e53raefe86e6cba63345@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-ipfw@freebsd.org Subject: Re: redirect traffic based on destination port to another interface X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 03 Aug 2007 23:49:09 -0000 Rudy Setiawan wrote: > can you run two instances of natd? yes. 
you can even get natd to run two separate translation sets but I hav enever done it. (phk added code to allow that some time ago I believe) of course you don't need that if you have NAT devices on each link anyway. ($40 each..) > > Thank you. > > Regards, > Rudy > > > On 8/3/07, Julian Elischer wrote: >> Rudy Setiawan wrote: >>> On 8/2/07, Julian Elischer wrote: >>>> Rudy Setiawan wrote: >>>>> Hi, >>>>> >>>>> I am trying to do a traffic redirection based on destination port to >>>>> another interface/gateway. >>>>> Currently, I have a freebsd box that does simple NAT and an Internet connection. >>>>> I am planning to install another internet connection and use the same >>>>> box to do some traffic redirection. >>>>> >>>>> >>>>> INTERNET1 -------- freebsd box ------- INTERNET2 >>>>> | >>>>> | >>>>> Local Area Network >>>>> >>>>> LAN = 192.168.10.0/24 with interface em0 >>>>> INTERNET1-GW = x.x.x.1 with em1 >>>>> INTERNET2-GW = y.y.y.1 with rl0 >>>>> >>>>> My goal is to redirect any ssh traffic to INTERNET2-GW and I assume >>>>> that if it can be redirected through INTERNET2-GW then the packets >>>>> return will go through INTERNET2-GW also. >>>>> >>>> no, unless you first NAT the packets with the address of that interface. >>>> (otherwise the packets will come back through your primary network). >>>> if yo have cheep dlink or linksys or whatever DSL routers or whatever with NAT >>>> on them then you can use that successfully and just use ipfw 'fwd' rules to select the interface to use. >>> I see, hmm are you suggesting that the linksys should be placed >>> between the freebsd firewall and the internet? Then do a ipfw fwd >>> rules to in freebsd to select which interface to go and linksys will >>> do all the NAT-ing for those packets respectiveily right? >> exactly >> >>> Thank you. >>> >>> Regards, >>> Rudy >> > >
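An added example, not from the thread or from either poster, of the layout Julian describes: one natd instance per uplink so each egress gets its own source address, plus an ipfw fwd rule that steers ssh out the second link. The divert ports, rule numbers and the y.y.y.1 placeholder gateway from the thread are assumptions.

```shell
#!/bin/sh
# Added example for the two-uplink setup discussed above (not the poster's config).
# Assumptions: LAN 192.168.10.0/24 on em0, INTERNET1 on em1 (default route),
# INTERNET2 on rl0 with gateway y.y.y.1 (placeholder taken from the thread),
# one natd per uplink on its own divert port (8668 is natd's default, 8669 is
# chosen here), rule numbers chosen here. fwd needs the IPFIREWALL_FORWARD
# kernel option on FreeBSD of that era, and ip forwarding must be enabled.

LAN_NET=192.168.10.0/24
LAN_IF=em0
WAN1_IF=em1
WAN2_IF=rl0
WAN2_GW=y.y.y.1
NAT1_PORT=8668
NAT2_PORT=8669

# One natd per uplink: -n translates with that interface's address,
# -p selects the divert port that interface's ipfw rule hands packets to.
natd_cmds() {
    cat <<EOF
natd -n $WAN1_IF -p $NAT1_PORT
natd -n $WAN2_IF -p $NAT2_PORT
EOF
}

# Rule 100 matches LAN->tcp/22 on the inbound pass and sets the next hop to
# the INTERNET2 gateway, so the packet is routed out rl0 (fwd terminates the
# search for that pass). On the outbound pass the divert rule for the interface
# the packet actually leaves on hands it to that uplink's natd, which rewrites
# the source to that interface's address, so the reply returns on the same
# link; the reply on rl0 hits rule 200 and is translated back to the LAN host.
ipfw_rules() {
    cat <<EOF
add 100 fwd $WAN2_GW tcp from $LAN_NET to any 22 in via $LAN_IF
add 200 divert $NAT2_PORT ip from any to any via $WAN2_IF
add 300 divert $NAT1_PORT ip from any to any via $WAN1_IF
add 65000 allow ip from any to any
EOF
}

# Apply only when explicitly asked (needs root, ipfw and natd available);
# otherwise print the commands that would be run.
if [ "$1" = "apply" ]; then
    natd_cmds | sh
    ipfw_rules | sed 's/^/ipfw /' | sh
else
    natd_cmds
    ipfw_rules | sed 's/^/ipfw /'
fi
```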
