Date: Mon, 15 Sep 2003 14:38:17 +0200 (CDT)
From: "Martin Bartelds" <bts@iae.nl>
To: "ipfw@freebsd.org" <ipfw@freebsd.org>
Subject: IPFW/routing wishes
Message-ID: <200309151438.1937858.6@btsoftware.com>
What I do seriously miss in FreeBSD is the possibility to have NATD active on more than one network address/card and do packet routing based on packet information.

For example: all external network interfaces X and Y serving their own requests, routing all traffic from the firewall's system to interface X and all other traffic (i.e. from the internal network) to interface Y.

The activation mechanism (the rules) of IPFW and NATD seems to be integrated with the actual firewall. Understandable, because once matching has been done, the FW rule can be applied easily. Activation of NATD handling is done with the divert as a result of the matching mechanism. Running 2 NATDs is possible, but ends up with the wrong "source" address in the packets supposed to go to one of the cards. I.e. one NATD works fine, the other creates packets with the wrong source address going to the wrong outgoing network card (and as such have conflicts with the firewall rules, apart from going to the wrong card and as such abusing the ISP).

I would like to see an option "REROUTE", where I do have the opportunity to change source address and destination network card. A subsequent wish would be to have some sort of an option to manipulate the REROUTE effect based on load and/or line availability. But that's much less important (for the moment).

What I'm not looking for:
- The option to keep a TCP connection up once it has been established. If an external link fails, the connection may be dropped. No problem.
- A real dual link, where packets for 1 TCP connection are sent out over two external links. Much harder to implement and keep ISPs happy about strange IP addresses coming out of their network.

Why am I interested in this REROUTE option? Many (smaller) companies and/or individuals do have NATD running for both protection and serving the internal network. More and more, this user group is having MULTIPLE external (low cost ADSL and/or cable) connections for performance and fallback strategies.

Until now, FreeBSD is not capable of handling this properly. :-((

I have been looking at the FreeBSD source code and noticed it "could" be done by the firewall code. But that would be (programmer-wise) an ugly way to do this, because it would require changing data global to the firewall selection/handling routines context.

Opinions?

Martin.
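As an added illustration (not part of Martin's mail and not FreeBSD's own code), here is how the selection he describes can be written with the ipfw and natd that exist today: one natd per external interface, divert rules chosen by source address, and the ipfw fwd action to pin the next hop of packets that natd has already translated to interface Y's address. Interface names, addresses, divert ports and the split of the internal network are all assumptions. The script prints the ipfw commands unless MODE=apply is set, so the ruleset can be reviewed on a host that has no ipfw.

```shell
#!/bin/sh
# Added example, not from the mail: dry-run generator for an ipfw/natd
# layout with two external interfaces. X carries the default route (so the
# firewall's own packets leave there untouched) and Y carries most of the
# internal network through its own natd. Names, addresses, ports and the
# subnet split are assumptions. The fwd action requires a kernel built with
# options IPFIREWALL_FORWARD (plus IPFIREWALL and IPDIVERT).

EXT_X=fxp0               # external interface X (assumed name)
EXT_Y=fxp1               # external interface Y (assumed name)
ADDR_Y=198.51.100.10     # address natd -n $EXT_Y translates to (assumed)
GW_Y=198.51.100.1        # ISP gateway reachable through Y (assumed)
INT_NET=192.168.1.0/24   # whole internal network (assumed)
INT_VIA_X=192.168.1.0/25 # the part of it that should still use X (assumed)
PORT_X=8668              # divert port for the natd bound to X
PORT_Y=8669              # divert port for the natd bound to Y
MODE=${MODE:-dry}        # "apply" runs ipfw/natd; anything else only prints

# Print the ipfw command in dry mode, execute it in apply mode.
emit() {
    if [ "$MODE" = apply ]; then ipfw "$@"; else echo "ipfw $*"; fi
}

# One natd per external interface: -n ties the translation address to that
# interface, -p picks the divert port the ruleset below sends packets to.
start_natd() {
    natd -n "$EXT_X" -p "$PORT_X"
    natd -n "$EXT_Y" -p "$PORT_Y"
}

ruleset() {
    emit -f flush
    # Outbound selection by source address: the small subnet goes to X's natd
    # and then follows the default route; the rest of the internal net goes
    # to Y's natd. The firewall's own packets match neither and keep X.
    emit add 100 divert "$PORT_X" ip from "$INT_VIA_X" to any out
    emit add 200 divert "$PORT_Y" ip from "$INT_NET" to any out
    # natd re-injects the translated packet and ipfw resumes after the divert
    # rule, so a source of ADDR_Y identifies Y's traffic: pin its next hop to
    # ISP Y's gateway so it leaves via EXT_Y instead of the default route.
    emit add 300 fwd "$GW_Y" ip from "$ADDR_Y" to any out
    # Inbound: replies on each interface go back to that interface's natd.
    emit add 400 divert "$PORT_X" ip from any to any in via "$EXT_X"
    emit add 500 divert "$PORT_Y" ip from any to any in via "$EXT_Y"
    emit add 65000 allow ip from any to any
}

# Number of divert rules the ruleset emits; a quick sanity check for reviews.
divert_rule_count() {
    ruleset | grep -c ' divert '
}

if [ "$MODE" = apply ]; then start_natd; fi
ruleset
```

Run it as `MODE=apply sh two-natd.sh` on the gateway as root; without MODE it only prints the rules. The layout depends on ipfw resuming after the divert rule once natd re-injects the packet, which is what lets rule 300 see ADDR_Y as the source. Whether the packets then leave through EXT_Y with the right source address is the thing to verify with tcpdump on both external interfaces, since that wrong-source-address symptom is exactly what the mail reports.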