Date: Fri, 19 Mar 2004 07:31:12 -0000
From: Thomas Wolf <tw@wsf.at>
To: ktulu@net2000.com.au, freebsd-ipfw@freebsd.org
Subject: Re: port forwarding and ipfw rules
Message-ID: <20040319083112.1q3zyahmb90kw@.mailhost.wsf.at>
ktulu@net2000.com.au wrote:
>
> Basically, what I've done to try and add the other configuration to this box is
> as follows:
>
> 1. Add the aliased IP to fxp1:
> ifconfig fxp1 inet xxx.xxx.19.111 netmask 255.255.255.255 alias
>
> 2. Start the additional natd daemon:
> /sbin/natd -same_ports -use_sockets -port 8669 -alias_address xxx.xxx.19.111
> -redirect_port tcp xxx.xxx.19.102:443 xxx.xxx.19.111:443
>
> 3. Change the ipfw rules to allow this new configuration through. This is
> basically the same as the firewall rules above, but each entry is doubled, where
> ${ip} becomes ${fail_ip}. In addition to this, another rule is entered in the
> "natd_enable" section to divert the new natd:
>
> case ${natd_enable} in
> [Yy][Ee][Ss])
>     if [ -n "${natd_interface}" ]; then
>         ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>         ${fwcmd} add 50 divert ${fail_natd} all from any to any via ${natd_interface}
>     fi
>     ;;
> esac
>
> Once I've added this, this port forwarding on xxx.xxx.19.110 still works, but
> the port forwarding on the aliased IP (xxx.xxx.19.111) doesn't!

I think your second divert rule will never be reached because natd re-inserts
the packets at the next rule-no *higher* than the rule which diverted (check
the counters on rule 50). Perhaps just changing the second divert rule to 55
will do the trick.

Thomas
--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
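To make the re-injection point concrete, here is a small model of the rule traversal Thomas describes: a diverted packet comes back from natd and resumes at the first rule whose number is strictly higher than the diverting rule, so a second divert rule that shares number 50 is skipped, while the same rule at 55 is reached. This is an added example, not code from the thread or from FreeBSD; it models the behaviour stated in the reply rather than the kernel's actual ipfw code (which also depends on the ipfw version and the net.inet.ip.fw.one_pass sysctl), and the rule set, the default natd divert port 8668 for the first natd, and the catch-all allow at 65000 are constructed for the demonstration.

```python
"""Model of ipfw rule traversal with natd divert re-injection (constructed example)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    number: int                        # ipfw rule number
    action: str                        # "divert" or "allow"
    divert_port: Optional[int] = None  # natd divert socket for "divert" rules
    hits: int = 0                      # packet counter, like `ipfw -a list` shows


def traverse(rules: List[Rule]) -> List[int]:
    """Walk one packet through the rule set and return the divert ports it visited.

    Model (as stated in the thread): after natd hands a packet back, ipfw resumes
    at the first rule whose number is strictly higher than the diverting rule.
    """
    # ipfw keeps rules sorted by number; sorted() is stable, so rules sharing a
    # number keep the order in which they were added.
    ordered = sorted(rules, key=lambda r: r.number)
    visited: List[int] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        rule.hits += 1
        if rule.action == "allow":
            return visited
        if rule.action == "divert":
            visited.append(rule.divert_port)
            # Re-entry point: every rule that shares the diverting rule's number
            # is skipped, which is why two "add 50 divert" rules cannot both fire.
            i = next((j for j, r in enumerate(ordered) if r.number > rule.number),
                     len(ordered))
            continue
        i += 1
    return visited


def build_rules(second_divert_no: int) -> List[Rule]:
    """Constructed rule set mirroring the thread's rc snippet.

    Rule 50 diverts to the first natd (assumed on the default divert port 8668),
    the second divert rule feeds the extra natd started with -port 8669, and a
    constructed catch-all allow sits at 65000.
    """
    return [
        Rule(50, "divert", 8668),
        Rule(second_divert_no, "divert", 8669),
        Rule(65000, "allow"),
    ]


def divert_ports_reached(second_divert_no: int) -> List[int]:
    """Which natd instances a packet actually passes through."""
    return traverse(build_rules(second_divert_no))


def hit_counters(second_divert_no: int) -> List[int]:
    """Per-rule packet counters after one packet, in rule order."""
    rules = build_rules(second_divert_no)
    traverse(rules)
    return [r.hits for r in rules]


if __name__ == "__main__":
    for n in (50, 55):
        print(f"second divert at {n}: natd ports reached {divert_ports_reached(n)}, "
              f"counters {hit_counters(n)}")
```

Running it shows the symptom from the thread: with both divert rules at 50 the packet reaches only port 8668 and the second rule's counter stays at zero, which is exactly what checking the counters on rule 50 would reveal; with the second rule renumbered to 55, both natd instances see the packet.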