From: Thomas Wolf
To: ktulu@net2000.com.au, freebsd-ipfw@freebsd.org
Date: Fri, 19 Mar 2004 07:31:12 -0000
Subject: Re: port forwarding and ipfw rules

ktulu@net2000.com.au wrote:

> Basically, what I've done to try and add the other configuration to this box is
> as follows:
>
> 1. Add the aliased IP to fxp1:
> ifconfig fxp1 inet xxx.xxx.19.111 netmask 255.255.255.255 alias
>
> 2. Start the additional natd daemon:
> /sbin/natd -same_ports -use_sockets -port 8669 -alias_address xxx.xxx.19.111
> -redirect_port tcp xxx.xxx.19.102:443 xxx.xxx.19.111:443
>
> 3. Change the ipfw rules to allow this new configuration through. This is
> basically the same as the firewall rules above, but each entry is doubled, where
> ${ip} becomes ${fail_ip}.
> In addition to this, another rule is entered in the
> "natd_enable" section to divert the new natd:
>
> case ${natd_enable} in
> [Yy][Ee][Ss])
>   if [ -n "${natd_interface}" ]; then
>     ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
>     ${fwcmd} add 50 divert ${fail_natd} all from any to any via ${natd_interface}
>   fi
>   ;;
> esac
>
> Once I've added this, this port forwarding on xxx.xxx.19.110 still works, but
> the port forwarding on the aliased IP (xxx.xxx.19.111) doesn't!

I think your second divert rule will never be reached because natd re-inserts the
packets at the next rule-no *higher* than the rule which diverted (check the
counters on rule 50). Perhaps just changing the second divert rule to 55 will do
the trick.

Thomas

--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
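An added example, not part of the original thread, that checks a list of ipfw rules for the problem described above: divert rules sharing one rule number, and the rule at which natd re-enters a diverted packet. The rule lines, the interface name fxp1 and the divert port 8669 (taken from the natd -port option in the post) are constructed sample input.

```sh
#!/bin/sh
# Added example, not the original poster's rc script.
# natd re-injects a packet at the first rule numbered strictly higher than
# the divert rule that sent it to natd, so a second divert rule carrying the
# same number is never reached for that packet.
# Input format assumed: "add <num> <action> ..." lines as passed to ${fwcmd}.

# Print every rule number that carries more than one divert rule.
# Exit status 1 if any such number exists, 0 otherwise.
find_shadowed_diverts() {
    printf '%s\n' "$1" | awk '
        $1 == "add" && $3 == "divert" { count[$2]++ }
        END {
            bad = 0
            for (n in count) if (count[n] > 1) { print n; bad = 1 }
            exit bad
        }'
}

# Print the rule number at which natd re-enters the chain after the divert
# rule numbered $2: the lowest rule number strictly greater than $2
# (prints nothing if no higher rule exists).
reinject_rule() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $1 == "add" && $2 + 0 > n + 0 {
            if (best == "" || $2 + 0 < best) best = $2 + 0
        }
        END { if (best != "") print best }'
}

# Constructed sample: both divert rules numbered 50, as in the post.
BROKEN_RULES='add 50 divert natd all from any to any via fxp1
add 50 divert 8669 all from any to any via fxp1
add 100 allow ip from any to any'

# Constructed sample with the second divert moved to rule 55.
FIXED_RULES='add 50 divert natd all from any to any via fxp1
add 55 divert 8669 all from any to any via fxp1
add 100 allow ip from any to any'

# Stand-alone run: report shadowed divert rules and the re-injection points.
if [ "${1:-}" = "--demo" ]; then
    echo "shadowed divert numbers (broken set):"; find_shadowed_diverts "$BROKEN_RULES"
    echo "natd re-enters broken set after rule 50 at: $(reinject_rule "$BROKEN_RULES" 50)"
    echo "shadowed divert numbers (fixed set):";  find_shadowed_diverts "$FIXED_RULES"
    echo "natd re-enters fixed set after rule 50 at: $(reinject_rule "$FIXED_RULES" 50)"
fi
```

In the broken set the packet diverted by the first rule 50 re-enters at rule 100 and the second natd never sees it; in the fixed set it re-enters at 55, where the second divert is evaluated.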