From owner-freebsd-ipfw@FreeBSD.ORG Mon Mar 13 11:43:53 2006
From: Vladimir Grigor
Date: Mon, 13 Mar 2006 17:43:44 +0600
To: freebsd-ipfw@freebsd.org
Subject: ipfw2(stateful)+divert; why divert rule is ignored?
Message-ID: <1014435727.20060313174344@mail.ru>
In-Reply-To: <1438179712.20060310114356@mail.ru>
List-Id: IPFW Technical Discussions

FreeBSD 5.4

Specifically, I can't figure out why rule 3800 is ignored... :confused: If you have an idea, just give me a clue about it.... Thanks...

Regular NAT is working properly, but I can't configure NAPT to services on a server in the LAN.... The interface to the LAN is also untrusted; that's why there are so many details in the config...
tun0 - interface to the Internet
vr1 - interface to the LAN
212.42.xxx.xxx - my external IP

Some relevant firewall rules [# ipfw -de sh]:
[CODE]
03800 0 0 divert 6893 log logamount 100 tcp from 192.168.0.1 80 to any out via tun0
04000 0 0 check-state
04400 0 0 allow log logamount 100 tcp from 212.42.xxx.xxx 80 to any out via tun0
04700 25 1554 divert 6893 log logamount 100 tcp from any to 212.42.xxx.xxx dst-port 80 in via tun0
05000 150 6816 allow log logamount 100 tcp from any to 192.168.0.1 dst-port 80 in via tun0 setup keep-state
## Dynamic rules (14):
05000 17 768 (0s) STATE tcp 212.112.117.70 1212 <-> 192.168.0.1 80
...
[/CODE]

/var/log/security:
[CODE]
...
Mar 9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1
#^ this is OK - the packet is ready to be caught by rule 3800, but that rule is ignored and the packet is processed by the dynamic rule :confused:
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
...
[/CODE]

natd is started by:
[CODE]
natd -log_denied -s -m -p 6893 -dynamic -n tun0 -redirect_port tcp 192.168.0.1:80 80 -log_ipfw_denied -l
[/CODE]

--
Best regards,
Vladimir
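As an added example (not part of Vladimir's post and not FreeBSD code), the script below mechanises the check he is doing by hand: it parses ipfw log lines of the form shown above, groups them into connections by endpoint pair, and reports which rule number handled each pass of a packet through the firewall (in via tun0, out via vr1, in via vr1, out via tun0). The sample input is the five log lines from the post; the function names and the idea of asking "which rules handled packets matching this source/direction/interface selector" are this example's own, not an ipfw feature.

```python
import re
from collections import OrderedDict

# Regex for the ipfw log line shape seen in the post:
#   "... ipfw: <rule> <Action> [<port>] <PROTO> <src>:<sport> <dst>:<dport> <in|out> via <ifname>"
# Addresses accept "xxx" so the anonymised external IP in the post still parses.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Accept|Deny|Reject|Count|Divert \d+|Unreach \d+) "
    r"(?P<proto>\w+) (?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Sample input: the log lines quoted in the post above (constructed test data, copied verbatim).
LOG_LINES = """\
Mar 9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
""".splitlines()


def parse_ipfw_log(lines):
    """Return one dict per ipfw log line; lines that are not ipfw log records are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["rule"] = int(e["rule"])
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def flow_key(e):
    """Direction-independent key for a connection: the sorted pair of 'ip:port' endpoints.
    Pre-NAT and post-NAT copies of the same connection deliberately land in different flows."""
    return tuple(sorted((f"{e['src']}:{e['sport']}", f"{e['dst']}:{e['dport']}")))


def flows(events):
    """Group events by connection, preserving the order in which each packet pass was logged."""
    groups = OrderedDict()
    for e in events:
        groups.setdefault(flow_key(e), []).append(e)
    return groups


def traversal(events, endpoint_a, endpoint_b):
    """Every logged pass of packets belonging to the connection between the two endpoints."""
    return flows(events).get(tuple(sorted((endpoint_a, endpoint_b))), [])


def rules_handling(events, src, sport, direction, iface):
    """Rule numbers that handled packets matching a selector of the same shape as an ipfw rule
    body 'tcp from SRC SPORT to any DIRECTION via IFACE'.  Use it to see whether the rule you
    expected to fire for that selector ever appears in the log at all."""
    hits = {e["rule"] for e in events
            if e["src"] == src and e["sport"] == sport
            and e["dir"] == direction and e["iface"] == iface}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_ipfw_log(LOG_LINES)
    for key, hops in flows(evs).items():
        print(" <-> ".join(key))
        for h in hops:
            print(f"    rule {h['rule']:5d} {h['action']:12s} {h['dir']:3s} via {h['iface']}")
    # The selector of the post's rule 3800: replies from 192.168.0.1:80 leaving via tun0.
    print("rules seen for 192.168.0.1:80 out via tun0:",
          rules_handling(evs, "192.168.0.1", 80, "out", "tun0"))
```

Run over a real /var/log/security the output lists, per connection, the sequence of rule numbers that logged each pass; a divert rule that is expected for a given source/direction/interface but never shows up in `rules_handling` for that selector is exactly the symptom described in the post. Note that ipfw logs a match on a dynamic rule under the number of the rule that created it, which is why every pass of the inside connection above reports 5000.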