From owner-freebsd-questions Thu Aug 20 10:27:55 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id KAA16057 for freebsd-questions-outgoing; Thu, 20 Aug 1998 10:27:55 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA16051 for ; Thu, 20 Aug 1998 10:27:52 -0700 (PDT) (envelope-from julian@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id KAA07238; Thu, 20 Aug 1998 10:25:38 -0700 (PDT)
Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpd007233; Thu Aug 20 17:25:31 1998
Date: Thu, 20 Aug 1998 10:25:28 -0700 (PDT)
From: Julian Elischer
To: Matthew Spiers
cc: questions@FreeBSD.ORG
Subject: Re: ipfw with adress translation and ipltd
In-Reply-To: <19980820150250.A23813@pavilion.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

If you are running 2.2.x then only one divert rule will work as you expect..
You need to compile the kernel with IPFW_DIVERT_RESTART; this changes the
semantics so that multiple diverts are possible.

That change in semantics is that after diversion and reinjection, the packet
restarts the firewall AFTER the rule# that caused the diversion.. The old
semantics were that the reinjected packet restarted the firewall at the
beginning and skips the rule that caused the diversion. The problem with the
old semantic is that you could only remember one diversion, so if you had 2
diverts you would loop forever between them.

In -current the new semantic is the default.

On Thu, 20 Aug 1998, Matthew Spiers wrote:

> At present we are now running ipfw on a BSD box to do routing, with a divert
> rule to ipltd which enables us to bandwidth restrict the subnets.
> We are considering using address translation as we'd like to conserve IP
> space. Our understanding is that we will need another divert rule
> to natd. The man ipfw states 'If a packet matches more than one divert
> and/or tee rule, all but the last are ignored.'
>
> Now we are concerned that this might mean only one divert is possible -
> or does it mean diverts to a specific port are only allowed once (loop
> avoidance)?
> Or if we natd first, will the 'altered' IP allow us to have another divert
> rule as it's a 'different' IP passing through the ipfw rules?
>
> Anyone have any thoughts/information on this subject?
>
> Regards,
>
> Matt
> Pavilion Internet plc.
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
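To make the two reinjection behaviours concrete, here is a small Python simulation added as an illustration; it is not code from the thread or from FreeBSD. It models a ruleset with a divert to a bandwidth limiter and a divert to natd (rule numbers 100, 200 and the final 65535 allow are constructed for the example) and walks one packet through it under the old semantics (restart at the top, skip the single remembered divert rule) and under the IPFW_DIVERT_RESTART semantics (resume after the diverting rule number). Ports, tee rules and packet contents are deliberately left out since they do not affect the traversal question.

```python
# Simulation of ipfw divert traversal semantics as described in the thread.
# Constructed example: rule numbers and the ruleset are illustrative only.
from dataclasses import dataclass


@dataclass
class Rule:
    number: int
    action: str  # "divert", "allow" or "deny"
    note: str = ""


# Constructed ruleset: bandwidth limiter divert, natd divert, then allow all.
TWO_DIVERTS = [
    Rule(100, "divert", "ipltd bandwidth limiter"),
    Rule(200, "divert", "natd"),
    Rule(65535, "allow", "default allow"),
]

# Same ruleset with only the limiter divert, which works under either semantic.
ONE_DIVERT = [
    Rule(100, "divert", "ipltd bandwidth limiter"),
    Rule(65535, "allow", "default allow"),
]


def run_firewall(rules, semantics, max_diverts=50):
    """Walk one packet through the ruleset and return (outcome, divert_log).

    semantics == "old":     after reinjection restart at the first rule but
                            skip the single remembered diverting rule.
    semantics == "restart": after reinjection resume at the rule after the
                            one that diverted (IPFW_DIVERT_RESTART behaviour).
    The divert_log records each rule number that diverted the packet, so a
    looping packet shows up as a long alternating log and outcome "loop".
    """
    if semantics not in ("old", "restart"):
        raise ValueError("semantics must be 'old' or 'restart'")
    rules = sorted(rules, key=lambda r: r.number)
    log = []
    remembered = None  # old semantics: the one divert rule ipfw remembers
    resume_after = 0   # restart semantics: rule number to resume after
    while True:
        for rule in rules:
            if rule.number <= resume_after:
                continue
            if semantics == "old" and rule.number == remembered:
                continue
            if rule.action == "divert":
                log.append(rule.number)
                if len(log) > max_diverts:
                    # Bounded stand-in for "loop forever between them".
                    return ("loop", log)
                # Packet goes to the userland daemon and is reinjected.
                if semantics == "old":
                    remembered = rule.number
                    resume_after = 0
                else:
                    resume_after = rule.number
                break  # restart traversal with the updated state
            return ("allow" if rule.action == "allow" else "deny", log)
        else:
            return ("default-deny", log)


def compare(rules):
    """Outcome of the same ruleset under both semantics, for quick inspection."""
    return {s: run_firewall(rules, s)[0] for s in ("old", "restart")}


if __name__ == "__main__":
    for name, rs in (("one divert", ONE_DIVERT), ("two diverts", TWO_DIVERTS)):
        print(name, compare(rs))
```

Running the script shows the point of the thread: with one divert both semantics reach the allow rule, while with two diverts the old semantics bounce the packet between rules 100 and 200 indefinitely and only the restart semantics let it pass through both daemons and reach the final allow.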