Date: Wed, 25 Feb 2004 09:00:45 -0600
From: Nathan Kinkade <nkinkade@ub.edu.bz>
To: Edison Cala <edison@sflu.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: port forwarding and ip-less firewall
Message-ID: <20040225150045.GE11671@nkinkade.bmp.ub>
In-Reply-To: <200402251719.AA14090702@sflu.com>
References: <200402251719.AA14090702@sflu.com>
On Wed, Feb 25, 2004 at 05:19:35PM +0800, Edison Cala wrote:
> Hello list!
>
> I want to ask for some help on port forwarding in a bridge-firewall
> network.
>
> Our network setup is:
>
> 1. The router is outside the firewall, direct to the internet.
> 2. The bridge-firewall computer (2 ethernet cards installed, eth0 -
> outside (router), eth1 - protected network) is between the router and
> the protected network.
>
> All the servers are behind the firewall and only the allowed ports
> are opened. I have 2 mail servers (unit1.domain.com and unit2.domain.com)
> running on the protected network. unit1.domain.com is just an SMTP
> relay for unit2.domain.com and it's working fine. However, I want to
> put a rule (port forward) in the firewall to forward requests destined to
> unit2.domain.com (port 25), but that request should first be passed to
> unit1.domain.com (for antispam processing) before unit2. unit1 should
> then be the one to forward the request to unit2.domain.com.
>
> Why I want to do this is that some mails are getting through and
> received at unit2 without passing through unit1. In MX, unit1 is the 1st
> priority and unit2 is 2nd priority only.
>
> Please help and give an idea on port forwarding rules between two
> servers within the protected network.
>
> Thank you!
>
> Edison Cala

I think this would normally be handled using a 'fwd' rule (man ipfw), but
the manpage specifically states:

"A fwd rule will not match layer-2 packets (those received on ether_input,
ether_output, or bridged)."

So, I'm not sure how you could implement this when using ipfw on a bridged
interface.
Nathan
--
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
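The following is an added example and not part of Nathan's reply or Edison's setup. It shows the fwd rule Nathan refers to, in ipfw(8) syntax, next to the one thing a bridging firewall can still do with plain filter rules: refuse SMTP to unit2 from the outside so that senders are left with the primary MX, unit1, which relays inside the protected network. The interface name, the 192.168.1.x addresses, the rule numbers and the FreeBSD 4.x-era net.link.ether.bridge_ipfw sysctl are all assumptions made for the example; the commands are printed rather than executed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipfw ruleset for the
# bridge-firewall described above.  Interface and address values are
# assumed placeholders; replace them with the real ones.
#
# Assumption: FreeBSD 4.x-era bridge(4) with ipfw hooked in through the
# net.link.ether.bridge_ipfw sysctl, so bridged frames are run through
# the ruleset as "in via <nic they arrived on>".
OUTSIDE_IF="${OUTSIDE_IF:-fxp0}"      # assumed: NIC facing the router
UNIT1="${UNIT1:-192.168.1.10}"        # assumed: unit1.domain.com (relay, MX 1)
UNIT2="${UNIT2:-192.168.1.20}"        # assumed: unit2.domain.com (final host, MX 2)
DRY_RUN="${DRY_RUN:-1}"               # 1 = print the commands, 0 = run them

# Print or execute a single command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# The rule the original poster was asking for.  ipfw(8) states that a
# fwd rule does not match layer-2 (bridged) packets, so on a pure bridge
# this rule is inert: nothing addressed to unit2 gets diverted to unit1.
# It is defined here only to show the syntax; emit_rules does not use it.
fwd_rule() {
    run ipfw add 200 fwd "$UNIT1,25" tcp from any to "$UNIT2" 25 in via "$OUTSIDE_IF"
}

# Plain allow/deny rules do match bridged packets once bridge_ipfw is on,
# so the achievable equivalent is to refuse direct outside SMTP to unit2.
# Senders that tried the secondary MX are refused and fall back to unit1;
# unit1's relay to unit2 stays inside and never crosses OUTSIDE_IF.
deny_direct_smtp() {
    run ipfw add 300 deny tcp from any to "$UNIT2" 25 in via "$OUTSIDE_IF"
}

# Complete ruleset: keep established flows, block outside SMTP to unit2,
# admit outside SMTP only to unit1, drop everything else.
emit_rules() {
    run sysctl net.link.ether.bridge_ipfw=1
    run ipfw -f flush
    run ipfw add 100 allow tcp from any to any established
    deny_direct_smtp
    run ipfw add 400 allow tcp from any to "$UNIT1" 25 in via "$OUTSIDE_IF"
    run ipfw add 65000 deny ip from any to any
}

emit_rules
```

Rule order matters: the deny for unit2 (300) sits before the allow for unit1 (400) and before the final deny, so a packet for unit2 on port 25 arriving on the outside NIC never reaches a permissive rule. Run with DRY_RUN=0 on the bridge itself to apply the rules.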