From owner-freebsd-net@FreeBSD.ORG  Wed Feb 18 15:36:03 2009
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B98F2106566B
	for <freebsd-net@freebsd.org>; Wed, 18 Feb 2009 15:36:03 +0000 (UTC)
	(envelope-from prt@prt.org)
Received: from smtp6.uk.umis.net (smtp6.uk.umis.net [217.65.166.41])
	by mx1.freebsd.org (Postfix) with ESMTP id 8405F8FC0A
	for <freebsd-net@freebsd.org>; Wed, 18 Feb 2009 15:36:03 +0000 (UTC)
	(envelope-from prt@prt.org)
Received: from kate.prtsystems.ltd.uk ([217.65.165.35])
	by smtp6.uk.umis.net with esmtpa (Exim 4.63 (FreeBSD))
	(envelope-from <prt@prt.org>) id 1LZoSv-000K1I-Oo
	for freebsd-net@freebsd.org; Wed, 18 Feb 2009 15:36:01 +0000
Message-ID: <499C2ADF.3070700@prt.org>
Date: Wed, 18 Feb 2009 15:35:59 +0000
From: Paul Thornton <prt@prt.org>
User-Agent: Thunderbird 2.0.0.19 (Windows/20081209)
MIME-Version: 1.0
To: freebsd-net@freebsd.org
References: <49995AB5.50200@prt.org>
In-Reply-To: <49995AB5.50200@prt.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: ipfw problems using divert and fwd at the same time with
	6.3-release
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2009 15:36:04 -0000

I have found the error of my ways...

For the purposes of the archives, I'm posting what actually made this 
work. It is a very simple fix and I don't quite know how I missed trying 
this out during my frustrations.

Before the "ipfw fwd..." line you need one or more "ipfw skipto..." 
lines to ensure that you don't accidentally match the more specific 
addresses on the fwd.

What's interesting is that I'd had "ipfw allow..." lines before the 
"ipfe fwd..." line doing a similar thing to skipto, and it didn't work.

So I amended the ruleset to the following (other rules stay the same):

> 06000   515  153945 divert 8668 ip from any to me via em0
> 07000    48    5472 skipto 32000 ip from 10.81.0.0/16 to 217.65.161.4 dst-port 80
> 07100     0       0 skipto 32000 ip from 10.81.129.0/24 to any
> 08000    94   10434 fwd 127.0.0.1,8000 tcp from 10.81.0.0/16 to any dst-port 80
> 32000   499  230890 allow ip from any to any

Paul.