From owner-freebsd-ipfw@FreeBSD.ORG Mon Sep 15 06:06:53 2003
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B6F016A4BF for ; Mon, 15 Sep 2003 06:06:53 -0700 (PDT)
Received: from transport.cksoft.de (transport.cksoft.de [62.111.66.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0539B43FB1 for ; Mon, 15 Sep 2003 06:06:51 -0700 (PDT) (envelope-from ck@cksoft.de)
Received: from localhost (localhost [127.0.0.1]) by transport.cksoft.de (Postfix) with ESMTP id DD69D1FF900; Mon, 15 Sep 2003 15:06:48 +0200 (CEST)
Received: from vesihiisi.cksoft.de (unknown [192.168.64.10]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by transport.cksoft.de (Postfix) with ESMTP id 5C8C81FF8FF; Mon, 15 Sep 2003 15:06:45 +0200 (CEST)
Received: from vesihiisi.cksoft.de (localhost [127.0.0.1]) by vesihiisi.cksoft.de (Postfix) with ESMTP id CF9572278; Mon, 15 Sep 2003 15:06:43 +0200 (CEST)
Received: by vesihiisi.cksoft.de (Postfix, from userid 1000) id 2D9CE2262; Mon, 15 Sep 2003 15:06:42 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by vesihiisi.cksoft.de (Postfix) with ESMTP id 2BFE1225C; Mon, 15 Sep 2003 15:06:42 +0200 (CEST)
Date: Mon, 15 Sep 2003 15:06:42 +0200 (CEST)
From: Christian Kratzer
To: Martin Bartelds
In-Reply-To: <200309151438.1937858.6@btsoftware.com>
Message-ID: <20030915150519.O3146@vesihiisi.cksoft.de>
References: <200309151438.1937858.6@btsoftware.com>
X-Spammer-Kill-Ratio: 75%
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Virus-Scanned: by AMaViS snapshot-20020300-cksoft-02bz on vesihiisi.cksoft.de
X-Virus-Scanned: by AMaViS snapshot-20020300
cc: "ipfw@freebsd.org"
Subject: Re: IPFW/routing wishes
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Mon, 15 Sep 2003 13:06:53 -0000

Hi,

On Mon, 15 Sep 2003, Martin Bartelds wrote:
> What I do seriously miss in FreeBSD is the possibility to have NATD active
> on more than one network address/card and do packet routing based
> on packet information.
>
> For example: all external network interfaces X and Y serving their own requests,
> routing all traffic from the firewall's system to interface X and all
> other traffic (i.e. from the internal network) to interface Y.
>
> The activation mechanism (the rules) of IPFW and NATD seems to
> be integrated with the actual firewall. Understandable, because once
> matching has been done, the FW rule can be applied easily. Activation
> of NATD handling is done with the divert as a result of the matching mechanism.
>
> Running 2 NATDs is possible, but ends up with the wrong "source"
> address in the packets supposed to go to one of the cards.
> I.e. one NATD works fine, the other creates packets with the wrong source
> address going to the wrong outgoing network card (and as such have
> conflicts with the firewall rules, apart from going to the wrong card and
> as such abusing the ISP).
[snip]

I have successfully run multiple natds on different outside interfaces and
had absolutely no problems in doing so. Of course you need two different
divert ports, but the configuration was pretty trivial.

Can you show a specific config you had problems with?

Greetings
Christian
--
CK Software GmbH                             Christian Kratzer, Schwarzwaldstr. 31, 71131 Jettingen
Email: ck@cksoft.de                          Phone: +49 7452 889-135
Open Software Solutions, Network Security    Fax: +49 7452 889-136
FreeBSD spoken here!
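As an added illustration of the setup discussed in this thread (not a config posted by either participant): two natd instances, one per outside interface, each reading from its own divert port, with each ipfw divert rule bound to one interface via "via" so that no natd ever rewrites a packet with the other interface's address. An ipfw "fwd" rule steers the inside network's traffic out the second interface while the firewall's own traffic follows the default route out the first (this needs options IPFIREWALL_FORWARD in the kernel). The interface names, addresses, gateway and divert ports are assumptions; the script only runs ipfw/natd when invoked with "apply" on a host that has them, and otherwise just prints the ruleset it would load.

```sh
#!/bin/sh
# Added example, not configuration from the thread. Interface names,
# addresses, gateway and divert ports are assumptions.

EXT_A=fxp0             # outside interface X: default route, firewall's own traffic
EXT_B=fxp1             # outside interface Y: the inside network's traffic
GW_B=10.1.1.1          # ISP gateway reachable through fxp1 (next hop for fwd)
INT_IF=fxp2            # inside interface
INT_NET=192.168.1.0/24 # inside network NATed behind fxp1
PORT_A=8668            # divert port for the natd bound to fxp0
PORT_B=8669            # divert port for the natd bound to fxp1

# natd command line for one interface: -n binds the alias address to that
# interface, -p selects the divert port the instance reads from.
natd_cmd() {
    printf 'natd -p %s -n %s\n' "$2" "$1"
}

# The two divert ports must differ; two natd processes on one port would
# each see the other's packets and rewrite them with the wrong address.
check_ports() {
    [ "$PORT_A" != "$PORT_B" ]
}

# ipfw ruleset, in the order the packets meet it:
#  100      fwd on packets coming in from the inside interface sets their next
#           hop before routing, so they leave via EXT_B instead of the default.
#  200/210  each divert is tied to one interface with "via", so the natd on
#           PORT_A only ever sees EXT_A packets and PORT_B only EXT_B packets.
#  300+     stateful allow for outbound on both outside interfaces, open inside
#           and loopback, default deny with logging.
build_rules() {
    cat <<EOF
add 100 fwd $GW_B ip from $INT_NET to any in recv $INT_IF
add 200 divert $PORT_A ip from any to any via $EXT_A
add 210 divert $PORT_B ip from any to any via $EXT_B
add 300 check-state
add 400 allow ip from any to any out via $EXT_A keep-state
add 410 allow ip from any to any out via $EXT_B keep-state
add 500 allow ip from any to any via $INT_IF
add 600 allow ip from any to any via lo0
add 65000 deny log ip from any to any
EOF
}

# Which divert port (and therefore which natd) handles a given outside interface.
divert_port_for() {
    case "$1" in
        "$EXT_A") echo "$PORT_A" ;;
        "$EXT_B") echo "$PORT_B" ;;
        *) return 1 ;;
    esac
}

# Start both natds and load the ruleset; refuses to run with colliding ports.
apply() {
    check_ports || { echo "divert ports must differ" >&2; return 1; }
    natd -p "$PORT_A" -n "$EXT_A"
    natd -p "$PORT_B" -n "$EXT_B"
    ipfw -q flush
    build_rules | ipfw -q /dev/stdin
}

if [ "${1:-}" = apply ] && command -v ipfw >/dev/null 2>&1; then
    apply
else
    natd_cmd "$EXT_A" "$PORT_A"
    natd_cmd "$EXT_B" "$PORT_B"
    build_rules
fi
```

Run without arguments to review the generated natd command lines and ruleset; run with "apply" as root on the FreeBSD box to load it. Verify with "ipfw show" that the two divert rules carry different ports and different "via" interfaces, and with "sockstat" that each natd is listening on its own divert port.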