From owner-freebsd-security Wed Apr 4 14:20:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 2A66337B71F for ; Wed, 4 Apr 2001 14:20:29 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f34MNq508054; Wed, 4 Apr 2001 17:23:52 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Wed, 4 Apr 2001 17:23:51 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: "Crist J. Clark"
Cc: Matthew Reimer , owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
In-Reply-To: <3ACAE8CE.F9223E28@alum.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 4 Apr 2001, Crist J. Clark wrote:

> Matthew Reimer wrote:
> >
> > This might be a start, though I'm not sure how NAT should fit in. You'll
> > need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.
> >
> > ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
> > ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any
>
> Neither of the two responses I saw looked like they would do what the
> original poster wanted. It is a start, but this one will not work as shown
> with natd. The search will terminate with the above rules, before being
> divert(4)ed.

add 200 fwd 2.2.2.2 ip from 10.10.10.128/25 to any out recv ed0 xmit de0
add 300 divert natd ip from any to any de0

IIRC, the above rule 200 will match the inbound packet from ed0, change the next hop address, then be re-run through the firewall on the way out the interface de0 (rule 300 above) to the destination. I've tested this with a log rule at 250 and it seems to match the outbound packet, so I'm assuming this will work.
Since he specified in a later email that 2.2.2.2 and 2.2.2.1 are on the same outbound interface, you could get away with running 1 natd, as both subnets' traffic would return via the same interface...regardless of where it came from.

However, the catch is on outbound traffic. The second DSL provider must allow the alias address of the 1st DSL provider through their gateways (not likely). Therefore, what Crist suggested would work pretty damn well. There are several variations of that ruleset provided that could work.

Nick Rogness
- Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"
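Crist's point above, that ipfw stops searching at the first matching fwd rule so a divert rule placed after it is never reached, can be checked with a toy model of ipfw's first-match search. This is an added example, not code from the thread: it models only the action and from/to parts of a rule (interface and direction options such as out, recv and xmit are ignored), and the natd divert rules numbered 3000 and 500 are constructed to show the two orderings.

```python
import ipaddress

# Toy model of ipfw's first-match search (constructed example, not ipfw itself).
# "fwd", "allow" and "deny" terminate the search; "divert natd" hands the packet
# to natd and the search resumes at the next rule. Interface/direction options
# (out, recv, xmit) are not modelled.

def parse_rule(line):
    """Parse 'add <num> <action> [arg] ip from <src> to <dst>' (subset of ipfw syntax)."""
    w = line.split()
    num, action, rest = int(w[1]), w[2], w[3:]
    arg = rest.pop(0) if action in ("fwd", "divert") else None
    src, dst = rest[rest.index("from") + 1], rest[rest.index("to") + 1]
    return {"num": num, "action": action, "arg": arg, "src": src, "dst": dst}

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def evaluate(rules, src, dst="198.51.100.7"):
    """Return (natd_applied, next_hop) for a packet from src to dst."""
    natted = False
    for rule in sorted(rules, key=lambda r: r["num"]):
        if not (in_net(src, rule["src"]) and in_net(dst, rule["dst"])):
            continue
        if rule["action"] == "divert":
            natted = True                 # natd rewrites the packet; search continues
        elif rule["action"] == "fwd":
            return natted, rule["arg"]    # terminating: next hop is chosen here
        elif rule["action"] in ("allow", "deny"):
            return natted, rule["action"]
    return natted, "default"

# Matthew's fwd rules with a constructed natd divert rule placed after them.
FWD_THEN_DIVERT = [parse_rule(l) for l in (
    "add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any",
    "add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any",
    "add 3000 divert natd ip from any to any",
)]

# The same rules with the divert placed before the fwd rules.
DIVERT_THEN_FWD = [parse_rule(l) for l in (
    "add 500 divert natd ip from any to any",
    "add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any",
    "add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any",
)]

if __name__ == "__main__":
    for name, rules in (("fwd then divert", FWD_THEN_DIVERT), ("divert then fwd", DIVERT_THEN_FWD)):
        print(name, evaluate(rules, "10.10.10.130"))
```

With the divert after the fwd rules a 10.10.10.130 packet is forwarded to 2.2.2.2 without ever being handed to natd; with the divert first it is translated and then forwarded.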