From owner-freebsd-security Wed Apr 4 14:39:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142])
    by hub.freebsd.org (Postfix) with ESMTP id 0727037B71C
    for ; Wed, 4 Apr 2001 14:39:08 -0700 (PDT)
    (envelope-from cjclark@alum.mit.edu)
Received: from alum.mit.edu ([207.88.153.184])
    by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBAESO00.P8M;
    Wed, 4 Apr 2001 14:38:48 -0700
Message-ID: <3ACB947D.16A66B4C@alum.mit.edu>
Date: Wed, 04 Apr 2001 14:39:09 -0700
From: Crist Clark
Organization: Globalstar LP
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Nick Rogness
Cc: "Crist J. Clark" , Matthew Reimer , owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
References:
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Nick Rogness wrote:
> 
> On Wed, 4 Apr 2001, Crist J. Clark wrote:
> 
> > Matthew Reimer wrote:
> > >
> > > This might be a start, though I'm not sure how NAT should fit in. You'll
> > > need the IPFIREWALL and IPFIREWALL_FORWARD kernel options.
> > >
> > > ipfw add 1000 fwd 2.2.2.1 ip from 10.10.10.0/25 to any
> > > ipfw add 2000 fwd 2.2.2.2 ip from 10.10.10.128/25 to any
> >
> > Neither of the two responses I saw looked like they would do what the original
> > poster wanted. It is a start, but this one will not work as shown with
> > natd. The search will terminate with the above rules, before being
> > divert(4)ed.
> 
> add 200 fwd 2.2.2.2 ip from 10.10.10.128/25 to any out recv ed0 xmit de0
> add 300 divert natd ip from any to any de0
> 
> IIRC, the above rule 200 will match the inbound packet from ed0,
> change the next hop address, then be re-run through the firewall
> on the way out the interface de0 (rule 300 above) to the
> destination.
> 
> I've tested this with a log rule at 250 and it seems to match the
> outbound packet, so I'm assuming this will work.

I don't think it will. That rule 200 should not work as you say. From
ipfw(8),

     fwd ipaddr[,port]
          ... If the IP is not a local ad-
          dress then the port number (if specified) is ignored and the rule
          only applies to packets leaving the system.
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

I am unsure how it would break tho'. That is, whether the packets fall
in the bitbucket when processed on ed0 or if they get short-circuited to
the wire before getting to 300 when the packet crosses de0.
-- 
Crist J. Clark                                cjclark@alum.mit.edu
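The rule-ordering question argued above (fwd terminating the search before the packet reaches the divert rule, and the ipfw(8) restriction that a fwd to a non-local next hop only applies to packets leaving the system) can be made concrete with a small model of ipfw's first-match search. The block below is an added illustration written for this page; it is not ipfw's code and not something any poster in the thread wrote. It assumes three things that should be stated plainly: fwd ends the search; a divert to natd rewrites the source address to one public address (the usual `natd -a`/`-n` case, here the constructed 2.2.2.254) and rule evaluation then resumes at the rule after the divert; and the manpage text Crist quotes applies, so a fwd to a non-local next hop does not fire on an incoming packet. The addresses, interface names (ed0 inside, de0 outside), the trailing allow rule and the sample packets are all constructed for the example.

```python
# Toy model of ipfw(8) first-match search for the fwd/divert ordering discussed
# in the thread.  Added example, not ipfw's code.  Assumptions: fwd terminates
# the search; divert hands the packet to natd, which rewrites the source to one
# public address and reinjects it so the search resumes at the next rule; a fwd
# to a non-local next hop applies only to packets leaving the system.
# Addresses and interface names are constructed.

from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

NAT_ADDRESS = "2.2.2.254"                      # assumed natd -a address on de0
LOCAL_ADDRESSES = {"10.10.10.1", NAT_ADDRESS}  # assumed addresses of this box


@dataclass
class Packet:
    src: str
    dst: str
    direction: str                              # "in" or "out"
    iface: str                                  # interface the packet is on
    next_hop: Optional[str] = None
    natted: bool = False
    matched: List[int] = field(default_factory=list)  # rule numbers that fired


@dataclass
class Rule:
    number: int
    action: str                                 # "fwd", "divert" or "allow"
    src: str = "any"                            # CIDR or "any"
    direction: Optional[str] = None             # "in", "out" or None for either
    iface: Optional[str] = None                 # interface name or None for any
    arg: Optional[str] = None                   # next hop for fwd


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.action == "fwd" and rule.arg not in LOCAL_ADDRESSES and pkt.direction != "out":
        return False                            # non-local next hop: outgoing packets only
    return True


def run(rules: List[Rule], pkt: Packet) -> str:
    """Walk the ruleset in number order; return the action that ended the search."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        pkt.matched.append(rule.number)
        if rule.action == "fwd":
            pkt.next_hop = rule.arg
            return "fwd"                        # search terminates here
        if rule.action == "divert":
            pkt.src = NAT_ADDRESS               # natd rewrites the source and reinjects;
            pkt.natted = True
            continue                            # the search resumes after the divert rule
        return rule.action
    return "deny"                               # the implicit rule 65535


# Matthew's two fwd rules with a natd divert rule placed after them.
FWD_THEN_DIVERT = [
    Rule(1000, "fwd", "10.10.10.0/25", arg="2.2.2.1"),
    Rule(2000, "fwd", "10.10.10.128/25", arg="2.2.2.2"),
    Rule(3000, "divert", iface="de0"),
    Rule(65000, "allow"),
]

# The same fwd rules with the divert rule in front of them.
DIVERT_THEN_FWD = [
    Rule(300, "divert", iface="de0"),
    Rule(1000, "fwd", "10.10.10.0/25", arg="2.2.2.1"),
    Rule(2000, "fwd", "10.10.10.128/25", arg="2.2.2.2"),
    Rule(65000, "allow"),
]


def outbound_from(src: str) -> Packet:
    return Packet(src=src, dst="198.51.100.10", direction="out", iface="de0")


def fwd_then_divert(src: str = "10.10.10.200") -> Packet:
    pkt = outbound_from(src)
    run(FWD_THEN_DIVERT, pkt)
    return pkt                                  # forwarded, but never reaches the divert


def divert_then_fwd(src: str = "10.10.10.200") -> Packet:
    pkt = outbound_from(src)
    run(DIVERT_THEN_FWD, pkt)
    return pkt                                  # NATed; private-source fwd rules no longer match


def fwd_on_inbound_pass(src: str = "10.10.10.200") -> Packet:
    """A fwd with a non-local next hop evaluated on the inbound pass on ed0."""
    pkt = Packet(src=src, dst="198.51.100.10", direction="in", iface="ed0")
    run([Rule(200, "fwd", "10.10.10.128/25", arg="2.2.2.2"), Rule(65000, "allow")], pkt)
    return pkt                                  # fwd not applied; falls through to allow


if __name__ == "__main__":
    for name, fn in (("fwd then divert", fwd_then_divert),
                     ("divert then fwd", divert_then_fwd),
                     ("fwd on inbound pass", fwd_on_inbound_pass)):
        p = fn()
        print(f"{name:20s} matched={p.matched} next_hop={p.next_hop} natted={p.natted}")
```

Under these assumptions the model reproduces the objection in the thread: with the fwd rules numbered before the divert, an outbound packet from 10.10.10.200 gets its next hop set to 2.2.2.2 and the search ends before natd ever sees it. Moving the divert in front does not rescue the two-gateway design either, because by the time rules 1000 and 2000 are evaluated natd has already rewritten the source to the single public address, so a match keyed on the private /25 cannot fire and the packet follows the ordinary default route. The third scenario shows the manpage restriction Crist quotes: the same fwd evaluated on the inbound pass on ed0 is simply not applied. Whether a real deployment can be arranged to sidestep this (for instance by keying the fwd on something other than the pre-NAT source) is not something the thread settles, and the model does not claim to.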