From owner-freebsd-security Wed Apr 4 15:30:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id C15C537B72F for ; Wed, 4 Apr 2001 15:30:44 -0700 (PDT) (envelope-from nick@rogness.net)
Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f34NXnY08334; Wed, 4 Apr 2001 18:33:50 -0500 (CDT) (envelope-from nick@rogness.net)
Date: Wed, 4 Apr 2001 18:33:49 -0500 (CDT)
From: Nick Rogness
X-Sender: nick@cody.jharris.com
To: Crist Clark
Cc: "Crist J. Clark" , Matthew Reimer , owensmk@earthlink.net, security@FreeBSD.ORG
Subject: Re: Multiple Default Gateways using DIVERT
In-Reply-To: <3ACB947D.16A66B4C@alum.mit.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 4 Apr 2001, Crist Clark wrote:

> > add 200 fwd 2.2.2.2 ip from 10.10.10.128/25 to any out recv ed0 xmit de0
> > add 300 divert natd ip from any to any de0
> >
> > IIRC, the above rule 200 will match the inbound packet from ed0,
> > change the next hop address, then be re-run through the firewall
> > on the way out the interface de0 (rule 300 above) to the
> > destination.
> >
> > I've tested this with a log rule at 250 and it seems to match the
> > outbound packet, so I'm assuming this will work.
>
> I don't think it will. That rule 200 should not work as you say. From
> ipfw(8),

That's odd. When I add to the above ruleset:

add 250 log ip from any to any out via de0

I see the packet going outbound...

> fwd ipaddr[,port]
> ... If the IP is not a local address then the port number (if specified) is
> ignored and
> the rule only applies to packets leaving the system.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> I am unsure how it would break tho'. That is, whether the packets fall
> in the bitbucket when processed on ed0 or if they get shortcircuited to
> the wire before getting to 300 when the packet crosses de0.

I'm not sure on this one, I'll send some actual logs in a while when I
get home.

Nick Rogness - Keep on Routing in a Free World...
"FreeBSD: The Power to Serve!"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
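As an added illustration (not code from the thread or from ipfw itself), here is a small Python model of first-match evaluation for the three rules quoted above: it applies ipfw's direction, source-prefix and recv/xmit/via matching on the inbound and outbound passes, treats divert as terminating, models the rule 250 log as count-and-continue, and leaves whether fwd ends evaluation (the open question in the thread) as a switch. The bare `de0` on rule 300 is read as `via de0`.

```python
import ipaddress
from dataclasses import dataclass
# Constructed model of the ipfw rules quoted in the thread; not ipfw's own code.
@dataclass
class Rule:
    num: int
    action: str               # "fwd", "count" (log and continue) or "divert"
    src: str = "0.0.0.0/0"
    direction: str = None     # "in", "out" or None for either pass
    recv: str = None          # receive interface constraint
    xmit: str = None          # transmit interface constraint (output pass only)
    via: str = None           # matches either interface

@dataclass
class Packet:
    src: str
    direction: str            # "in" on the receive pass, "out" on the transmit pass
    recv_if: str
    xmit_if: str = None       # unknown on the inbound pass

RULES = [
    Rule(200, "fwd", src="10.10.10.128/25", direction="out", recv="ed0", xmit="de0"),
    Rule(250, "count", direction="out", via="de0"),  # Nick's log rule, modelled as count
    Rule(300, "divert", via="de0"),                   # "de0" read as "via de0"
]

def matches(rule, pkt):
    """ipfw-style predicate check: direction, source prefix, recv/xmit/via."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if rule.recv and rule.recv != pkt.recv_if:
        return False
    if rule.xmit and rule.xmit != pkt.xmit_if:
        return False
    if rule.via and rule.via not in (pkt.recv_if, pkt.xmit_if):
        return False
    return True

def walk(pkt, fwd_terminates=True):
    """Rule numbers matched in order until a terminating action is reached."""
    hit = []
    for rule in RULES:
        if not matches(rule, pkt):
            continue
        hit.append(rule.num)
        if rule.action == "divert" or (rule.action == "fwd" and fwd_terminates):
            break
    return hit
```

On the inbound pass through ed0 none of the three rules match, because rule 200 and the log rule are `out`-only and rule 300 only sees de0; on the outbound pass a source in 10.10.10.128/25 hits the fwd rule first, while any other source is logged and handed to natd.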