From: Vladimir Grigor <xvga@mail.ru>
To: freebsd-questions@freebsd.org
Date: Fri, 10 Mar 2006 11:43:56 +0600
Subject: ipfw2+divert: why is the divert rule ignored?

FreeBSD 5.4

Specifically, I can't figure out why rule 3800 is ignored... :confused: If you have an idea, just give me a clue about it.... Thanks...

Regular NAT is working properly, but I can't configure NAPT to services on a server in the LAN.... The interface to the LAN is also untrusted; that's why there are so many details in the config...
tun0 - interface to the Internet
vr1 - interface to the LAN
212.42.xxx.xxx - my external IP

Firewall rules (# ipfw -de sh):

[CODE]
03800    0    0 divert 6893 log logamount 100 tcp from 192.168.0.1 80 to any out via tun0
04000    0    0 check-state
04400    0    0 allow log logamount 100 tcp from 212.42.xxx.xxx 80 to any out via tun0
04700   25 1554 divert 6893 log logamount 100 tcp from any to 212.42.xxx.xxx dst-port 80 in via tun0
05000  150 6816 allow log logamount 100 tcp from any to 192.168.0.1 dst-port 80 in via tun0 setup keep-state
...
## Dynamic rules (14):
05000   17  768 (0s) STATE tcp 212.112.117.70 1212 <-> 192.168.0.1 80
...
[/CODE]

/var/log/security:

[CODE]
...
Mar 9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1
#^ this is OK - the packet is ready to be caught by rule 3800, but that rule is ignored and the packet is processed by the dynamic rule :confused:
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
...
[/CODE]

natd is started by:

[CODE]
natd -log_denied -s -m -p 6893 -dynamic -n tun0 -redirect_port tcp 192.168.0.1:80 80 -log_ipfw_denied -l
[/CODE]

-- 
Best regards,
Vladimir
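As an added example (not part of the original post, and not FreeBSD's or natd's own code): a small Python script that parses the `ipfw: <rule> <action> ...` lines ipfw writes to /var/log/security and flags packets that left the external interface with a private (RFC 1918) source address. That is what a reply that never reached the natd divert rule looks like on the wire, since natd only rewrites the source of packets the firewall actually hands to it. The regex is derived from the log lines quoted above, the sample log is those same lines, and the function names and the interface/port arguments are my own choices.

```python
"""Audit ipfw log lines for replies that leave the external interface un-NATed.

Added example, not from the original post. It parses the "ipfw: <rule> <action>
<proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>" lines from
/var/log/security and reports packets that went out via the external interface
still carrying a private source address, i.e. replies that bypassed natd.
"""
import re
from ipaddress import ip_address

# Shape of a logged ipfw packet, e.g.
#   ipfw: 4700 Divert 6893 TCP 1.2.3.4:1212 5.6.7.8:80 in via tun0
#   ipfw: 5000 Accept TCP 1.2.3.4:1212 192.168.0.1:80 out via vr1
# "arg" is the optional numeric argument after the action (the divert port).
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>[A-Za-z]+)(?: (?P<arg>\d+))? (?P<proto>\w+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

# Sample input: the log lines quoted in the post (212.42.xxx.xxx is the
# poster's masked external address and is kept as-is).
SAMPLE_LOG = """\
Mar 9 14:40:23 free kernel: ipfw: 4700 Divert 6893 TCP 212.112.117.70:1212 212.42.xxx.xxx:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 in via tun0
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 212.112.117.70:1212 192.168.0.1:80 out via vr1
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 in via vr1
Mar 9 14:40:23 free kernel: ipfw: 5000 Accept TCP 192.168.0.1:80 212.112.117.70:1212 out via tun0
"""


def parse_line(line):
    """Return the fields of one ipfw log line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_private(addr):
    """True for RFC 1918 (and other non-global) addresses.

    Masked addresses such as 212.42.xxx.xxx do not parse and are treated as
    public, so they never trigger a finding.
    """
    try:
        return ip_address(addr).is_private
    except ValueError:
        return False


def find_unnatted_egress(log_text, external_iface):
    """Packets that went out via `external_iface` with a private source address.

    Each such packet was accepted by a rule (logged as rec["rule"]) without
    having been diverted to natd first, so its source was never rewritten.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dir"] == "out" and rec["iface"] == external_iface and is_private(rec["src"]):
            findings.append(rec)
    return findings


def diverted_flows(log_text, divert_port):
    """Set of (src, dst) endpoint pairs that were handed to natd on `divert_port`."""
    flows = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Divert" and rec["arg"] == str(divert_port):
            flows.add((f'{rec["src"]}:{rec["sport"]}', f'{rec["dst"]}:{rec["dport"]}'))
    return flows


if __name__ == "__main__":
    # Run against the post's log: the only finding is the reply accepted by
    # rule 5000 going out via tun0 with source 192.168.0.1.
    print("diverted:", diverted_flows(SAMPLE_LOG, 6893))
    for rec in find_unnatted_egress(SAMPLE_LOG, "tun0"):
        print(f'rule {rec["rule"]} ({rec["action"]}) let {rec["src"]}:{rec["sport"]} '
              f'-> {rec["dst"]}:{rec["dport"]} out via {rec["iface"]} without NAT')
```

On the post's own log this reports exactly one packet: the reply from 192.168.0.1:80 that rule 5000 accepted out via tun0. Pointed at a live /var/log/security (`find_unnatted_egress(open("/var/log/security").read(), "tun0")`), it gives a quick check, after any rule reordering, that no private source address is still escaping the external interface.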