From owner-freebsd-ipfw@FreeBSD.ORG Thu Jul 16 10:11:54 2009
From: Kim Attree <kim.attree@playsafesa.com>
To: Kim Attree
Cc: "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Date: Thu, 16 Jul 2009 12:12:34 +0200
Subject: RE: Problem with source based policy routing
Thread-Topic: Problem with source based policy routing
Message-ID: <00265389C30B444288C246DF37651D0C37970A1028@server-02.playsafesa.com>
In-Reply-To: <00265389C30B444288C246DF37651D0C37698F395A@server-02.playsafesa.com>
References: <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com>
 <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
 <00265389C30B444288C246DF37651D0C37698F395A@server-02.playsafesa.com>
List-Id: IPFW Technical Discussions
List-Archive: http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-ipfw@freebsd.org] On Behalf Of Kim Attree
> Sent: 07 July 2009 09:21 AM
> To: Giuliano Gavazzi
> Cc: freebsd-ipfw@freebsd.org
> Subject: RE: Problem with source based policy routing
>
> > -----Original Message-----
> > From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> > Sent: 06 July 2009 06:54 PM
> > To: Kim Attree
> > Cc: freebsd-ipfw@freebsd.org
> > Subject: Re: Problem with source based policy routing
> >
> > On Mon 6 Jul, 2009, at 15:35, Kim Attree wrote:
> >
> > > I have one Internal Exchange server (don't laugh), and NAT handles
> > > the static mapping of IP/Port to that server. The original point
> > > here is to have two mapped NAT port 25's to the same internal Mail
> > > server, hence the addition of the NAT before and during the forward
> > > logic (obviously wrong though).
> >
> > ah, if you want to have an internal server to be reachable on both
> > public addresses, via the corresponding two firewall interfaces, you
> > must have a way to tell the firewall how to distinguish the return
> > packets in order to use the correct natd instance. If the internal
> > exchange server port is the same, there is no way of telling that. At
> > most you could use the peer port, but even that would not be
> > failproof, and I would not know how to proceed (I think dynamic rules
> > can only establish holes - allow action - in the firewall, not a fwd
> > action). So you must use two different ports or alias addresses on the
> > exchange server, and divert to the appropriate outgoing natd instance
> > on the basis of that.
> >
> > I have not enough time at the moment to write down a complete
> > workflow, but I hope this, with the remarks in my previous post, gives
> > you enough hints.
>
> It has, I realised that the return traffic needs differing source IPs
> - I've added another IP and SMTP Connector to exchange and will test
> the theory out today.

SUCCESS !!!!!

I set up the Microsoft server to have a second SMTP connector on 10.0.0.2:588

NATD setup as follows:

    port 8669
    alias_address 192.168.2.1
    same_ports yes
    use_sockets yes
    log_ipfw_denied yes
    redirect_port tcp 10.0.0.2:588 192.168.2.1:25

Then, in IPFW: (Making sure packets hit the NAT first...:)

    add 00079 divert 8669 all from any to any via re1
    add 00080 skipto 00082 all from 10.0.0.2 to 10.0.0.0/20
    add 00080 skipto 00082 all from not 10.0.0.2 to any
    add 00081 fwd 192.168.2.254 all from 10.0.0.2 to any

And a quick test from an outside server 12000 miles away:

    [root@bubbles ~]# telnet 192.168.2.1 25
    Trying 192.168.2.1...
    Connected to 192.168.2.1.
    Escape character is '^]'.
    220 xxx.xxx.com Microsoft ESMTP MAIL Service ready at Thu, 16 Jul 2009 12:10:51 +0200
    quit
    221 2.0.0 Service closing transmission channel
    Connection closed by foreign host.

Thanks again Giuliano !!!

Kim Attree

> > Giuliano
>
> Thanks,
>
> Kim
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
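The scheme Kim ends up with, written out as one complete dual-uplink ruleset generator. This is an added example, not Kim's ruleset or anything from the thread. The values that come from the message are re1, alias 192.168.2.1, next hop 192.168.2.254, the server's second address 10.0.0.2 listening on 588, natd port 8669 and the LAN 10.0.0.0/20. Everything about the first uplink is assumed for illustration: that it is re0 with alias 192.168.1.1 and a natd on 8668, that it carries the default route, and that the server's first address 10.0.0.1 still answers on port 25. Rule 00082, which the skipto lands on, is also assumed; the thread does not show what follows 00081.

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for a two-uplink
# ipfw/natd setup where one internal mail server is reachable on both
# public addresses. The return path is told apart by SOURCE ADDRESS, which
# is why the second natd redirects to a different internal ip:port.
# ASSUMED (not in the thread): re0/192.168.1.1/natd 8668 as the default
# uplink, 10.0.0.1:25 as the server's first listener, rule 00082 as the
# skipto target.

LAN=10.0.0.0/20
NAT1_PORT=8668; NAT1_IF=re0; NAT1_ALIAS=192.168.1.1; MAIL1=10.0.0.1:25   # assumed
NAT2_PORT=8669; NAT2_IF=re1; NAT2_ALIAS=192.168.2.1; MAIL2=10.0.0.2:588  # from thread
NAT2_GW=192.168.2.254
MAIL2_IP=${MAIL2%:*}

# One natd(8) config per uplink. Each instance aliases to its own public
# address and redirects inbound :25 to a different internal socket.
write_natd_conf() {
    # $1 file, $2 natd port, $3 alias address, $4 internal ip:port
    cat >"$1" <<EOF
port $2
alias_address $3
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp $4 $3:25
EOF
}

# Print the ipfw rules in the order they must be installed.
emit_rules() {
    # 1. NAT first, on each uplink, in both directions ("via" = in or out).
    printf 'add 00078 divert %s all from any to any via %s\n' "$NAT1_PORT" "$NAT1_IF"
    printf 'add 00079 divert %s all from any to any via %s\n' "$NAT2_PORT" "$NAT2_IF"
    # 2. Hop over the fwd for anything that must NOT be policy-routed:
    #    LAN-local traffic from the second address, and anything not
    #    sourced from it. Reusing number 00080 twice is legal in ipfw.
    printf 'add 00080 skipto 00082 all from %s to %s\n' "$MAIL2_IP" "$LAN"
    printf 'add 00080 skipto 00082 all from not %s to any\n' "$MAIL2_IP"
    # 3. What is left is the second address talking to the Internet: hand
    #    it to the re1 next hop so it leaves via re1 and is NATed by 8669.
    printf 'add 00081 fwd %s all from %s to any\n' "$NAT2_GW" "$MAIL2_IP"
    # 4. skipto target (assumed); the rest of the site policy follows here.
    printf 'add 00082 count ip from any to any\n'
}

# Install with:  IPFW='ipfw -q' sh thisfile   (with IPFW unset, just print)
apply_rules() {
    emit_rules | while IFS= read -r rule; do
        ${IPFW:-echo} $rule        # word-splitting of $rule is intended
    done
}

# Rule number (as a plain integer) of the first rule matching pattern $1.
rule_number() {
    emit_rules | awk -v pat="$1" '$0 ~ pat { print $2 + 0; exit }'
}

apply_rules
```

Two caveats a practitioner would check before relying on this: the fwd action needs kernel support (the IPFIREWALL_FORWARD option on FreeBSD of that era), and the second natd must actually be started against its own config (natd -f with the file written by write_natd_conf) or rule 00079 diverts into nothing and the packets are dropped.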