From: Vladimir Grigor <xvga@mail.ru>
Date: Tue, 14 Mar 2006 09:06:37 +0600
To: Dennis Olvany
Cc: freebsd-ipfw@freebsd.org
Subject: Re[2]: ipfw2(stateful)+divert; why divert rule is ignored?
Message-ID: <1053991119.20060314090637@mail.ru>
In-Reply-To: <4415CD14.9070000@gmail.com>
References: <1438179712.20060310114356@mail.ru> <1014435727.20060313174344@mail.ru> <4415CD14.9070000@gmail.com>
List-Id: IPFW Technical Discussions

Thanks to all, now the problem is solved.

Tuesday, March 14, 2006, 1:50:44 AM, Dennis wrote:

>> Regular NAT is working properly, but I can't configure NAPT to
>> services on server in LAN....

DO> You mean port forwarding?

Yep.

>> 03800 0 0 divert 6893 log logamount 100 tcp from
>> 192.168.0.1 80 to any out via tun0

DO> Possibly traffic has already been translated at this point?

The trick is that I used a 'count' rule to identify the corresponding traffic.
I've replaced that 'divert' rule with a 'count' rule - nothing, no traffic on that rule.
Then, just to try, I put a 'count' rule 10 rules before the not-working divert rule,
and surprisingly the 'count' rule found traffic! I need to say those 10 rules are
indifferent to the corresponding traffic. So I just moved the divert rules to an
earlier place in the ruleset and it works. This weird behavior of ipfw seems to me
like ... weird at least :)

>> 04700 25 1554 divert 6893 log logamount 100 tcp from any to
>> 212.42.xxx.xxx dst-port 80 in via tun0

DO> Why multiple diverts?

Because I have several services in LAN to offer www users.

>> 05000 150 6816 allow log logamount 100 tcp from any to 192.168.0.1
>> dst-port 80 in via tun0 setup keep-state

DO> I believe you'll find setup keep-state incompatible with natd.

Surprisingly - it works!

-- 
Best regards,
 Vladimir                            mailto:xvga@mail.ru
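Added example, not Vladimir's or the list's own ruleset: a dry-run ipfw skeleton in sh showing the ordering the thread ends up with, the natd divert rules placed ahead of the stateful allow, with 'count' probe rules before and after the divert so a packet that never reaches it shows up as a zero counter in 'ipfw -a list'. It assumes natd listens on port 6893 with a '-redirect_port tcp 192.168.0.1:80 80' entry (not stated in the thread); the external address 212.42.xxx.xxx is the placeholder from the original post, and the rule numbers, the fw() helper, divert_before_keepstate() and count_rules() are my own.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Dry-run ipfw skeleton: the divert
# rules for natd sit ahead of the stateful allow, with 'count' probes around them.
# Assumes natd was started as:
#   natd -p 6893 -n tun0 -redirect_port tcp 192.168.0.1:80 80

NATD_PORT=6893                 # natd divert port from the thread
EXT_IF=tun0                    # external interface from the thread
EXT_IP="212.42.xxx.xxx"        # placeholder external address kept from the original post
LAN_WWW=192.168.0.1            # LAN web server from the thread

# fw: print the rule when DRYRUN is set, otherwise hand it to ipfw(8).
fw() {
    if [ -n "$DRYRUN" ]; then
        printf 'ipfw add %s\n' "$*"
    else
        ipfw add "$@"
    fi
}

# rules: the ruleset in evaluation order (lowest number first).
rules() {
    # probe 1: does the inbound request reach this point untranslated?
    fw 3000 count tcp from any to "$EXT_IP" dst-port 80 in via "$EXT_IF"
    # natd rewrites dst $EXT_IP:80 -> $LAN_WWW:80 and reinjects at the next rule
    fw 3100 divert "$NATD_PORT" tcp from any to "$EXT_IP" dst-port 80 in via "$EXT_IF"
    # replies from the LAN server: natd rewrites src $LAN_WWW:80 -> $EXT_IP:80
    fw 3200 divert "$NATD_PORT" tcp from "$LAN_WWW" 80 to any out via "$EXT_IF"
    # probe 2: after natd the request carries the LAN address
    fw 3300 count tcp from any to "$LAN_WWW" dst-port 80 in via "$EXT_IF"
    # the stateful allow comes AFTER the divert, so it sees the translated packet
    fw 5000 allow tcp from any to "$LAN_WWW" dst-port 80 in via "$EXT_IF" setup keep-state
    # translated replies leaving on the external interface
    fw 5100 allow tcp from "$EXT_IP" 80 to any out via "$EXT_IF"
    # the rest of the site's ruleset (other services, default deny) goes here
}

# divert_before_keepstate: succeeds when the first divert rule is numbered
# lower than the keep-state rule, i.e. natd sees the packet before state is kept.
divert_before_keepstate() {
    out=$(DRYRUN=1 rules)
    d=$(printf '%s\n' "$out" | awk '$4=="divert"{print $3; exit}')
    k=$(printf '%s\n' "$out" | awk '/keep-state/{print $3; exit}')
    [ -n "$d" ] && [ -n "$k" ] && [ "$d" -lt "$k" ]
}

# count_rules: number of emitted rules whose action is $1 (e.g. divert, count).
count_rules() {
    DRYRUN=1 rules | awk -v a="$1" '$4==a{n++} END{print n+0}'
}

case "${1:-}" in
    --apply) rules ;;          # run as root on the router to load the rules
    *)       DRYRUN=1 rules ;; # default: just print what would be loaded
esac
```

Running the script without arguments prints the rules it would load; after loading them for real, 'ipfw -a list' shows the probe counters, and a non-zero count on rule 3000 next to a zero on rule 3300 means the packet is consumed somewhere between the two probes rather than by natd.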