Date: Mon, 20 Sep 2004 17:59:06 -0000 From: Thomas Wolf <tw@wsf.at> To: jose@hostarica.com, Cristian Ursuleanu <cristi@debug.ro> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw & natd Message-ID: <20040920195906.eedkv0u7mcookk@.mailhost.wsf.at>
Jose Hidalgo Herrera <jose@hostarica.com> wrote:
> You are right, but Thomas too!
>
> what is missing here is:
> # sysctl -w net.inet.ip.fw.one_pass=1

No, this sysctl is for dummynet only and does not affect natd.
Natd always re-injects packets into the firewall:
"After translation by natd, packets re-enter the firewall at the rule
number following the rule number that caused the diversion" (man natd)

> Use the divert first, with one_pass=1 the packet will
> be reinjected and your fwd rule will work just fine.
>
> --- this will do
> sysctl -w net.inet.ip.fw.one_pass=1
>
> natd -p 8668 -interface rl0
> natd -p 8669 -interface rl1
>
> ipfw add 1000 divert 8668 all from any to any rl0
> ipfw add 2000 divert 8669 all from any to any rl1
> ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
> ---

No, this will not work, you should omit the 'from 10.0.0.0/24' part.
After being translated by natd, the packets coming from the LAN will no
longer have 10.0.0.0/24 as src-addr.

Thomas
--
Thomas Wolf
Wiener Software Fabrik Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
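The following is an added illustration, not part of the thread and not FreeBSD code: a small Python model of ipfw rule traversal in which a divert rule hands the packet to natd and the translated packet re-enters at the rule number following the divert, as the man natd quote above describes. Run against the rule set exactly as posted and against the same set with 'from 10.0.0.0/24' dropped, it shows why the posted fwd rule never matches. The public addresses assigned to the two natd instances, the sample LAN packet, and the treatment of the trailing interface name as 'via' are constructed assumptions; packet direction ('out') is not modelled, every packet in the model is outbound.

```python
# Added example (not from the thread): a simplified model of ipfw rule
# evaluation with natd divert re-entry.  It is a teaching model, not ipfw.
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst: str        # destination address
    proto: str      # 'tcp', 'udp', ...
    dport: int      # destination port
    via: str        # interface the packet is leaving through
    recv: str       # interface the packet was received on


@dataclass(frozen=True)
class Rule:
    num: int                      # ipfw rule number
    action: str                   # 'divert', 'fwd' or 'allow'
    arg: str = ''                 # divert port or fwd next-hop address
    proto: str = 'all'
    src: str = 'any'              # address, CIDR, or 'any'
    dst: str = 'any'
    dport: Optional[int] = None
    via: Optional[str] = None     # trailing interface name in the posted rules
    recv: Optional[str] = None    # 'recv <iface>'


def _net_match(spec: str, addr: str) -> bool:
    return spec == 'any' or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Return True if every option of the rule matches the packet."""
    if rule.proto != 'all' and rule.proto != pkt.proto:
        return False
    if not _net_match(rule.src, pkt.src) or not _net_match(rule.dst, pkt.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.via is not None and rule.via != pkt.via:
        return False
    if rule.recv is not None and rule.recv != pkt.recv:
        return False
    return True


# Constructed (assumed) mapping: natd divert port -> public address of its -interface.
NATD_PUBLIC = {8668: '198.51.100.1', 8669: '203.0.113.1'}


def natd_translate(port: int, pkt: Packet) -> Packet:
    """Model of natd outbound translation: the private source becomes the public address."""
    return replace(pkt, src=NATD_PUBLIC[port])


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, Packet, List[int]]:
    """Walk the rule set in number order.  A matching divert rule sends the packet
    through natd and evaluation resumes at the next rule (man natd behaviour).
    Returns (action, argument, final packet, numbers of the rules that matched)."""
    ordered = sorted(rules, key=lambda r: r.num)
    trace: List[int] = []
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if matches(rule, pkt):
            trace.append(rule.num)
            if rule.action == 'divert':
                pkt = natd_translate(int(rule.arg), pkt)
                i += 1          # re-entry point: the rule following the divert
                continue
            return rule.action, rule.arg, pkt, trace
        i += 1
    return 'allow', '', pkt, trace   # model default when no terminal rule matched


# The three rules as posted in the thread, and the same set with 'from 10.0.0.0/24' removed.
POSTED = [
    Rule(1000, 'divert', '8668', via='rl0'),
    Rule(2000, 'divert', '8669', via='rl1'),
    Rule(2010, 'fwd', '5.6.7.8', proto='tcp', src='10.0.0.0/24', dport=80, recv='ed0'),
]
FIXED = [
    Rule(1000, 'divert', '8668', via='rl0'),
    Rule(2000, 'divert', '8669', via='rl1'),
    Rule(2010, 'fwd', '5.6.7.8', proto='tcp', dport=80, recv='ed0'),
]

# Constructed packet: a LAN host behind ed0 opening an HTTP connection out through rl0.
LAN_HTTP = Packet(src='10.0.0.5', dst='192.0.2.10', proto='tcp', dport=80, via='rl0', recv='ed0')

if __name__ == '__main__':
    for name, rules in (('posted', POSTED), ('fixed', FIXED)):
        action, arg, final, trace = evaluate(rules, LAN_HTTP)
        print(f'{name}: matched {trace}, final src {final.src}, action {action} {arg}')
```

With the posted rules the packet matches 1000, comes back from natd with the public source address, misses 2000 (wrong interface) and misses 2010 because its source is no longer in 10.0.0.0/24, so it falls off the end of the set. With the source clause removed, the same packet is diverted at 1000 and forwarded by 2010, which is the ordering Thomas describes.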