From owner-freebsd-net@FreeBSD.ORG Tue Nov 29 13:07:31 2005
Return-Path:
X-Original-To: freebsd-net@freebsd.org
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD8B816A41F for ; Tue, 29 Nov 2005 13:07:31 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from thorn.pobox.com (thorn.pobox.com [208.210.124.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 36DD743D5E for ; Tue, 29 Nov 2005 13:07:30 +0000 (GMT) (envelope-from b.candler@pobox.com)
Received: from thorn (localhost [127.0.0.1]) by thorn.pobox.com (Postfix) with ESMTP id 59905DE; Tue, 29 Nov 2005 08:07:52 -0500 (EST)
Received: from mappit.local.linnet.org (212-74-113-67.static.dsl.as9105.com [212.74.113.67]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by thorn.sasl.smtp.pobox.com (Postfix) with ESMTP id 0FE2058D; Tue, 29 Nov 2005 08:07:50 -0500 (EST)
Received: from lists by mappit.local.linnet.org with local (Exim 4.54 (FreeBSD)) id 1Eh5Ch-000AYT-Om; Tue, 29 Nov 2005 13:07:27 +0000
Date: Tue, 29 Nov 2005 13:07:27 +0000
From: Brian Candler
To: asko
Message-ID: <20051129130727.GA40492@uk.tiscali.com>
References: <438C3172.6010806@ultrasoft.ee>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <438C3172.6010806@ultrasoft.ee>
User-Agent: Mutt/1.4.2.1i
Cc: freebsd-net@freebsd.org
Subject: Re: natd redirected ports from LAN
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Nov 2005 13:07:31 -0000

On Tue, Nov 29, 2005 at 12:46:10PM +0200, asko wrote:
> I'm searching for a better, faster solution..
> Does it exist?

Do your constraints allow you to switch to 'pf' instead of 'ipfw'? I think you may be able to do it that way.
I had a similar situation where I wanted traffic originating from the local host to be processed specially. The case in point was redirection rather than NAT, but the same principles probably apply. Using pf I forced the traffic back through the loopback interface so it was treated as 'incoming' traffic. E.g. see the thread around http://lists.freebsd.org/pipermail/freebsd-pf/2005-September/001495.html

Maybe in your case you just need two rdr rules: one bound to the internal interface, and one to the external one.

I stopped using ipfw several years ago because of a number of issues with NAT, especially some horrible scenarios with multiple external interfaces, IPSEC tunnels, and needing to run multiple instances of natd :-{

Regards,

Brian.
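The following pf.conf fragment is an added illustration of the two-rdr-rule approach Brian suggests (it is not configuration from the post or the thread), including the nat rule that reflected LAN connections need so that the server's replies come back through the firewall. Interface names fxp0/fxp1, the LAN prefix and the server address are assumed placeholders.

```pf
# Added example (not from the original post): NAT reflection for a port
# forward, so LAN clients can reach the published service through the
# external address.  Interface names and addresses are placeholders.
ext_if = "fxp0"            # assumed external interface
int_if = "fxp1"            # assumed internal (LAN) interface
lan    = "192.168.1.0/24"  # assumed LAN prefix
server = "192.168.1.10"    # assumed internal web server

# 1. Normal port forward for connections arriving from the Internet.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $server port 80

# 2. The same redirection bound to the internal interface, for LAN
#    clients that connect to the external address instead of $server.
rdr on $int_if proto tcp from $lan to ($ext_if) port 80 -> $server port 80

# Without this nat rule $server would answer a reflected LAN client
# directly (same subnet); the reply would bypass the firewall's state
# and the client would discard it because it does not match the
# connection it opened.  Rewriting the source to the firewall's LAN
# address keeps both directions on the firewall.  It is scoped to the
# reflected port only, so other LAN-to-server traffic is untouched.
nat on $int_if proto tcp from $lan to $server port 80 -> ($int_if)

# Filter rules: by the time these are evaluated the rdr has already
# rewritten the destination, so match on $server, not the external IP.
pass in on $ext_if proto tcp from any to $server port 80 flags S/SA keep state
pass in on $int_if proto tcp from $lan to $server port 80 flags S/SA keep state

# With a default-deny ruleset the reflected connection must also be
# allowed back out on $int_if towards $server.
pass out on $int_if proto tcp from ($int_if) to $server port 80 flags S/SA keep state
```

Check the result with `pfctl -s nat` and `pfctl -s state` while a LAN client connects to the external address: a working reflection shows both the rdr and the nat translation for that connection.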