Date: Mon, 20 Sep 2004 18:05:55 -0000
From: Thomas Wolf <tw@wsf.at>
To: Cristian Ursuleanu <cristi@debug.ro>, Thomas Wolf <tw@wsf.at>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw & natd
Message-ID: <20040920200555.eei75hvd9c00wg@.mailhost.wsf.at>

Cristian Ursuleanu <cristi@debug.ro> wrote:

> from ipfw manual:
>
> "divert port
>     Divert packets that match this rule to the divert(4)
>     socket bound to port port.  The search terminates.
>     -----------------
> "

Ah, ok, my statement was misleading. You're right, 'divert' does not
re-inject packets by itself - but 'natd' does.

Thomas

> On Mon, 20 Sep 2004, Thomas Wolf wrote:
>
> > Cristian Ursuleanu <cristi@debug.ro> wrote:
> >
> > > Hi,
> > >
> > > I have a problem with ipfw:
> > >
> > >  (10.0.0.x)    (ed0)(10.0.0.1)(rl0)    (1.2.3.4)
> > >  --LAN----------------FreeBSD--------------ISP_1
> > >                          |
> > >                          |(rl1)
> > >                          |
> > >                          |    (5.6.7.8)
> > >                          |_________________ISP_2
> > >
> > > the default route is 1.2.3.4
> > > ( $ route add -net 0.0.0.0 1.2.3.4 )
> > >
> > > I want to forward only port 80 from LAN to ISP_2 .
> > >
> > > I do:
> > > $ natd -p 8668 -interface rl0
> > > $ natd -p 8669 -interface rl1
> > >
> > > $ ipfw add 500 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80
> > > $ ipfw add 1000 divert 8668 all from any to any rl0
> > > $ ipfw add 2000 divert 8669 all from any to any rl1
> > >
> > > and it seems not to work.
> > > 'tcpdump' on rl1 shows connections from 10.0.0.2.3122 > WEB_SERVER.80 , and
> > > it must be: 5.6.7.8 > WEB_SERVER.80
> > >
> > > is missing the natd .
> > >
> > > what is wrong?
> >
> > The 'fwd' action terminates the search through the ruleset, so
> > your rule 2000 will never match on outgoing packets to :80.
> > Try putting the 'fwd' statement after 2000 ('divert' re-injects
> > packets at the next rule), something like this:
> > add 2010 fwd 5.6.7.8 tcp from any to any 80 out recv ed0.
> >
> > Thomas
> >
> > --
> > Thomas Wolf
> > Wiener Software Fabrik
> > Dubas u. Wolf GMBH
> > 1050 Wien, Mittersteig 4
> >
> > _______________________________________________
> > freebsd-ipfw@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> >

--
Thomas Wolf
Wiener Software Fabrik
Dubas u. Wolf GMBH
1050 Wien, Mittersteig 4
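
The rule ordering discussed in this thread, as an added example that is not part of the original messages and not FreeBSD code: a toy Python model that walks both rulesets for one outbound LAN packet. It assumes what the thread states ('fwd' ends the search; natd re-injects at the rule after the divert rule), reads the trailing "rl0"/"rl1" as "via <iface>", assumes the packet keeps its receive interface across re-injection, and uses a placeholder string for the natd alias address.

```python
# Toy model of the ipfw behaviour discussed in the thread (constructed example).
# Assumptions: rules run in ascending number order, 'fwd' ends the search, and
# natd rewrites the source, then re-injects at the rule after the divert rule.

def lan_http(p):            # tcp from 10.0.0.0/24 to any 80
    return p["proto"] == "tcp" and p["src"].startswith("10.0.0.") and p["dport"] == 80

def via(iface):             # the poster's trailing "rl0"/"rl1", read as "via <iface>"
    return lambda p: iface in (p["recv"], p["xmit"])

def http_out_recv_ed0(p):   # tcp from any to any 80 out recv ed0
    return p["proto"] == "tcp" and p["dport"] == 80 and p["recv"] == "ed0"

ORIGINAL = [
    (500, "fwd", "5.6.7.8", lan_http),
    (1000, "divert", 8668, via("rl0")),
    (2000, "divert", 8669, via("rl1")),
]
REORDERED = [
    (1000, "divert", 8668, via("rl0")),
    (2000, "divert", 8669, via("rl1")),
    (2010, "fwd", "5.6.7.8", http_out_recv_ed0),
]

def walk(rules, packet):
    """Return (trace, packet) for one outbound pass through the ruleset."""
    p, trace, start = dict(packet), [], 0
    while True:
        for num, action, arg, match in sorted(rules, key=lambda r: r[0]):
            if num < start or not match(p):
                continue
            trace.append((num, action, arg))
            if action == "fwd":                 # search terminates here
                p["next_hop"] = arg
                return trace, p
            p["src"] = f"alias-of-natd-{arg}"   # divert: placeholder alias address
            start = num + 1                     # natd re-injects after this rule
            break
        else:
            return trace, p                     # no more matches: default route

# Constructed packet: LAN client to a web server, default route via rl0.
PACKET = {"proto": "tcp", "src": "10.0.0.2", "dport": 80, "recv": "ed0", "xmit": "rl0"}

if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        trace, p = walk(rules, PACKET)
        print(name, trace, "src =", p["src"], "next hop =", p.get("next_hop"))
```

In this model the reordered packet is rewritten by the natd instance on port 8668, because rule 1000 is the first divert rule that matches its outgoing interface rl0. After that rewrite the source is no longer in 10.0.0.0/24, which is why a 'fwd' rule placed after the divert rules has to match on "from any ... recv ed0" rather than on the LAN source range.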