From: Matt Impett
To: 'Lars Eggert', Matt Impett
Cc: freebsd-net@freebsd.org, freebsd-questions@freebsd.org
Subject: RE: source address based routing
Date: Wed, 26 Jun 2002 17:21:02 -0400
Message-ID: <8C92E23A3E87FB479988285F9E22BE46FDE778@ftmail.lab.flarion.com>

inline..

> -----Original Message-----
> From: Lars Eggert [mailto:larse@ISI.EDU]
> Sent: Wednesday, June 26, 2002 5:10 PM
> To: Matt Impett
> Cc: 'freebsd-net@freebsd.org'; 'freebsd-questions@freebsd.org'
> Subject: Re: source address based routing
>
> Matt Impett wrote:
> > I have looked at the firewall rather extensively, but I don't know that it
> > can do what I want.
>
> Maybe you should describe what you want in a little more detail then :-)

gladly.. I am trying to implement reverse tunneling for mobile IP. The basic idea is that packets must be reverse tunneled to different IP addresses depending on the source address of the packet. The reason the tunnel does not have an IP address associated with it is that I don't want to forward traffic down the tunnel for any reason other than the source address. As soon as I assign the tunnel interface an address, traffic sent to that address will be tunneled.
> > From what I can tell, the firewall fwd functionality allows you to redirect
> > a packet to a different next hop based on any of the firewall matching rules
> > (one of which is source address).
> >
> > What I want to do, however, is redirect the packet to a tunnel (gif device)
> > that has no next hop associated with it. Is there any way to do this??
>
> How does it not have a next hop associated with it? Are you leaving the
> addresses unconfigured? Maybe you can still use ipfw like this:
>
> route add DUMMY_NEXT_HOP -interface GIF
> ipfw add fwd DUMMY_NEXT_HOP all from SOURCE to any

I have thought about doing this, but am a little concerned about assigning DUMMY_NEXT_HOP. As soon as I issue "route add DUMMY_NEXT_HOP -interface GIF", that DUMMY_NEXT_HOP address is unusable by anyone else. Therefore I guess it would have to be private, but then this would stop anyone from actually using this private address in the local domain. Plus, I don't know how many DUMMY_NEXT_HOPs to allocate, as I would need one for each tunnel I have set up, and the number of tunnels I set up depends on the number of mobiles that come into the system (which is somewhat of an unknown).

What do you think??

matt
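The route -interface plus ipfw fwd scheme Lars suggests, carried out per mobile, as an added example that is neither part of this thread nor FreeBSD's own documentation. Everything concrete in it is an assumption: the dummy next hops are carved from 192.0.2.0/24 (standing in for a prefix the site has deliberately taken out of circulation, which is exactly the trade-off Matt describes), the home agent's tunnel endpoint is 198.51.100.1, mobiles arrive on fxp0, fwd rules live at ipfw numbers 1000 and up, and the tunnel is created with the `ifconfig gifN create` / `ifconfig gifN tunnel` syntax of later FreeBSD releases (4.x used gifconfig). One dummy address is derived from the tunnel index as each mobile registers, so nothing has to be pre-allocated. Because fwd keys only on the source address, the rule is also pinned with `recv` to the interface the mobiles are expected to come in on, so a packet forging a mobile's address on another interface is not steered into that mobile's tunnel. The fwd rule must precede any rule that would otherwise accept or deny the packet.

```shell
#!/bin/sh
# Added example, not from the thread: one gif tunnel and one ipfw fwd rule per
# mobile, following the route -interface + ipfw fwd idea quoted above.
# Every address, interface name and rule number below is an assumption.
# With APPLY=0 (default) the commands are only printed; APPLY=1 runs them.

DUMMY_PREFIX="${DUMMY_PREFIX:-192.0.2}"   # assumed reserved /24 for dummy next hops
HA_IP="${HA_IP:-198.51.100.1}"            # assumed local tunnel endpoint (home agent)
INGRESS_IF="${INGRESS_IF:-fxp0}"          # assumed interface on which mobiles' packets arrive
RULE_BASE="${RULE_BASE:-1000}"            # assumed ipfw rule-number block for fwd rules
APPLY="${APPLY:-0}"

# dummy_next_hop INDEX: one dummy address per tunnel, derived from the tunnel
# index, so the pool grows with the number of mobiles instead of being
# pre-allocated. Indexes 1..254 avoid the .0 and .255 addresses of the /24.
dummy_next_hop() {
    idx=$1
    case $idx in
        ''|*[!0-9]*) echo "dummy_next_hop: bad index '$idx'" >&2; return 1 ;;
    esac
    if [ "$idx" -lt 1 ] || [ "$idx" -gt 254 ]; then
        echo "dummy_next_hop: index $idx out of range 1-254" >&2
        return 1
    fi
    printf '%s.%d\n' "$DUMMY_PREFIX" "$idx"
}

# tunnel_cmds INDEX MOBILE_SRC FA_IP: commands that bring up gifINDEX towards
# the foreign agent FA_IP and steer MOBILE_SRC's packets into it.
# The fwd rule matches on source address only, so it is pinned to the
# ingress interface with 'recv'; a packet forging MOBILE_SRC on another
# interface is not pushed into this mobile's tunnel.
tunnel_cmds() {
    idx=$1; src=$2; fa=$3
    nh=$(dummy_next_hop "$idx") || return 1
    printf 'ifconfig gif%d create\n' "$idx"
    printf 'ifconfig gif%d tunnel %s %s\n' "$idx" "$HA_IP" "$fa"
    printf 'route add -host %s -interface gif%d\n' "$nh" "$idx"
    printf 'ipfw add %d fwd %s ip from %s to any recv %s\n' \
        "$((RULE_BASE + idx))" "$nh" "$src" "$INGRESS_IF"
}

# teardown_cmds INDEX: undo tunnel_cmds when the mobile leaves, in reverse order.
teardown_cmds() {
    idx=$1
    nh=$(dummy_next_hop "$idx") || return 1
    printf 'ipfw delete %d\n' "$((RULE_BASE + idx))"
    printf 'route delete -host %s\n' "$nh"
    printf 'ifconfig gif%d destroy\n' "$idx"
}

# run_cmds: print each command line, and execute it only when APPLY=1.
run_cmds() {
    while IFS= read -r cmd; do
        echo "$cmd"
        [ "$APPLY" = 1 ] && eval "$cmd"
    done
}

# Constructed registration table: tunnel index, mobile home address, foreign agent.
MOBILES='1 10.1.0.2 203.0.113.10
2 10.1.0.3 203.0.113.11'

printf '%s\n' "$MOBILES" | while read -r idx src fa; do
    [ -n "$idx" ] || continue
    tunnel_cmds "$idx" "$src" "$fa" | run_cmds
done
```

Run as is to see the generated commands; run with `APPLY=1` on a FreeBSD host, as root, to execute them. The same index is handed to `teardown_cmds` when a mobile deregisters, which returns the dummy address to the pool.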