Date: Mon, 20 Sep 2004 23:12:36 +0300 (EEST)
From: Cristian Ursuleanu <cristi@debug.ro>
To: Jose Hidalgo Herrera <jose@hostarica.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw & natd
Message-ID: <20040920230225.Y58694@debug.ro>
In-Reply-To: <1095699476.14974.13.camel@jose.hostarica.net>
References: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at> <1095699476.14974.13.camel@jose.hostarica.net>
You are right! But I did some tests and it seems to work only when net.inet.ip.fw.one_pass=0. If net.inet.ip.fw.one_pass=0 then packets are reinjected into the firewall, and when net.inet.ip.fw.one_pass=1 they are not.

I use FreeBSD 4.10 STABLE and ipfw1.

"net.inet.ip.fw.one_pass: 1
Forces a single pass through the firewall. If set to 0, packets coming out of a pipe will be reinjected into the firewall starting with the rule after the matching one."

On Mon, 20 Sep 2004, Jose Hidalgo Herrera wrote:

> You are right, but Tomas too!
>
> What is missing here is:
> # sysctl -w net.inet.ip.fw.one_pass=1
>
> Use the divert first, with one_pass=1 the package will
> be reinjected and your fwd rule will work just fine.
>
> --- this will do
> sysctl -w net.inet.ip.fw.one_pass=1
>
> natd -p 8668 -interface rl0
> natd -p 8669 -interface rl1
>
> ipfw add 1000 divert 8668 all from any to any rl0
> ipfw add 2000 divert 8669 all from any to any rl1
> ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
> ---
> --
> Jose Hidalgo
> PGP: 15524480
> jose at hostarica.com
> http://www.hostarica.com
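The following is an added illustration, not code from the thread or from FreeBSD: a deliberately simplified model of how ipfw walks the rule list from Jose's post when a divert rule matches, under one_pass=0 versus one_pass=1. The rule numbers and interface names come from the post; the packet (a TCP port-80 packet received on ed0, leaving on rl0) is constructed for the example, and the matcher only models the fields needed here.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int
    action: str                  # "divert", "fwd", "allow", "deny"
    proto: str                   # "all" or "tcp"
    iface: Tuple[str, str]       # ("via", name), ("recv", name) or ("any", "")
    dport: Optional[int] = None  # destination port, None = any


# Rule set from Jose's post (constructed for this example, not live config).
RULES = [
    Rule(1000, "divert", "all", ("via", "rl0")),
    Rule(2000, "divert", "all", ("via", "rl1")),
    Rule(2010, "fwd", "tcp", ("recv", "ed0"), dport=80),
]

# Constructed sample packet: from the LAN on ed0, going out through rl0.
PKT = {"proto": "tcp", "dport": 80, "recv": "ed0", "xmit": "rl0"}


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    if rule.dport is not None and rule.dport != pkt["dport"]:
        return False
    kind, name = rule.iface
    if kind == "via":                 # either direction on that interface
        return name in (pkt["recv"], pkt["xmit"])
    if kind == "recv":                # received on that interface only
        return name == pkt["recv"]
    return True


def walk(rules: List[Rule], pkt: dict, one_pass: int) -> List[int]:
    """Return the numbers of the rules that acted on pkt, in order."""
    hits, i = [], 0
    while i < len(rules):
        rule = rules[i]
        i += 1                        # i now points at the rule after this one
        if not matches(rule, pkt):
            continue
        hits.append(rule.number)
        if rule.action != "divert":
            break                     # fwd / allow / deny end the search
        if one_pass:
            break                     # reinjected packet is not re-evaluated
        # one_pass=0: natd reinjects and the search resumes at rule i
    return hits
```

With one_pass=0 the packet hits 1000 and then the fwd rule 2010; with one_pass=1 it stops after the divert at 1000, which is the behaviour Cristian reports.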