From: R2 <R2@infolinks.com.br>
Date: Wed, 22 Sep 2004 10:59:15 -0300
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw & natd
Message-ID: <41518533.8050607@infolinks.com.br>
In-Reply-To: <20040920230225.Y58694@debug.ro>
References: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at> <1095699476.14974.13.camel@jose.hostarica.net> <20040920230225.Y58694@debug.ro>

Cristian Ursuleanu wrote:
> You are right!
>
> But I did some tests and it seems to work only when:
> net.inet.ip.fw.one_pass=0
>
> If net.inet.ip.fw.one_pass=0 then packets are reinjected into the firewall,
> and when net.inet.ip.fw.one_pass=1 they are not.
>
> I use: FreeBSD 4.10 STABLE, and ipfw1.
>
> "net.inet.ip.fw.one_pass: 1
>  Forces a single pass through the firewall. If set to 0,
>  packets coming out of a pipe will be reinjected into the
>  firewall starting with the rule after the matching one."
>
> On Mon, 20 Sep 2004, Jose Hidalgo Herrera wrote:
>
>> You are right, but Tomas is too!
>>
>> What is missing here is:
>> # sysctl -w net.inet.ip.fw.one_pass=1
>>
>> Use the divert first; with one_pass=1 the packet will
>> be reinjected and your fwd rule will work just fine.
>>
>> --- this will do
>>  sysctl -w net.inet.ip.fw.one_pass=1
>>
>>  natd -p 8668 -interface rl0
>>  natd -p 8669 -interface rl1
>>
>>  ipfw add 1000 divert 8668 all from any to any via rl0
>>  ipfw add 2000 divert 8669 all from any to any via rl1
>>  ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
>> ---
>> --
>> Jose Hidalgo
>> PGP: 15524480
>> jose at hostarica.com
>> http://www.hostarica.com

You can use this ipfw configuration to solve your problem:

ipfw add 100 skipto 2000 all from any to any 80 out xmit rl0
ipfw add 1000 divert natd all from any to any via rl0
ipfw add 2000 divert natd2 all from any to any via rl1
ipfw add fwd 5.6.7.9 all from 5.6.7.8 to any out xmit rl0

PS: The default route is sent to the rl0 interface, and it is necessary to forward all packets with source IP 5.6.7.8 to next-hop 5.6.7.9; this last IP is the remote interface of your service provider.
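To see concretely what the one_pass sysctl changes for a divert/natd ruleset, here is an added model of ipfw's first-match processing. It is example code written for this page, not code from the thread, from FreeBSD or from ipfw(8); it models only what the quoted sysctl text and the replies state (one_pass=0 resumes at the rule after the matching divert, one_pass=1 does not re-run the rules), and the addresses, interface names, natd ports and ruleset in it are constructed sample data in the shape of the rl0/rl1 setups discussed above.

```python
"""Toy first-match model of ipfw(8) with divert/natd, skipto and fwd.
Added example, not FreeBSD code: it models only the one_pass behaviour the
thread describes. Addresses, interfaces and natd ports are constructed."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...
    dport: Optional[int]
    iface: str                      # interface the packet enters or leaves on
    direction: str                  # "in" or "out"
    next_hop: Optional[str] = None  # set by a matching fwd rule


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # allow | deny | divert | skipto | fwd
    arg: Optional[object] = None     # divert port, skipto target or fwd next hop
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None      # None: any interface
    direction: Optional[str] = None  # None: "via" (either direction)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Rule body: protocol, addresses, destination port, interface qualifiers."""
    return (rule.proto in ("all", "ip", pkt.proto)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst)
            and rule.dport in (None, pkt.dport)
            and rule.iface in (None, pkt.iface)
            and rule.direction in (None, pkt.direction))


def run_ruleset(rules: List[Rule], pkt: Packet, one_pass: bool,
                natd_alias: Dict[int, str]) -> Tuple[str, Packet, List[int]]:
    """Walk the ruleset first-match; return (verdict, final packet, rules hit).
    natd_alias: divert port -> alias address that natd instance rewrites
    outbound sources to (stand-in for natd -interface)."""
    rules = sorted(rules, key=lambda r: r.num)
    visited: List[int] = []
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, pkt):
            i += 1
            continue
        visited.append(rule.num)
        if rule.action in ("allow", "deny"):
            return rule.action, pkt, visited
        if rule.action == "fwd":            # terminating: accept with next hop
            return "fwd", replace(pkt, next_hop=rule.arg), visited
        if rule.action == "skipto":         # jump to first rule numbered >= arg
            i = next((j for j, r in enumerate(rules) if r.num >= rule.arg),
                     len(rules))
            continue
        if rule.action == "divert":
            # natd rewrites the outbound source (reverse path not modelled)
            if pkt.direction == "out" and rule.arg in natd_alias:
                pkt = replace(pkt, src=natd_alias[rule.arg])
            if one_pass:
                # one_pass=1: the reinjected packet is not passed through the
                # rules again, so anything after the divert never sees it
                return "allow", pkt, visited
            i += 1                          # one_pass=0: resume at next rule
            continue
        raise ValueError(f"unknown action {rule.action!r}")
    return "deny", pkt, visited             # kernel default without rule 65535


# Constructed ruleset: NAT on rl0 through the natd on port 8668 (alias
# 5.6.7.8), a second natd for rl1, then policy-route translated traffic
# leaving rl0 to the provider's next hop 5.6.7.9.
NATD_ALIAS = {8668: "5.6.7.8", 8669: "5.6.7.10"}
RULES = [
    Rule(100, "skipto", 2000, proto="tcp", dport=80, iface="rl0", direction="out"),
    Rule(1000, "divert", 8668, iface="rl0"),
    Rule(2000, "divert", 8669, iface="rl1"),
    Rule(2100, "fwd", "5.6.7.9", src="5.6.7.8", iface="rl0", direction="out"),
    Rule(65535, "allow"),
]


def trace(pkt: Packet, one_pass: bool) -> Tuple[str, Packet, List[int]]:
    return run_ruleset(RULES, pkt, one_pass, NATD_ALIAS)


if __name__ == "__main__":
    ssh = Packet("10.0.0.5", "198.51.100.7", "tcp", 22, "rl0", "out")
    web = Packet("10.0.0.5", "198.51.100.7", "tcp", 80, "rl0", "out")
    for label, pkt, op in (("ssh", ssh, 0), ("ssh", ssh, 1), ("web", web, 0)):
        verdict, out, seen = trace(pkt, bool(op))
        print(f"{label} one_pass={op}: {verdict} src={out.src} "
              f"next_hop={out.next_hop} rules={seen}")
```

With one_pass=0 the outbound ssh packet is translated by rule 1000 and then reaches the fwd rule at 2100, so it leaves with source 5.6.7.8 and next hop 5.6.7.9; with one_pass=1 it is accepted straight after the divert and the fwd rule never sees it, which is the behaviour Cristian measured. The returned rule trace is also the check to run before trusting a skipto placement: in this constructed ruleset the port-80 packet jumps from 100 to 2000, matches neither divert nor the fwd rule, and is allowed out untranslated.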