From: Eugene Grosbein <eugen@grosbein.net>
To: Kurt Jaeger, Grzegorz Junka
Cc: freebsd-net@freebsd.org, freebsd-jail@freebsd.org
Subject: Re: A web server behind two gateways?
Date: Tue, 18 Jul 2017 00:33:47 +0700
Message-ID: <596CF4FB.9070306@grosbein.net>
In-Reply-To: <20170717172642.GF39925@home.opsec.eu>
List: freebsd-jail@freebsd.org ("Discussion about FreeBSD jail(8)")

18.07.2017 0:26, Kurt Jaeger wrote:
> I have a vague idea:
>
> If you set a tag (or a keep-state :flowname) using an ipfw rule that matches
> the incoming gateway MAC and match that tag/check-state flowname and
> the connection (keep-state) to fwd the answer packet back to that gateway?

In fact, the NAT engine already keeps track of the state of packet flows and uses that to correctly translate answers back to the public IP address. All you need is to forward translated outgoing answers to the correct channel based on the translated external source IP address (read: do policy-based forwarding).
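As an added example (not part of the thread, and not Eugene's or Kurt's configuration), here is an ipfw ruleset in the spirit of that answer: one nat instance per uplink, a single "nat global" rule that translates answers using whichever instance holds the flow state, and fwd rules keyed on the translated source address. The interface names, the RFC 5737 addresses, the availability of the "nat global" action and net.inet.ip.fw.one_pass=0 are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed RFC 5737 addresses:
#   lan0: web server 10.0.0.80 (e.g. a jail on the gateway's LAN side)
#   ext0: 203.0.113.10, upstream gateway 203.0.113.1 (the default route)
#   ext1: 198.51.100.10, upstream gateway 198.51.100.1
# Assumes net.inet.ip.fw.one_pass=0 (rule search continues after nat) and
# an ipfw with the "nat global" action (FreeBSD 10 and later).
WEB=10.0.0.80
EXT0=ext0; IP0=203.0.113.10; GW0=203.0.113.1
EXT1=ext1; IP1=198.51.100.10; GW1=198.51.100.1

# Print the ruleset in ipfw(8) file syntax (one command per line, without
# the leading "ipfw"), so it can be loaded with: ipfw -qf /path/to/file
rules() {
    cat <<EOF
flush
# one nat instance per uplink, each redirecting port 80 to the web server
nat 1 config ip $IP0 redirect_port tcp $WEB:80 80
nat 2 config ip $IP1 redirect_port tcp $WEB:80 80
# inbound: rewrite the destination to the web server; the flow state is
# created in the instance that owns the uplink the SYN arrived on
add 100 nat 1 tcp from any to $IP0 80 in recv $EXT0
add 110 nat 2 tcp from any to $IP1 80 in recv $EXT1
# outbound answers: "nat global" looks the flow up in every instance and
# rewrites the source to the public IP that owns the state (no new state)
add 200 nat global tcp from $WEB 80 to any out
# policy forwarding keyed on the translated source: answers from $IP1 go
# to $GW1 even though the default route points at $GW0
add 300 fwd $GW0 ip from $IP0 to any out
add 310 fwd $GW1 ip from $IP1 to any out
add 65000 allow ip from any to any
EOF
}

# Offline consistency check: every public IP configured on a nat instance
# must have a fwd rule keyed on it, otherwise some answers take the default
# route and leave through the wrong uplink.
check() {
    rules | awk '
        $1 == "nat" && $3 == "config" { want[$5] = 1 }
        $3 == "fwd" && $6 == "from"   { have[$7] = 1 }
        END { for (ip in want) if (!(ip in have)) { print "no fwd rule for " ip; exit 1 } }'
}

case "${1:-print}" in
    print) rules ;;
    check) check ;;
    apply) check && rules | ipfw -qf /dev/stdin ;;
esac
```

Run it with "check" before "apply" on the gateway; the check only inspects the generated text, so it can be run on any host.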