Date:      Sat, 2 Mar 2002 11:06:37 -0800
From:      "Crist J. Clark" <cjc@FreeBSD.ORG>
To:        Luiz Morte da Costa Jr <morte@dsee.fee.unicamp.br>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: ipfw problem
Message-ID:  <20020302110637.F66092@blossom.cjclark.org>
In-Reply-To: <30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>; from morte@dsee.fee.unicamp.br on Fri, Mar 01, 2002 at 12:19:11PM -0300
References:  <30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>

On Fri, Mar 01, 2002 at 12:19:11PM -0300, Luiz Morte da Costa Jr wrote:
> 
> Hi all,
> 
> I don´t know if this is possible, but ... :

Anything is possible.

> I've installed FreeBSD 4.4 on a machine with 3 NICs. I've configured:
> 
> nic fxp0: a.b.c.d    -> Internet link, with a valid IP
> nic fxp1: e.f.g.h    -> Internet link, with a valid IP
> nic fxp2: 10.10.10.1 -> Internal link, with a non-valid IP
> 
> My default router is a.b.c.29 (the same IP class as fxp0)
> 
> I'm using ipfw+nat and the idea is:
> http protocol:    out/in via fxp1
> other protocols:  out/in via fxp0

OK. Whatever you want.

> - I start nat like this:
> natd  (8668) on the fxp0 NIC and
> natd2 (8669) on the fxp1 NIC

These are just run like 'natd -n fxp[01]' with no additional options?

> - I've used the rules below:
> add 001 divert 8669 tcp from any to any 80
> add 002 divert 8669 tcp from any 80 to any
> add 003 fwd e.f.g.h tcp from any to any 80 via fxp1 (fxp1 IP Class)
> add 004 fwd e.f.g.h tcp from any 80 to any via fxp1 (fxp1 IP Class)
> add 005 skipto 020 tcp from any to any 80
> add 006 skipto 020 tcp from any 80 to any
> add 010 divert 8668 all from any to any
> add 020 allow log all from any to any
> 
> 
> - logs:
> Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133 209.73.180.8:80 in via fxp2
> (accessing AltaVista from a machine on the internal network: 10.10.10.130)
> 
> Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept e.f.g.h:1133 209.73.180.8:80 out via fxp0
> 
> 
> 
> I think the NAT is working fine (logs), but all the internet traffic is
> passing through fxp0. I have a routing problem and I don't know if I can fix
> it. In other words, only the http protocol should pass through fxp1 and other
> protocols through fxp0.

Your rules 3 and 4 do not mean what you seem to think they mean. Rule
3 is saying, forward to e.f.g.h any packet that is crossing interface
fxp1 destined to port 80. That is, the 'via fxp1' means the packet
must be already crossing that interface to match the rule. Plus, you
really don't want to be 'fwd'ing the packets to the local
machine. That means the local machine processes them as if they were
destined for itself.

What you want to do is,

  add 003 fwd e.f.g.i tcp from e.f.g.h to any 80 out

Where e.f.g.i is the gateway off of e.f.g.h. At least, if that whole
mess works at all, this rule will kick those packets out of the other
link. 
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
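To make the 'via' versus 'out' distinction concrete, here is a small Python model of the ipfw rule walk. It is an added example, not FreeBSD or ipfw code: it models only the keywords used in this thread, treats divert as pass-through (natd re-injects an already translated packet at the rule after the divert), keeps e.f.g.h and e.f.g.i as the thread's placeholders, and reconstructs the two packets from the log lines above. Run against the post-NAT outbound packet, the posted rule 003 never matches because that packet is crossing fxp0, not fxp1, so it falls through to rule 020; the corrected rule 003 matches on 'from e.f.g.h ... out' and hands the packet to the next hop e.f.g.i. Rule 004 is left as posted, since the reply gives no replacement for it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str      # interface the packet is crossing


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                      # divert | fwd | skipto | allow
    arg: Optional[str] = None        # divert port, fwd next hop, skipto target
    proto: str = "all"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None        # 'via fxp1': crossing fxp1, in or out
    direction: Optional[str] = None  # bare 'in' / 'out' keyword


def matches(rule: Rule, pkt: Packet) -> bool:
    """Match the subset of ipfw(8) syntax that appears in the thread."""
    if rule.proto not in ("all", "ip", pkt.proto):
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    # 'via' only restricts which interface the packet is already on;
    # it never chooses an interface to send the packet out of.
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str, Optional[str]]:
    """Walk the ruleset in number order; the first terminal match decides.
    Returns (rule number, action, argument)."""
    rules = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(rules):
        r = rules[i]
        if not matches(r, pkt):
            i += 1
            continue
        if r.action == "divert":      # natd hands the packet back to the next rule
            i += 1
            continue
        if r.action == "skipto":
            target = int(r.arg)
            nxt = [k for k, x in enumerate(rules) if x.number >= target]
            if not nxt:
                break
            i = nxt[0]
            continue
        return (r.number, r.action, r.arg)
    return (65535, "deny", None)      # implicit default rule


def original_ruleset() -> List[Rule]:
    """Rules 001-020 as posted, with the thread's placeholder addresses."""
    return [
        Rule(1, "divert", "8669", proto="tcp", dport=80),
        Rule(2, "divert", "8669", proto="tcp", sport=80),
        Rule(3, "fwd", "e.f.g.h", proto="tcp", dport=80, via="fxp1"),
        Rule(4, "fwd", "e.f.g.h", proto="tcp", sport=80, via="fxp1"),
        Rule(5, "skipto", "20", proto="tcp", dport=80),
        Rule(6, "skipto", "20", proto="tcp", sport=80),
        Rule(10, "divert", "8668"),
        Rule(20, "allow"),
    ]


def corrected_ruleset() -> List[Rule]:
    """Same ruleset with rule 003 replaced by the reply's
    'fwd e.f.g.i tcp from e.f.g.h to any 80 out' (e.f.g.i = gateway of e.f.g.h)."""
    fixed = Rule(3, "fwd", "e.f.g.i", proto="tcp", src="e.f.g.h",
                 dport=80, direction="out")
    return [fixed if r.number == 3 else r for r in original_ruleset()]


# Packets reconstructed from the two log lines in the thread: the pre-NAT
# packet arriving from the LAN and the post-NAT packet leaving via fxp0.
INBOUND = Packet("tcp", "10.10.10.130", 1133, "209.73.180.8", 80, "in", "fxp2")
OUTBOUND = Packet("tcp", "e.f.g.h", 1133, "209.73.180.8", 80, "out", "fxp0")

if __name__ == "__main__":
    for name, rules in (("original", original_ruleset()),
                        ("corrected", corrected_ruleset())):
        for pkt in (INBOUND, OUTBOUND):
            print(name, pkt.direction, "via", pkt.iface, "->", evaluate(rules, pkt))
```

The inbound packet still ends at rule 020 under the corrected ruleset, which is the intended behaviour: the fwd should only take effect once natd has rewritten the source to e.f.g.h and the packet is on its way out, otherwise a fwd applied on the inbound pass would act on the untranslated 10.10.10.130 source.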





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020302110637.F66092>