From owner-freebsd-ipfw Sat Mar  2 11:06:42 2002
Date: Sat, 2 Mar 2002 11:06:37 -0800
From: "Crist J. Clark"
To: Luiz Morte da Costa Jr
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw problem
Message-ID: <20020302110637.F66092@blossom.cjclark.org>
References: <30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>
In-Reply-To: <30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>; from morte@dsee.fee.unicamp.br on Fri, Mar 01, 2002 at 12:19:11PM -0300
X-URL: http://people.freebsd.org/~cjc/

On Fri, Mar 01, 2002 at 12:19:11PM -0300, Luiz Morte da Costa Jr wrote:
>
> Hi all,
>
> I don't know if this is possible, but ... :

Anything is possible.

> I've installed FreeBSD 4.4 on a machine with 3 NICs.
> I've configured:
>
> nic fxp0: a.b.c.d -> Internet link, with a valid IP
> nic fxp1: e.f.g.h -> Internet link, with a valid IP
> nic fxp2: 10.10.10.1 -> Internal link, with no valid IP
>
> My default router is a.b.c.29 (the same IP class as fxp0)
>
> I'm using ipfw+nat and the idea is:
> http protocol: out/in via fxp1
> other protocols: out/in via fxp0

OK. Whatever you want.

> - I start nat like this:
> natd (8668) on the fxp0 nic and
> natd2 (8669) on the fxp1 nic

These are just run like 'natd -n fxp[01]' with no additional options?

> - I've used the rules below:
> add 001 divert 8669 tcp from any to any 80
> add 002 divert 8669 tcp from any 80 to any
> add 003 fwd e.f.g.h tcp from any to any 80 via fxp1 (fxp1 IP class)
> add 004 fwd e.f.g.h tcp from any 80 to any via fxp1 (fxp1 IP class)
> add 005 skipto 020 tcp from any to any 80
> add 006 skipto 020 tcp from any 80 to any
> add 010 divert 8668 all from any to any
> add 020 allow log all from any to any
>
>
> - logs:
> Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133
> 209.73.180.8:80 in via fxp2
> (accessing AltaVista from a machine on the internal network: 10.10.10.130)
>
> Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept e.f.g.h:1133 209.73.180.8:80
> out via fxp0
>
>
>
> I think the NAT is working fine (logs), but all the internet traffic is
> passing through fxp0. I have a routing problem and I don't know if I can
> fix it. In other words, only the http protocol passes through fxp1 and
> the other protocols pass through fxp0.

Your 3 and 4 rules do not mean what you seem to think they mean. Rule 3
is saying, forward to e.f.g.h any packet that is crossing interface
fxp1 destined to port 80. That is, the 'via fxp1' means the packet
must be already crossing that interface to match the rule. Plus, you
really don't want to be 'fwd'ing the packets to the local machine.
That means the local machine processes them as if they were destined
for itself.

What you want to do is,

  add 003 fwd e.f.g.i tcp from e.f.g.h to any 80 out

Where e.f.g.i is the gateway off of e.f.g.h. At least, if that whole
mess works at all, this rule will kick those packets out of the other
link.
--
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
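As an added illustration (not code from the thread or from ipfw itself), the following Python models just enough of ipfw's rule matching to walk Luiz's rule set with the second logged packet: 'via fxpN' matches either direction on that interface, 'out' only the outbound pass, divert hands the packet to natd and resumes at the next rule, skipto jumps, and allow/fwd end the search. natd is reduced to rewriting an outbound packet's source to the alias interface's address, and e.f.g.i is Crist's placeholder for the gateway reachable through fxp1.

```python
from dataclasses import dataclass
from typing import Optional
ALIAS = {8668: "a.b.c.d", 8669: "e.f.g.h"}   # natd -n fxp0 / natd2 -n fxp1 alias addresses

@dataclass
class Pkt:
    src: str; sport: int; dst: str; dport: int; direction: str; iface: str

@dataclass
class Rule:
    num: int; action: str; arg: Optional[str] = None
    src: str = "any"; sport: Optional[int] = None; dport: Optional[int] = None
    direction: Optional[str] = None   # 'in' / 'out' / None for either
    via: Optional[str] = None         # 'via fxpN' matches in OR out on fxpN

def matches(r: Rule, p: Pkt) -> bool:
    if r.src != "any" and r.src != p.src: return False
    if r.sport is not None and r.sport != p.sport: return False
    if r.dport is not None and r.dport != p.dport: return False
    if r.direction is not None and r.direction != p.direction: return False
    return r.via is None or r.via == p.iface

def run(rules, p: Pkt):
    """Walk the rules; return the (number, action, argument) that ends the search."""
    i = 0
    while i < len(rules):
        r, i = rules[i], i + 1
        if not matches(r, p):
            continue
        if r.action == "divert":          # natd rewrites; search resumes at the next rule
            if p.direction == "out": p.src = ALIAS[int(r.arg)]
        elif r.action == "skipto":
            i = next(k for k, x in enumerate(rules) if x.num >= int(r.arg))
        else:                             # allow / fwd terminate the search
            return r.num, r.action, r.arg
    return 65535, "deny", None

def ruleset(fixed: bool):
    """Luiz's rules, with rule 003 either as posted or as Crist suggests."""
    rule3 = (Rule(3, "fwd", "e.f.g.i", src="e.f.g.h", dport=80, direction="out")
             if fixed else Rule(3, "fwd", "e.f.g.h", dport=80, via="fxp1"))
    return [Rule(1, "divert", "8669", dport=80), Rule(2, "divert", "8669", sport=80),
            rule3, Rule(4, "fwd", "e.f.g.h", sport=80, via="fxp1"),
            Rule(5, "skipto", "20", dport=80), Rule(6, "skipto", "20", sport=80),
            Rule(10, "divert", "8668"), Rule(20, "allow")]

def http_request_leaving(fixed: bool):
    """The second logged packet: the internal host's HTTP request, routed out fxp0."""
    return run(ruleset(fixed), Pkt("10.10.10.130", 1133, "209.73.180.8", 80, "out", "fxp0"))
```

With the posted rule 003 the outbound request never matches it (it is crossing fxp0, not fxp1) and falls through to the allow at 020, which is what the log shows; with the suggested rule it is NATed to e.f.g.h by divert 8669 and then forwarded to e.f.g.i.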