From: Julian Elischer
Date: Mon, 23 Apr 2007 16:04:30 -0700
To: Lubomir Georgiev <0shady0recs0@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw with nat - allowing by MAC address
Message-ID: <462D3B7E.6020006@elischer.org>
In-Reply-To: <937e203f0704231424q28306d67n8c476e113f95441e@mail.gmail.com>

ok so I just emailed how I would do this.. Did you not receive it?

Lubomir Georgiev wrote:
> OK people - here's the deal. I have tried the setup as described by
> Patrick Tracanelli at click
>
> but the shitty thing still doesn't want to just let it be! Since I don't
> want to
>
> 00500 468 30071 deny log logamount 100 ip from any to any MAC any any layer2 via xl0
>
> I'm trying to integrate a rule that just skips the natd but still allows
> normal client -> freebsd box communication. The problem is - I can
> manipulate layer2 any way I like e.g. use skipto with MAC as described and
> everything but as soon as I add a rule like this
>
> ipfw add 500 skipto 1400 /after the divert natd/ all from any to any not layer2
>
> I lose worldwide connectivity. And if I don't add this rule my whole
> 192.168.1.0/24 segment is enabled because of the
>
> 01203 divert 8668 ip from 192.168.1.0/24 to any out via fxp0
> 01205 divert 8668 ip from any to me in via fxp0
>
> Can someone please explain this? And just give the word and I'll send a
> more substantial part of the ruleset and the different strategies /of
> rulesets :)/ that I've tried.
> The bottom line - Patrick's setup doesn't work, at least here. I'm certain
> that I've written the rules the way they're supposed to be /just change ip
> ranges, if names etc./
>
> 10x in advance and please do bear with me...