From owner-freebsd-net@FreeBSD.ORG Mon Oct 8 22:48:51 2007
Message-ID: <470AB3C3.1030508@psg.com>
Date: Tue, 09 Oct 2007 07:48:35 +0900
From: Randy Bush
To: Paolo Pisati
Cc: FreeBSD Net, "Andrey V. Elsukov"
Subject: Re: ipfw nat befuddlement
In-Reply-To: <20071008222742.GC10716@tin.it>
List-Id: Networking and TCP/IP with FreeBSD

> is your ruleset/config ok? can you post it?

appended, with one ip address obscured

> try to substitute the "nat 42 ip4 from any to any via vr0" rule with a
> divert rule, and config & start natd: does it config work as expected?

i hope to try this later today

randy

--

# ipfw list
00100 deny log logamount 100 ip from any to any ipoptions ssrr,lsrr,rr
00200 allow ip from any to any via lo0
00300 deny log logamount 100 ip from 127.0.0.0/8 to any
00400 deny log logamount 100 ip from any to 127.0.0.0/8
00500 allow tcp from 147.42.0.666 to any dst-port 25
00600 allow tcp from any to 147.42.0.666 dst-port 25
00700 allow tcp from me to any dst-port 25
00800 allow tcp from any to me dst-port 25
00900 deny log logamount 100 tcp from any to any dst-port 25
01000 deny ip from any to me dst-port 113
01100 nat 42 ip4 from any to any via vr0
01200 allow ip from any to any
65535 deny ip from any to any
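An added example, not part of the original message and not ipfw's own code: a first-match walk over the ruleset posted above, reporting which rules a given packet hits before a terminating action. Assumptions: the `ME` address and any packets passed in are constructed, packets carry no IP options, the address rewriting done by nat is not modelled, and `one_pass` stands for the net.inet.ip.fw.one_pass sysctl described in ipfw(8).

```python
import ipaddress
# Ruleset copied verbatim from the `ipfw list` output in the message.
RULES = """\
00100 deny log logamount 100 ip from any to any ipoptions ssrr,lsrr,rr
00200 allow ip from any to any via lo0
00300 deny log logamount 100 ip from 127.0.0.0/8 to any
00400 deny log logamount 100 ip from any to 127.0.0.0/8
00500 allow tcp from 147.42.0.666 to any dst-port 25
00600 allow tcp from any to 147.42.0.666 dst-port 25
00700 allow tcp from me to any dst-port 25
00800 allow tcp from any to me dst-port 25
00900 deny log logamount 100 tcp from any to any dst-port 25
01000 deny ip from any to me dst-port 113
01100 nat 42 ip4 from any to any via vr0
01200 allow ip from any to any
65535 deny ip from any to any"""
ME = {"192.0.2.1"}  # assumption: this host's own address (constructed)

def parse(line):
    t = line.split()
    f = t.index("from")
    opt = lambda k: t[t.index(k) + 1] if k in t else None
    return {"num": int(t[0]), "action": t[1], "proto": t[f - 1], "src": t[f + 1],
            "dst": t[f + 3], "port": opt("dst-port"), "via": opt("via"),
            "ipopts": "ipoptions" in t}

def addr_ok(spec, addr):
    if "/" in spec:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
    # "me" uses the assumed ME set; anything else is a plain string compare
    return spec == "any" or (addr in ME if spec == "me" else spec == addr)

def matches(r, p):
    # Simplifications: no packet carries IP options; "via" is one interface name.
    return (not r["ipopts"] and r["proto"] in ("ip", "ip4", p["proto"])
            and addr_ok(r["src"], p["src"]) and addr_ok(r["dst"], p["dst"])
            and r["port"] in (None, str(p.get("dport")))
            and r["via"] in (None, p["iface"]))

def walk(p, one_pass=True):
    # Rules hit in order; allow/deny stop the search, nat stops it only if one_pass.
    hits = []
    for r in map(parse, RULES.splitlines()):
        if matches(r, p):
            hits.append((r["num"], r["action"]))
            if r["action"] != "nat" or one_pass:
                return hits
    return hits
```

Calling `walk()` with a dict of `proto`, `src`, `dst`, `dport` and `iface` shows, for instance, that port-25 traffic is decided by rules 500 to 900 and never reaches `nat 42`.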