From: patrick
To: freebsd-questions@freebsd.org
Date: Mon, 2 Jan 2006 12:56:00 -0800
Subject: ipfw divert with exception?
List-Id: User questions

I have a FreeBSD 6.0 machine acting as a router for our office.

We use natd for address translation, and I have a rule like so:

    ipfw add divert natd all from any to any via ${ext_if}

To allow incoming SSH access, I have a redirect_port line set up in my /etc/natd.conf file, and while it works just fine, I don't like that natd has to be running in order for me to SSH into the server. (Because, if -- hypothetically of course -- one were to *cough* accidentally kill the natd process without realizing this, then *ahem*, one would be locked out remotely without any means of fixing it. And I'd like to stress that this situation is indeed, uh, hypothetical. ;) )

So, I'm sure there is a way for me to create some ipfw rules above the divert line to accept incoming SSH traffic and not have it get diverted, but I'm at a bit of a loss as to how I can achieve this. The current rule I have above this does not do anything to stop the traffic from being diverted:

    ipfw add accept tcp from any to any 22 in via ${ext_if}

Any help or insight would be greatly appreciated.

Thanks,
Patrick
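An added check, not part of the post above: ipfw evaluates rules first-match, so an allow rule only keeps SSH independent of natd if it sits before the divert rule, and on the post's own premise (losing natd locks you out, because traffic reaching the divert rule goes nowhere) the reply packets leaving port 22 need the same treatment. The script below parses a constructed sample in the shape of `ipfw list` output (em0 stands in for ${ext_if}; 8668 is natd's default divert port; the rule numbers are invented) and reports whether both directions are covered ahead of the divert.

```python
import re

# Constructed sample in the shape of `ipfw list` output (not from the post);
# em0 stands in for ${ext_if}, 8668 is natd's default divert port.
SAMPLE_RULES = """\
00100 allow ip from any to any via lo0
00200 allow tcp from any to any dst-port 22 in via em0
00300 allow tcp from any to any src-port 22 out via em0
00400 divert 8668 ip from any to any via em0
00500 allow tcp from any to any established
65535 deny ip from any to any
"""

ALLOW_ACTIONS = {"allow", "accept", "pass", "permit"}  # synonyms in ipfw(8)


def parse_rules(text):
    """Parse 'NNNNN action body' lines into (number, action, body) tuples."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+(.*)$", line.strip())
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def _matches(body, direction, port_kw, port, iface):
    # A rule with neither 'in' nor 'out' applies to both directions.
    words = body.split()
    dir_ok = direction in words or not ({"in", "out"} & set(words))
    return f"{port_kw} {port}" in body and dir_ok and f"via {iface}" in body


def ssh_survives_natd_loss(rules, iface, port=22):
    """ipfw is first-match: True only when an inbound (dst-port) and an
    outbound (src-port) allow for `port` on `iface` both precede any divert
    rule on that interface, so SSH never depends on a natd listener."""
    seen_in = seen_out = False
    for _num, action, body in rules:
        if action in ALLOW_ACTIONS:
            seen_in |= _matches(body, "in", "dst-port", port, iface)
            seen_out |= _matches(body, "out", "src-port", port, iface)
        elif action == "divert" and f"via {iface}" in body:
            return seen_in and seen_out
    return seen_in and seen_out


if __name__ == "__main__":
    print("SSH independent of natd:",
          ssh_survives_natd_loss(parse_rules(SAMPLE_RULES), "em0"))
```

Run it against the real ruleset with `ipfw list | python3 check.py` after swapping SAMPLE_RULES for sys.stdin.read(); the result flips to False as soon as either direction's allow is missing or lands below the divert rule.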