From owner-freebsd-net@FreeBSD.ORG Tue Mar 23 12:49:30 2004
Date: Tue, 23 Mar 2004 15:30:45 -0500
From: Brian Reichert
To: freebsd-net@freebsd.org
Message-ID: <20040323203045.GI29783@numachi.com>
User-Agent: Mutt/1.5.6i
Subject: tricking myself w/ multihoming
List-Id: Networking and TCP/IP with FreeBSD

I think I'm badly misunderstanding the interaction of ipfw and natd and
routing in general.

I have a multihomed box:

  rl0: flags=8943 mtu 1500
          inet 198.175.254.11 netmask 0xffffff00 broadcast 198.175.254.255
          inet 198.175.254.8 netmask 0xffffffff broadcast 198.175.254.8
          ether 00:30:bd:21:e5:e9
          media: Ethernet autoselect (100baseTX )
          status: active
  rl1: flags=8843 mtu 1500
          inet 24.147.155.114 netmask 0xfffff800 broadcast 255.255.255.255
          ether 00:50:ba:8b:64:77
          media: Ethernet autoselect (100baseTX )
          status: active

The rl1 interface has natd associated with it, and it behaves as expected.
The default route is also on rl1:

  # netstat -rn | grep default
  default            24.147.152.1       UGSc      231   273474    rl1

So far, things are as I wanted, and they've been this way for years.  I can
get to this box from my LAN just fine, and NAT works just fine, and any TCP
tunnels on rl1 I've opened up work fine.

I've gotten it in my head that I want to run a mail server on this box,
publicly available via either interface via 198.175.254.8.

I've modified my firewall rules on this box slightly:

  00040 fwd 198.175.254.1 tcp from 198.175.254.8 to any 25
  00050 divert 8668 ip from any to any via rl1
  00100 allow ip from any to any via lo0
  00200 deny ip from any to 127.0.0.0/8
  00300 deny ip from 127.0.0.0/8 to any
  65000 allow ip from any to any
  65535 deny ip from any to any

(198.175.254.1 is my gateway for the public block.)

This setup lets outgoing SMTP transactions go out my public block.  But,
seemingly, it does not allow incoming SMTP sessions to occur.

Tcpdump on this box shows me the incoming packets coming to 198.175.254.8,
but I'm not seeing the replies to these packets going out at all, much less
to 198.175.254.1.

Does anyone have any pointers?  Do I need to run the mail server in a jail
with a separate default route?  Is there some other trick I could/should be
considering?

--
Brian Reichert
37 Crystal Ave. #303            Daytime number: (603) 434-6842
Derry NH 03038-1713 USA         BSD admin/developer at large
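To make the rule-matching question concrete, here is an added example (my code, not anything from the message or from FreeBSD's ipfw) that models ipfw's first-match walk over the seven rules listed above and runs three packets through it: the outbound SMTP connection from 198.175.254.8, an inbound SYN to 198.175.254.8 port 25 arriving on rl0, and the server's reply to that SYN. It assumes the reply leaves on rl1 because the default route is there, models only rule order, protocol, address/CIDR, optional source and destination port and `via`, and ignores natd re-injection and stateful options. The peer 203.0.113.10 and all ports are constructed, and rule 00045 is a hypothetical candidate rule, not one the message proposes, used to show what a match on the source port rather than the destination port would do.

```python
"""Simplified model of ipfw first-match evaluation (added example, not the poster's code).

Models only: rule number order, proto (ip/tcp), src/dst as address, CIDR or
"any", optional source/destination port, and "via <iface>".  natd
re-injection, keep-state and other options are deliberately left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str  # interface the packet is entering or leaving on


@dataclass(frozen=True)
class Rule:
    number: int
    action: str            # "fwd 198.175.254.1", "divert 8668", "allow", "deny"
    proto: str             # "ip" matches everything, otherwise exact match
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    via: Optional[str]


def parse_rule(line: str) -> Rule:
    """Parse an 'ipfw list' style line: NUM ACTION [ARG] PROTO from SRC [PORT] to DST [PORT] [via IF]."""
    tok = line.split()
    i, j = tok.index("from"), tok.index("to")
    sport = int(tok[i + 2]) if j - i == 3 else None   # a token between SRC and "to" is a port
    rest = tok[j + 2:]
    dport = None
    if rest and rest[0] != "via":
        dport, rest = int(rest[0]), rest[1:]
    via = rest[1] if rest[:1] == ["via"] else None
    return Rule(int(tok[0]), " ".join(tok[1:i - 1]), tok[i - 1],
                tok[i + 1], sport, tok[j + 1], dport, via)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.via is not None and rule.via != pkt.iface:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.sport is not None and rule.sport != pkt.sport:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw walks rules in number order; fwd, divert, allow and deny all end the walk."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    return None


# The ruleset exactly as listed in the message.
PAGE_RULES = [parse_rule(l) for l in """
00040 fwd 198.175.254.1 tcp from 198.175.254.8 to any 25
00050 divert 8668 ip from any to any via rl1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
""".strip().splitlines()]

# Constructed packets: 203.0.113.10 is a documentation-range peer, ports are made up.
# The reply is assumed to leave on rl1 because that is where the default route points.
OUTBOUND_SMTP = Packet("tcp", "198.175.254.8", 49152, "203.0.113.10", 25, "rl1")
INBOUND_SYN = Packet("tcp", "203.0.113.10", 40000, "198.175.254.8", 25, "rl0")
SERVER_REPLY = Packet("tcp", "198.175.254.8", 25, "203.0.113.10", 40000, "rl1")

# Hypothetical candidate rule (an assumption, not in the message): it matches on
# the SOURCE port, which is what the server's replies carry.
CANDIDATE_RULE = parse_rule("00045 fwd 198.175.254.1 tcp from 198.175.254.8 25 to any")


def trace(rules: List[Rule]) -> dict:
    """Rule number each of the three packets hits first under the given ruleset."""
    return {name: first_match(rules, pkt).number
            for name, pkt in [("outbound_smtp", OUTBOUND_SMTP),
                              ("inbound_syn", INBOUND_SYN),
                              ("server_reply", SERVER_REPLY)]}


if __name__ == "__main__":
    for name, num in trace(PAGE_RULES).items():
        print(f"page rules:      {name:14s} -> rule {num:05d}")
    for name, num in trace(PAGE_RULES + [CANDIDATE_RULE]).items():
        print(f"with rule 00045: {name:14s} -> rule {num:05d}")
```

The point the trace makes is that `to any 25` in rule 00040 is a destination-port test. The outbound connection has destination port 25 and is forwarded to 198.175.254.1, and the inbound SYN falls through to 65000 and is accepted, but the server's reply has source port 25 and an arbitrary destination port, so it never matches 00040 and instead reaches the `via rl1` divert rule first. The candidate rule 00045 is only there to show that a source-port match would catch that reply before the divert; whether it is the right fix for this host is for the list to answer.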