From owner-freebsd-security@FreeBSD.ORG Thu Apr 15 14:22:42 2004
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A63BD16A4CE;
	Thu, 15 Apr 2004 14:22:42 -0700 (PDT)
Received: from bas.flux.utah.edu (bas.flux.utah.edu [155.98.60.2])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4C62743D4C;
	Thu, 15 Apr 2004 14:22:42 -0700 (PDT)
	(envelope-from danderse@flux.utah.edu)
Received: from bas.flux.utah.edu (localhost [127.0.0.1])
	by bas.flux.utah.edu (8.12.9/8.12.5) with ESMTP id i3FLMfdT026882;
	Thu, 15 Apr 2004 15:22:41 -0600 (MDT)
	(envelope-from danderse@bas.flux.utah.edu)
Received: (from danderse@localhost)
	by bas.flux.utah.edu (8.12.9/8.12.5/Submit) id i3FLMfdb026881;
	Thu, 15 Apr 2004 15:22:41 -0600 (MDT)
Date: Thu, 15 Apr 2004 15:22:41 -0600
From: "David G. Andersen"
To: Stephen Gill
Message-ID: <20040415152241.A26751@cs.utah.edu>
References: <20040415203157.44002.qmail@web60708.mail.yahoo.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20040415203157.44002.qmail@web60708.mail.yahoo.com>; from gillsr@yahoo.com on Thu, Apr 15, 2004 at 01:31:57PM -0700
cc: freebsd-security@freebsd.org
Subject: Re: Policy routing with IPFW
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Thu, 15 Apr 2004 21:22:42 -0000

Stephen Gill just mooed:
> following:
>
>  - All traffic sourced from Interface 1 (dc0) should go out gateway 1
>  - All traffic sourced from Interface 2 (dc1) should go out gateway 2
>  - All traffic destined to Interface 1 (dc0) should return out gateway 1
>  - All traffic destined to Interface 2 (dc1) should return out gateway 2
>
> Gateway 1 is on dc0 and Gateway 2 is on dc1.  I think you get the
> picture.
>
> Is this type of thing possible with IPFW?  If not, is there any other
> module that would allow me to do this?  I don't care how ugly it gets,
> just so long as it works.

Sure.

    options IPFIREWALL
    options IPFIREWALL_FORWARD

As an example from a running system:

    00100 allow ip from any to any via lo0
    00500 allow ip from IP1 to IP1/IP1-netmask
    00501 fwd IP1-GW ip from IP1 to any
    00600 allow ip from IP2 to IP2/IP2-netmask
    00601 fwd IP2-GW ip from IP2 to any

(where IP1-GW and IP2-GW are the next-hop routers for each interface,
obviously).

Works like a charm - I've got it running on quite a few machines.  The
only downside to it sometimes is that you have to write some script
wrappers around things to get dynamic updates (e.g., ppp linkup scripts
or dhcpd.conf running external scripts on route changes).

  -Dave

-- 
work: dga@lcs.mit.edu                          me:  dga@pobox.com
      MIT Laboratory for Computer Science           http://www.angio.net/
      I do not accept unsolicited commercial email.  Do not spam me.
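The ruleset above, written up as a re-runnable hook script. This is an added example, not code from David's message or from FreeBSD: it turns each interface's address, prefix length and next-hop gateway into the allow/fwd pair, computing the directly connected subnet from the address so the "allow to local net" rule stays correct after a lease or ppp address change, which is the "script wrapper for dynamic updates" David mentions. The sample addresses (RFC 5737 documentation ranges), the rule numbers and the closing pass-through rule are constructed assumptions for the example; on a real box the addresses would come from the dhclient or ppp hook's variables and the tail of the ruleset would be the site's own policy.

```shell
#!/bin/sh
# Added example (not from the original message): generate ipfw
# policy-routing rules for two interfaces so they can be re-applied
# from a dhclient or ppp linkup hook whenever an address changes.
# Needs a kernel with IPFIREWALL and IPFIREWALL_FORWARD (for "fwd").
# The script only prints ipfw commands; apply them with:  sh policy.sh | sh

# Constructed sample addresses (RFC 5737 documentation ranges). In a
# hook script these are taken from the interface / lease variables.
IF1_IP=192.0.2.5;     IF1_PREFIX=24; IF1_GW=192.0.2.1      # dc0
IF2_IP=198.51.100.77; IF2_PREFIX=24; IF2_GW=198.51.100.1   # dc1

# network ADDR PREFIXLEN -> network address of ADDR/PREFIXLEN.
# Masking is done one octet at a time so only small integers are used.
network() {
    n_ip=$1; n_bits=$2
    oldifs=$IFS; IFS=.; set -- $n_ip; IFS=$oldifs
    out=""
    for oct in "$1" "$2" "$3" "$4"; do
        if [ "$n_bits" -ge 8 ]; then m=255
        elif [ "$n_bits" -le 0 ]; then m=0
        else m=$(( (255 << (8 - n_bits)) & 255 ))
        fi
        out="$out${out:+.}$(( oct & m ))"
        n_bits=$(( n_bits - 8 ))
    done
    echo "$out"
}

# policy_rules BASE ADDR PREFIXLEN GATEWAY -> the rule pair for one interface.
policy_rules() {
    base=$1; ip=$2; prefix=$3; gw=$4
    net=$(network "$ip" "$prefix")
    # Drop the previous pair first so the hook can be re-run after an
    # address change ("rule not found" on the very first run is harmless).
    echo "ipfw delete $base $((base + 1)) 2>/dev/null"
    # Hosts on the directly connected subnet are reached without a
    # gateway, so this must match before the fwd rule below.
    echo "ipfw -q add $base allow ip from $ip to $net/$prefix"
    # Everything else sourced from this address leaves via its own next
    # hop, whatever the kernel default route says. Replies to connections
    # that arrived on this interface are sourced from $ip, so they return
    # the same way, which covers the "destined to interface N" requirement.
    echo "ipfw -q add $((base + 1)) fwd $gw ip from $ip to any"
}

# emit_ruleset -> the complete command list for both interfaces.
emit_ruleset() {
    echo "ipfw delete 100 65000 2>/dev/null"
    echo "ipfw -q add 100 allow ip from any to any via lo0"
    policy_rules 500 "$IF1_IP" "$IF1_PREFIX" "$IF1_GW"
    policy_rules 600 "$IF2_IP" "$IF2_PREFIX" "$IF2_GW"
    # Assumption for this example: the box is a pure router that passes
    # everything not matched above. With IPFIREWALL the implicit last
    # rule is a deny, so some final policy rule is required either way.
    echo "ipfw -q add 65000 allow ip from any to any"
}

emit_ruleset
```

Running `sh policy.sh | sh` from the hook applies the rules; the delete-before-add keeps the rule numbers stable across re-runs instead of accumulating duplicates at 500/501 and 600/601.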