Date: Tue, 12 Jun 2001 09:37:06 +0200
From: "Patrick O'Reilly" <patrick@mip.co.za>
To: "Jim Freeze" <jim@freeze.org>, <questions@FreeBSD.ORG>
Subject: RE: Need help with meaning of divert
Message-ID: <NDBBIMKICMDGDMNOOCAIGEIACLAA.patrick@mip.co.za>
In-Reply-To: <Pine.BSF.4.32.0106111212231.22484-100000@www.stelesys.com>
Jim,

the DIVERT rule is the rule that "integrates" the ipfw ruleset to NATD.

Basically, what happens when a TCP/IP packet hits an interface is the kernel
first runs it through your ipfw rules in numeric sequence. When it hits the
divert rule the packet will be processed by NATD which will substitute the
private internal IP with the public external IP of the interface (the IP
associated with interface 'vx0' in your case). The packet is then re-injected
into the ipfw ruleset right after the divert rule. Other translations might
happen if natd has been given redirect_port or redirect_address directives.

Constructing ipfw rules around natd can be hairy if you have some before and
some after the divert. If possible you should have all (or MOST) of your rules
after the divert rule to ensure that you get consistent NAT happening.

To illustrate, consider this example: your web server is on private IP
10.10.10.10, but your firewall's public IP is 24.9.218.175. There will
probably be a "redirect_port" directive to natd so that it knows to redirect
connections to port 80 to the correct internal address of 10.10.10.10.

1) A packet from the outside world : FROM x.x.x.x TO 24.9.218.175:80
2) ???
3) Divert rule translates the packet : FROM x.x.x.x TO 10.10.10.10:80
4) ???

Now, depending on whether you want the IP to be translated by NAT, you should
have your ipfw allow rule at position (2) allowing traffic to 24.9.218.175
itself, OR at position (4) allowing traffic to 10.10.10.10 on your private
network. If you had your rule at position (4) allowing traffic to
24.9.218.175, that would not work because the packet has already been
translated to 10.10.10.10 by the time the rules in position (4) are
evaluated, so the rule would not match the packet header.

As to why the divert rule is magically appearing at position 100, I can only
guess that this might be because it is the first rule added during startup of
the system, and no rule number is specified. I seem to recall that man ipfw
says that when a rule is added with no number specified, it will
automatically take 'the last rule number' + 100.

Have a look through /etc/rc and /etc/rc.firewall to see where the 'ipfw add
divert ...' rule happens, and change it to 'ipfw add # divert ....'
(substitute the number you want for the #). Try '# grep divert /etc/* ' to
help find it...

Hope this helps a bit.

Patrick.

-----Original Message-----
From: owner-freebsd-questions@FreeBSD.ORG
[mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Jim Freeze
Sent: 11 June 2001 18:25
To: questions@FreeBSD.ORG
Subject: Need help with meaning of divert

Hi:

I have a firewall using natd. When I list the rules, I get a rule 0100 divert:

# ipfw list
[...snipped]
00050 allow tcp from any to 24.9.218.175 80 setup
00100 divert 8668 ip from any to any via vx0
00150 allow ip from any to any via lo0
[...snipped]

In /etc/rc.firewall I have the rules 0050 and 00150, but 0100 is added by
default (ie, it is not in /etc/rc.firewall). Can someone explain to me what
this rule does?

Also, I copied my original rule set from mostgraveconcern but found that some
of the rules did not work because they came after rule 100. So, for example,
I had to put

allow tcp from any to 24.9.218.175 80 setup

at 0050 for my webserver to work. I had to do the same with ssh, cvs and mail.

This raises three issues:
1) It gets kind of crowded below 100
2) How does one move divert to a higher number
3) What rules need to be before divert

Any insight is greatly appreciated.

=========================================================
Jim Freeze jim@freeze.org
---------------------------------------------------------
No comment at this time.
http://www.freeze.org
=========================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
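Added worked example (not part of the thread, and not ipfw or natd code): a
small Python model of the rule walk Patrick describes, so the three placements
he discusses can be checked side by side. It uses the addresses, port and rule
numbers from the thread; the natd redirect table (a redirect_port for tcp port
80 to 10.10.10.10) and the outside source address "x.x.x.x" are assumptions
taken from the reply's illustration. The auto-numbering in add_rule models the
"last rule number + 100" behaviour the reply recalls from ipfw(8), and is only
a model of that recollection.

```python
"""Model of how an ipfw ruleset with a natd divert rule sees an inbound packet.

Constructed example, not ipfw or natd code. Addresses, ports and rule numbers
come from the thread; the redirect table and the source address are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PUBLIC_IP = "24.9.218.175"      # firewall's public address (vx0) from the thread
WEB_SERVER = "10.10.10.10"      # private web server from the thread
DIVERT_PORT = 8668              # natd's divert socket, from Jim's listing

# Assumed natd configuration: "-redirect_port tcp 10.10.10.10:80 80"
# maps public port -> (private address, private port).
REDIRECT_PORT = {80: (WEB_SERVER, 80)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "allow", "deny" or "divert"
    dst: str = "any"             # destination address to match, or "any"
    dport: Optional[int] = None  # destination port to match, or None for any


def natd_inbound(pkt: Packet) -> Packet:
    """What natd does with an inbound packet it receives on the divert socket:
    rewrite a redirected public port to the private address behind it."""
    if pkt.dst == PUBLIC_IP and pkt.dport in REDIRECT_PORT:
        new_dst, new_port = REDIRECT_PORT[pkt.dport]
        return replace(pkt, dst=new_dst, dport=new_port)
    return pkt


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int, Packet]:
    """Walk the rules in numeric order. A matching divert rule hands the packet
    to natd and evaluation resumes at the next rule with the translated header;
    the first allow/deny decides. Returns (verdict, rule number, final packet)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd_inbound(pkt)
            continue             # re-injected right after the divert rule
        return rule.action, rule.number, pkt
    return "deny", 65535, pkt    # ipfw's implicit default rule


def add_rule(rules: List[Rule], action: str, number: Optional[int] = None, **match) -> Rule:
    """Append a rule. With no number given, use highest existing number + 100,
    which is the auto-numbering the reply above recalls from ipfw(8)."""
    if number is None:
        number = max((r.number for r in rules), default=0) + 100
    rule = Rule(number, action, **match)
    rules.append(rule)
    return rule


# Step (1) of the reply's illustration: a connection from the outside world.
INBOUND = Packet(src="x.x.x.x", dst=PUBLIC_IP, dport=80)


def scenario(allow_number: int, allow_dst: str) -> Tuple[str, int, Packet]:
    """Divert fixed at 100 as in Jim's listing; one allow for port 80 placed
    either before (position 2) or after (position 4) the divert."""
    rules = [Rule(100, "divert"), Rule(allow_number, "allow", dst=allow_dst, dport=80)]
    return evaluate(rules, INBOUND)


if __name__ == "__main__":
    print("allow 24.9.218.175 at 50  ->", scenario(50, PUBLIC_IP))
    print("allow 10.10.10.10 at 200  ->", scenario(200, WEB_SERVER))
    print("allow 24.9.218.175 at 200 ->", scenario(200, PUBLIC_IP))
    print("divert added to empty set ->", add_rule([], "divert").number)
```

The third scenario is the mistake the reply warns about: after the divert the
header already reads 10.10.10.10, so an allow for 24.9.218.175 placed there
never matches and the packet falls through to the default rule.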