Date: Wed, 8 Dec 1999 12:43:01 -0800 (PST)
From: Julian Elischer <julian@whistle.com>
To: Nick Rogness <nick@rapidnet.com>
Cc: Ben WIlliams <williamsl@Home.Com>, freebsd-ipfw@FreeBSD.ORG
Subject: Re: divert rules
Message-ID: <Pine.BSF.4.10.9912081219510.23315-100000@current1.whistle.com>
In-Reply-To: <Pine.BSF.4.05.9912081015260.41144-100000@rapidnet.com>
On Wed, 8 Dec 1999, Nick Rogness wrote:

> On Wed, 8 Dec 1999, Ben WIlliams wrote:
> > [snip]
> > However when playing with divert rules on my natd box whenever I had
> > more than one divert rule -each- rule would be triggered. The effect
> > this had was to have multiple replies sent to any request the inside
> > boxes made. Is this the expected behaviour? (Doesn't seem that way to
> > me...) The divert rules were all together if that has anything to do
> > with it.

You are confusing the behaviour of a single run through the ipfw code with
the result of combining NATD and ipfw.

The first run will finish when the packet is diverted. NATD then changes the
packet and re-injects it back into the firewall at the rule number following
that which diverted it. If it then hits another divert rule, that will be
taken as well.

It is possible to make the rules NOT do this in 2 ways. NATD could be altered
to inject the packet somewhere else in the ruleset, or you could add 2 rules
to each divert rule:

    1000 divert ip from blah blah
    1000 skipto 2000                 <-------- packets not diverted will skip to 2000
    1001 accept ip from any to any   <------ reinjected packets come here.

julian

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
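To make the mechanism Julian describes concrete, the following Python model is added here as an illustration; it is not part of the original thread and is not ipfw or natd source code. It models only what the message states: a divert rule ends the current pass, natd rewrites the packet and re-injects it, and evaluation resumes at the first rule whose number is greater than the diverting rule's number (so a second rule sharing the divert's number, such as the `skipto`, is also passed over). The rule selectors, the sample packets, the alias address and the `natd()` stand-in are constructed for the example and are assumptions, not anything the original poster ran.

```python
"""Model of ipfw rule evaluation with divert/natd re-injection.

Added illustration, not ipfw or natd code. It shows why two consecutive
divert rules each fire on a NATed packet, and how the
"divert / skipto / accept" triple from the message prevents that.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

Packet = dict  # constructed sample: {"src": ..., "dst": ...}


@dataclass
class Rule:
    number: int
    action: str                                   # divert | skipto | accept | deny
    match: Callable[[Packet], bool] = lambda p: True
    target: Optional[int] = None                  # skipto destination


@dataclass
class Trace:
    diverts: int = 0                              # how many times natd saw the packet
    final: Optional[str] = None                   # terminal action
    path: List[int] = field(default_factory=list)  # rule numbers visited, in order


def natd(pkt: Packet, alias_addr: str) -> Packet:
    """Toy stand-in for natd (assumption): rewrite the source address."""
    out = dict(pkt)
    out["src"] = alias_addr
    return out


def run(rules, pkt, alias_addr="203.0.113.1", max_steps=50):
    """Walk the rule set; divert ends the pass and re-injects after the diverter."""
    rules = sorted(rules, key=lambda r: r.number)  # stable: same-number order is kept
    trace, i, steps = Trace(), 0, 0
    while i < len(rules) and steps < max_steps:
        steps += 1
        r = rules[i]
        trace.path.append(r.number)
        if not r.match(pkt):
            i += 1
            continue
        if r.action == "divert":
            trace.diverts += 1
            pkt = natd(pkt, alias_addr)
            # Re-injection resumes at the first rule numbered ABOVE the diverter,
            # which also skips a second rule that shares the diverter's number.
            i = next((k for k, x in enumerate(rules) if x.number > r.number), len(rules))
        elif r.action == "skipto":
            i = next((k for k, x in enumerate(rules) if x.number >= r.target), len(rules))
        else:
            trace.final = r.action
            return trace, pkt
    trace.final = "deny"  # implicit default policy
    return trace, pkt


def count_diverts(rules, pkt) -> int:
    return run(rules, pkt)[0].diverts


# Constructed selector: "outbound" means destined for the (assumed) external net.
def is_outbound(p: Packet) -> bool:
    return p["dst"].startswith("198.51.100.")


# Two divert rules in a row: the re-injected packet still matches the second one.
NAIVE = [
    Rule(1000, "divert", is_outbound),
    Rule(1010, "divert", is_outbound),
    Rule(2000, "accept"),
]

# The triple from the message, repeated once per divert point.
FIXED = [
    Rule(1000, "divert", is_outbound),
    Rule(1000, "skipto", target=2000),   # packets not diverted skip to 2000
    Rule(1001, "accept"),                # re-injected packets land here
    Rule(2000, "divert", is_outbound),
    Rule(2000, "skipto", target=3000),
    Rule(2001, "accept"),
    Rule(3000, "accept"),
]

OUTBOUND = {"src": "10.0.0.5", "dst": "198.51.100.1"}   # constructed
INTERNAL = {"src": "10.0.0.5", "dst": "10.0.0.9"}       # constructed


if __name__ == "__main__":
    for name, rules in (("naive", NAIVE), ("fixed", FIXED)):
        for label, pkt in (("outbound", OUTBOUND), ("internal", INTERNAL)):
            t, out = run(rules, pkt)
            print(f"{name:5} {label:8} diverts={t.diverts} final={t.final} path={t.path} src={out['src']}")
```

Running it shows the outbound packet passing through natd twice under the naive rule set and once under the fixed one, while an internal packet under the fixed set takes both `skipto` jumps and is never diverted. The model also shows why the `skipto` must share the divert's number rather than sit at 1001: a re-injected packet resumes above 1000, so it reaches the `accept` and never sees the `skipto`.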