Date: Mon, 04 Mar 2002 23:09:40 -0300
From: Luiz Morte da Costa Jr <morte@dsee.fee.unicamp.br>
To: "Crist J. Clark" <cjc@FreeBSD.ORG>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: ipfw problem
Message-ID: <5.1.0.14.0.20020304230504.00bbffc0@127.0.0.1>
In-Reply-To: <20020302110637.F66092@blossom.cjclark.org>
References: <30575.200.208.15.217.1014995951.squirrel@tucunare.fee.unicamp.br>
Hi Crist,

IT WORKS :))))))))

My mistake was just what you said, about the 3 and 4 rules. Thank you very much for your attention.

Luiz Morte.

At 11:06 2/3/2002 -0800, Crist J. Clark wrote:
>On Fri, Mar 01, 2002 at 12:19:11PM -0300, Luiz Morte da Costa Jr wrote:
> >
> > Hi all,
> >
> > I don't know if this is possible, but ... :
>
>Anything is possible.
>
> > I've installed FreeBSD 4.4 on a machine with 3 NICs. I've configured:
> >
> > nic fxp0: a.b.c.d -> Internet link, with a valid IP
> > nic fxp1: e.f.g.h -> Internet link, with a valid IP
> > nic fxp2: 10.10.10.1 -> Internal link, with a non-valid IP
> >
> > My default router is a.b.c.29 (the same IP class as fxp0)
> >
> > I'm using ipfw+nat and the idea is:
> > http protocol: out/in via fxp1
> > other protocols: out/in via fxp0
>
>OK. Whatever you want.
>
> > - I'm starting natd like this:
> > natd (8668) on the fxp0 nic and
> > natd2 (8669) on the fxp1 nic
>
>These are just run like 'natd -n fxp[01]' with no additional options?
>
> > - I've used the rules below:
> > add 001 divert 8669 tcp from any to any 80
> > add 002 divert 8669 tcp from any 80 to any
> > add 003 fwd e.f.g.h tcp from any to any 80 via fxp1 (fxp1 IP Class)
> > add 004 fwd e.f.g.h tcp from any 80 to any via fxp1 (fxp1 IP Class)
> > add 005 skipto 020 tcp from any to any 80
> > add 006 skipto 020 tcp from any 80 to any
> > add 010 divert 8668 all from any to any
> > add 020 allow log all from any to any
> >
> >
> > - logs:
> > Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept 10.10.10.130:1133 209.73.180.8:80 in via fxp2
> > (accessing AltaVista from a machine on the internal network: 10.10.10.130)
> >
> > Feb 17 11:45:15 fw /kernel: ipfw: 020 Accept e.f.g.h:1133 209.73.180.8:80 out via fxp0
> >
> >
> >
> > I think the NAT is working fine (logs), but all the Internet traffic is
> > passing through fxp0. I have a routing problem and I don't know if I can fix
> > it. In other words, only the http protocol passes through fxp1 and other
> > protocols pass through fxp0.
>
>Your 3 and 4 rules do not mean what you seem to think they mean. Rule
>3 is saying, forward to e.f.g.h any packet that is crossing interface
>fxp1 destined to port 80. That is, the 'via fxp1' means the packet
>must be already crossing that interface to match the rule. Plus, you
>really don't want to be 'fwd'ing the packets to the local
>machine. That means the local machine processes them as if they were
>destined for itself.
>
>What you want to do is,
>
> add 003 fwd e.f.g.i tcp from e.f.g.h to any 80 out
>
>Where e.f.g.i is the gateway off of e.f.g.h. At least, if that whole
>mess works at all, this rule will kick those packets out of the other
>link.
>--
>Crist J. Clark | cjclark@alum.mit.edu
> | cjclark@jhu.edu
>http://people.freebsd.org/~cjc/ | cjc@freebsd.org
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-ipfw" in the body of the message
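The point Crist makes about 'via fxp1' versus 'from e.f.g.h ... out' can be checked with a small first-match simulation of the two candidate rule 003 lines against the two packets from the posted log. This is an added example, not code from the thread; it assumes the placeholder addresses from the thread (e.f.g.h on fxp1, e.f.g.i as its gateway), models only the matching keywords used here (not divert or skipto), and takes the log at its word that natd2 has already rewritten the source to e.f.g.h before the outbound pass.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" or "out"
    iface: str      # interface the packet is actually crossing

@dataclass
class Rule:
    num: int
    action: str                      # e.g. "fwd e.f.g.i", "allow"
    proto: str = "all"
    src: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None  # ipfw "in" / "out" keyword
    via: Optional[str] = None        # ipfw "via <iface>" keyword

    def matches(self, p: Packet) -> bool:
        """'via fxp1' only matches a packet that is crossing fxp1 itself."""
        return (self.proto in ("all", p.proto)
                and self.src in ("any", p.src)
                and self.dport in (None, p.dport)
                and self.direction in (None, p.direction)
                and self.via in (None, p.iface))

def first_match(rules, pkt) -> Optional[Rule]:
    """ipfw semantics: rules are tried in ascending order, first match wins."""
    for r in sorted(rules, key=lambda r: r.num):
        if r.matches(pkt):
            return r
    return None

# Rule 003 as posted, and the replacement suggested in the reply (e.f.g.i = gateway on the fxp1 link).
ORIG_003 = Rule(3, "fwd e.f.g.h", proto="tcp", dport=80, via="fxp1")
FIXED_003 = Rule(3, "fwd e.f.g.i", proto="tcp", src="e.f.g.h", dport=80, direction="out")
ALLOW_020 = Rule(20, "allow")

# Constructed from the two posted log lines: the LAN side before NAT, and the same
# flow after natd2 rewrote the source, being routed out the default link fxp0.
INBOUND = Packet("tcp", "10.10.10.130", 1133, "209.73.180.8", 80, "in", "fxp2")
OUTBOUND = Packet("tcp", "e.f.g.h", 1133, "209.73.180.8", 80, "out", "fxp0")

if __name__ == "__main__":
    for name, rule in (("original", ORIG_003), ("fixed", FIXED_003)):
        hit = first_match([rule, ALLOW_020], OUTBOUND)
        print(f"{name} rule 003 on outbound packet -> rule {hit.num} ({hit.action})")
```

With the original rule the outbound packet falls through to rule 020 and leaves via fxp0 as the log shows; with the fixed rule it hits the fwd to e.f.g.i, which is what pushes it out the fxp1 link.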