Date: Tue, 14 Mar 2006 09:06:37 +0600
From: Vladimir Grigor <xvga@mail.ru>
To: Dennis Olvany <dennisolvany@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re[2]: ipfw2(stateful)+divert; why divert rule is ignored?
Message-ID: <1053991119.20060314090637@mail.ru>
In-Reply-To: <4415CD14.9070000@gmail.com>
References: <1438179712.20060310114356@mail.ru> <1014435727.20060313174344@mail.ru> <4415CD14.9070000@gmail.com>

Thanks to all, now the problem is solved.

Tuesday, March 14, 2006, 1:50:44 AM, Dennis wrote:

>> Regular NAT is working properly, but I can't configure NAPT to
>> services on server in LAN....

DO> You mean port forwarding?

Yep

>> 03800 0 0 divert 6893 log logamount 100 tcp from
>> 192.168.0.1 80 to any out via tun0

DO> Possibly traffic has already been translated at this point?

Trick is that I used 'count' rule to identify corresponding traffic.
I've replaced that 'divert' rule with 'count' rule - nothing, no traffic
on that rule. Then just to try I've put 'count' rule 10 rules before
not-working divert rule, and surprisingly 'count' rule found traffic!
I need to say those 10 rules are indifferent to corresponding traffic.

So I just moved divert rules to earlier place in ruleset and it works.
This weird behavior of ipfw seems to me like ... weird at least :)

>> 04700 25 1554 divert 6893 log logamount 100 tcp from any to
>> 212.42.xxx.xxx dst-port 80 in via tun0

DO> Why multiple diverts?

Because I have several services in LAN to offer www users

>> 05000 150 6816 allow log logamount 100 tcp from any to 192.168.0.1
>> dst-port 80 in via tun0 setup keep-state

DO> I believe you'll find setup keep-state incompatible with natd.

Surprisingly - it works!

--
Best regards,
Vladimir
mailto:xvga@mail.ru