Date:      Thu, 29 Aug 2002 14:59:28 -0600 (MDT)
From:      Nick Rogness <nick@rogness.net>
To:        cjclark@alum.mit.edu
Cc:        John Resnier <john_resnier@yahoo.com>, <freebsd-ipfw@FreeBSD.ORG>
Subject:   Re: Policy routing using IPFW for multiple ISP's
Message-ID:  <20020829145520.H41479-100000@skywalker.rogness.net>
In-Reply-To: <20020829144219.G41479-100000@skywalker.rogness.net>

On Thu, 29 Aug 2002, Nick Rogness wrote:

> On Thu, 29 Aug 2002, Crist J. Clark wrote:
>
> > > >
> > > > That's the problem, it won't. When the packet hit the 'fwd' rule above,
> > > > it is accepted by the firewall and queued up on rl0. It doesn't continue
> > > > through or start again through the rules with the new interface.
> > >
> > >  Did this change?  I swear this used to work at one time.
> > >  Either way he can still use:
> > >
> > >  fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0
> > >
> > >  I believe that should work.
> >
> > This made me think. I don't think this used to work, but you should be
> > able to do this now.
> >
> > In the past, you could only 'fwd' outgoing packets. That won't work here
> > since once the packets hit the 'fwd' they are out of the firewall rules,
> > out the specified interface, and on the wire before they can ever be
> > processed by a natd(8) handling packets crossing the other interface.
> >
> > But now that we can use 'fwd' on incoming packets, you should be able
> > to do this. However, you'd need to change the above rule to,
> >
> >   fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0
> >
> > Now, the packets are routed out the other interface _AND_ go through the
> > ipfw(8) rules on that interface. That means that they will go to the
> > natd(8) watching the other interface.
>
> 	Haven't tried this technique since it's been added.  I do know,
> 	however, that the 'out recv fxp0 xmit ed0' thing DOES work as I
> 	have been using that for a while to interoperate with a squid
> 	proxy box.  I'll look at the 'in via fxp0' fwd stuff to see if it
> 	works and report my findings.

	I take this comment back.  I'm not sure if it will traverse the
	ipfw rules on the second interface as I'm running a variation on
	this.  Sorry for the wasted argument.  I'm stupid and I have a
	small penis.


Nick Rogness <nick@rogness.net>
- WARNING TO ALL PERSONNEL:
   Firings will continue until morale improves.
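A worked ruleset for the setup the thread is arguing about, added here as an example; it is not code from any of the posters. It assumes interface roles the thread only implies (fxp0 = LAN, rl0 = ISP1 carrying the default route, ed0 = ISP2), one natd(8) per upstream interface on hypothetical divert ports 8668 and 8669, and stand-in addresses from the RFC 5737 documentation ranges in place of the elided 199.185.xx.xx gateway and 66.25.xx.0/24 network. The fwd rule matches on the inbound pass (`in via fxp0`), which is the form Crist proposes; the thread ends without anyone confirming that such a packet really takes the outbound pass on ed0 and reaches natd, so the comments say how to check that on your own box.

```sh
#!/bin/sh
# Added example (not from the thread): dual-ISP policy routing with ipfw fwd
# and one natd per upstream interface, in the style of the rules quoted above.
#
# Assumed roles (hypothetical, adjust to your box):
#   fxp0 = LAN side, rl0 = ISP1 (carries the default route), ed0 = ISP2.
# Addresses are from the RFC 5737 documentation ranges, standing in for the
# 199.185.xx.xx gateway and 66.25.xx.0/24 network that were elided in the thread.
lan_if=fxp0
isp1_if=rl0
isp2_if=ed0
isp2_gw=203.0.113.1          # hypothetical next hop on ISP2, reachable via ed0
web_net=198.51.100.0/24      # hypothetical destination to steer out ISP2
natd1_port=8668              # natd -p 8668 -n rl0
natd2_port=8669              # natd -p 8669 -n ed0

# Emit the ruleset in ipfw(8) file syntax (one command per line, no "ipfw" prefix).
ruleset() {
    cat <<EOF
flush
# Policy route: LAN-originated HTTP to the target network goes to ISP2's gateway.
# The match is on the inbound pass (in via $lan_if); the claim in the thread is
# that the packet then still takes the outbound pass on $isp2_if and reaches the
# divert rule for natd there. Confirm with: ipfw -a list (rule 300 counters climb)
# and natd -v on the second daemon.
add 00100 fwd $isp2_gw tcp from any to $web_net 80 in via $lan_if
# Each upstream has its own natd; divert only traffic crossing that interface.
add 00200 divert $natd1_port ip from any to any via $isp1_if
add 00300 divert $natd2_port ip from any to any via $isp2_if
# Everything else is allowed here for brevity; a real ruleset filters before this.
add 65000 allow ip from any to any
EOF
}

# Apply the ruleset when ipfw is present (FreeBSD); otherwise just show it.
apply() {
    if command -v ipfw >/dev/null 2>&1; then
        ruleset | ipfw -q /dev/stdin
    else
        echo "ipfw not available on this host; generated ruleset:" >&2
        ruleset
    fi
}

case "${1:-}" in
    apply) apply ;;
esac
```

Run it as `sh policy.sh apply` on the router after starting `natd -p 8668 -n rl0` and `natd -p 8669 -n ed0`; the order of rules 200 and 300 matters only in that each must sit after the fwd rule, since the fwd decision has to be made on the inbound pass before the outbound pass on ed0 is evaluated.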

