From owner-freebsd-ipfw Thu Aug 29 14:05:06 2002
Delivered-To: freebsd-ipfw@freebsd.org
Date: Thu, 29 Aug 2002 14:59:28 -0600 (MDT)
From: Nick Rogness <nick@rogness.net>
To: cjclark@alum.mit.edu
Cc: John Resnier ,
Subject: Re: Policy routing using IPFW for multiple ISP's
In-Reply-To: <20020829144219.G41479-100000@skywalker.rogness.net>
Message-ID: <20020829145520.H41479-100000@skywalker.rogness.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk

On Thu, 29 Aug 2002, Nick Rogness wrote:

> On Thu, 29 Aug 2002, Crist J. Clark wrote:
>
> > > > > That's the problem, it won't. When the packet hits the 'fwd' rule above,
> > > > > it is accepted by the firewall and queued up on rl0. It doesn't continue
> > > > > through or start again through the rules with the new interface.
> > > >
> > > > Did this change? I swear this used to work at one time.
> > > > Either way he can still use:
> > > >
> > > > fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 out recv fxp0 xmit ed0
> > > >
> > > > I believe that should work.
> > >
> > > This made me think. I don't think this used to work, but you should be
> > > able to do this now.
> > >
> > > In the past, you could only 'fwd' outgoing packets. That won't work here
> > > since once the packets hit the 'fwd' they are out of the firewall rules,
> > > out the specified interface, and on the wire before they can ever be
> > > processed by a natd(8) handling packets crossing the other interface.
> > >
> > > But now that we can use 'fwd' on incoming packets, you should be able
> > > to do this. However, you'd need to change the above rule to,
> > >
> > > fwd 199.185.xx.xx tcp from any to 66.25.xx.0/24 80 in via fxp0
> > >
> > > Now, the packets are routed out the other interface _AND_ go through the
> > > ipfw(8) rules on that interface. That means that they will go to the
> > > natd(8) watching the other interface.
>
> Haven't tried this technique since it's been added. I do know,
> however, that the 'out recv fxp0 xmit ed0' thing DOES work as I
> have been using that for a while to interoperate with a squid
> proxy box. I'll look at the 'in via fxp0' fwd stuff to see if it
> works and report my findings.

I take this comment back. I'm not sure if it will traverse the ipfw
rules on the second interface as I'm running a variation on this.
Sorry for the wasted argument.

Nick Rogness
- WARNING TO ALL PERSONNEL: Firings will continue until morale improves.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message