Date:      Tue, 7 Jul 2009 09:20:30 +0200
From:      Kim Attree <kim.attree@playsafesa.com>
To:        Giuliano Gavazzi <dev+lists@humph.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   RE: Problem with source based policy routing
Message-ID:  <00265389C30B444288C246DF37651D0C37698F395A@server-02.playsafesa.com>
In-Reply-To: <D99BAF63-5F9C-49BC-AE5B-2652B1F6BDC7@humph.com>
References:  <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com> <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com> <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com> <D99BAF63-5F9C-49BC-AE5B-2652B1F6BDC7@humph.com>

> -----Original Message-----
> From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> Sent: 06 July 2009 06:54 PM
> To: Kim Attree
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: Problem with source based policy routing
>
>
> On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:
>
> > I have one Internal Exchange server (don't laugh), and NAT handles
> > the static mapping of IP/Port to that server. The original point
> > here is to have two mapped NAT port 25's to the same internal Mail
> > server, hence the addition of the NAT before and during the forward
> > logic (obviously wrong though).
> >
>
>
> ah, if you want to have an internal server to be reachable on both
> public addresses, via the corresponding two firewall interfaces, you
> must have a way to tell the firewall how to distinguish the return
> packets in order to use the correct natd instance. If the internal
> exchange server port is the same, there is no way telling that. At
> most you could use the peer port, but even that would not be
> failproof, and I would not know how to proceed (I think dynamic rules
> can only establish holes - allow action - in the firewall, not a fwd
> action). So you must use two different ports or alias addresses on the
> exchange server, and divert to the appropriate outgoing natd instance
> on the basis of that.
>
> I have not enough time at the moment to write down a complete
> workflow, but I hope this, with the remarks in my previous post, gives
> you enough hints.

It has, I realised that the return traffic needs differing source IPs - I've added another IP and SMTP Connector to Exchange and will test the theory out today.


>
> Giuliano

Thanks,

Kim
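The layout Giuliano sketches (one natd instance per public address, and the internal server answering from a distinct alias for each) written out as an ipfw/natd rc script. This is an added example, not a configuration posted in the thread; the interfaces (em0/em1), addresses (203.0.113.10, 198.51.100.10, aliases 10.0.0.25 and 10.0.0.26 on the Exchange box, gateways 203.0.113.1/198.51.100.1) and natd ports 8668/8669 are assumed placeholders. The security-relevant point is that the outbound divert is keyed on the internal source alias, not on the outgoing interface, because before the fwd rule fires every reply would otherwise be routed out the default interface and hit the wrong natd.

```shell
#!/bin/sh
# Added example: one internal mail server reachable on two public addresses
# through two natd instances. All addresses, interfaces and ports below are
# assumed placeholders for illustration.
IPFW=${IPFW:-ipfw}            # set IPFW=echo to dry-run the ruleset
NATD=${NATD:-natd}
EXT_A_IF=em0; EXT_A_IP=203.0.113.10; GW_A=203.0.113.1   # ISP A
EXT_B_IF=em1; EXT_B_IP=198.51.100.10; GW_B=198.51.100.1 # ISP B
MAIL_A=10.0.0.25              # Exchange alias that answers for ISP A
MAIL_B=10.0.0.26              # Exchange alias that answers for ISP B
NATD_A_PORT=8668; NATD_B_PORT=8669

start_natd() {
    # One natd per public address. -a pins each instance to a fixed alias
    # address (instead of -n interface) so translation does not depend on
    # which interface the routing table happens to pick for a reply.
    $NATD -p $NATD_A_PORT -a $EXT_A_IP -redirect_port tcp $MAIL_A:25 25
    $NATD -p $NATD_B_PORT -a $EXT_B_IP -redirect_port tcp $MAIL_B:25 25
}

apply_rules() {
    $IPFW -f flush
    $IPFW add 100 allow ip from any to any via lo0
    # Inbound: hand each public address to its own natd on arrival.
    $IPFW add 200 divert $NATD_A_PORT ip from any to $EXT_A_IP in recv $EXT_A_IF
    $IPFW add 210 divert $NATD_B_PORT ip from any to $EXT_B_IP in recv $EXT_B_IF
    # Outbound: the internal source alias is the only thing that tells the two
    # mail flows apart, so select the natd instance on it, not on xmit <if>.
    $IPFW add 300 divert $NATD_A_PORT ip from $MAIL_A to any out
    $IPFW add 310 divert $NATD_B_PORT ip from $MAIL_B to any out
    # natd re-injects the translated packet after the divert rule, so the
    # public source is visible here; steer ISP B's traffic to ISP B's gateway
    # instead of the default route through ISP A.
    $IPFW add 320 fwd $GW_B ip from $EXT_B_IP to any out
    # Post-translation inbound SMTP to each alias, then the usual policy.
    $IPFW add 400 allow tcp from any to $MAIL_A 25 in recv $EXT_A_IF
    $IPFW add 410 allow tcp from any to $MAIL_B 25 in recv $EXT_B_IF
    $IPFW add 500 allow tcp from any to any established
    $IPFW add 510 allow ip from any to any out
    $IPFW add 65000 deny log ip from any to any
}

# Only touch the running system when explicitly asked ("./dualnat.sh apply").
if [ "${1:-}" = "apply" ]; then
    start_natd
    apply_rules
fi
```

Caveats: the kernel needs IPDIVERT and (on FreeBSD releases of that era) IPFIREWALL_FORWARD for `fwd` to have any effect, `net.inet.ip.forwarding` must be 1, and `IPFW=echo sh dualnat.sh` prints the rules so the divert-before-fwd ordering can be checked before loading them. The default route still has to point at ISP A (GW_A) for rule 320 to be the only exception.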



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?00265389C30B444288C246DF37651D0C37698F395A>