From: "Marcelo Pinheiro" (marcelo@wavenet.com.br)
To: freebsd-questions@freebsd.org
Date: Thu, 22 Apr 2004 16:25:53 -0300
Subject: Dummynet+Firewall+One_pass question
In-Reply-To: <20040422190101.B04F216A4CE@hub.freebsd.org>

Hi,

I am very new to FreeBSD, and I have a quite simple question: How does IPFW work when I use PIPES, divert and some other firewall rules? What does net.inet.ip.fw.one_pass mean?

For instance, if I use a pipe before a divert with one_pass set to 1, the packet passes through the pipe, but does not pass through the divert, and that makes total sense. However, if I set one_pass to 1 and set the pipe after the divert using the internal IP address (RFC 1918), it works... that does not make any sense, at least to me. :)

Here are some sample rules:

  # INTERNAL NETWORK
  ${fwcmd} pipe 1000 config bw 1024Kbit/s
  ${fwcmd} pipe 1001 config bw 1024Kbit/s
  ${fwcmd} add divert natd all from 10.0.0.0/8 to any
  ${fwcmd} add divert natd all from any to 200.x.x.x
  ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
  ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8

If I set it up the way above, it works fine, even if one_pass is set to 1 (one). The divert changes the packet header to my external IP, and my real question is: how in the world does the pipe work if the header is changed to 200, instead of 10?

THIS WAY IT DOES NOT WORK WITH ONE_PASS SET TO 1; it passes through the pipe, but does not pass through the divert:

  # INTERNAL NETWORK
  ${fwcmd} pipe 1000 config bw 1024Kbit/s
  ${fwcmd} pipe 1001 config bw 1024Kbit/s
  ${fwcmd} add pipe 1038 ip from 10.0.0.0/8 to any
  ${fwcmd} add pipe 1039 ip from any to 10.0.0.0/8
  ${fwcmd} add divert natd all from 10.0.0.0/8 to any
  ${fwcmd} add divert natd all from any to 200.x.x.x

I deeply appreciate any ideas.

Sincerely,
Marcelo Pinheiro
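As an added illustration of the two orderings in the mail above (this is not part of Marcelo's message and not ipfw's own code), the following Python model walks a rule list the way ipfw(8) documents it: a divert rule hands the packet to natd, which reinjects it and the search resumes at the next rule, so later rules match on the rewritten header; a dummynet pipe rule ends processing when net.inet.ip.fw.one_pass is 1 and continues at the next rule when it is 0. Everything concrete is constructed: the rule numbers, the external address 203.0.113.1 standing in for the poster's 200.x.x.x, the internal host 10.0.0.5, the remote host 192.0.2.10, the final allow rule, and the toy_natd function, which only rewrites addresses. The model evaluates a single traversal of the rule set and does not reproduce natd's per-interface, per-direction handling or the fact that a forwarded packet is evaluated once on input and once on output.

```python
"""Toy model of ipfw rule traversal with divert and dummynet pipe actions.

Added example; not from the original mail and not ipfw code.  All addresses,
rule numbers and the natd stand-in below are constructed for illustration.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

EXTERNAL_IP = "203.0.113.1"   # constructed stand-in for the poster's 200.x.x.x
INTERNAL_HOST = "10.0.0.5"    # constructed internal host behind natd
INTERNAL_NET = "10.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    number: int
    action: str   # "divert", "pipe" or "allow"
    arg: int      # pipe number for "pipe", 0 otherwise
    src: str      # CIDR, host address or "any"
    dst: str


def _match(spec: str, addr: str) -> bool:
    """ipfw-style address match: 'any' or membership in a network/host."""
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return _match(rule.src, pkt.src) and _match(rule.dst, pkt.dst)


def toy_natd(pkt: Packet) -> Packet:
    """Constructed stand-in for natd: alias internal sources to EXTERNAL_IP,
    de-alias packets addressed to EXTERNAL_IP back to INTERNAL_HOST.
    Real natd keeps a per-flow table and is interface/direction aware."""
    if ip_address(pkt.src) in ip_network(INTERNAL_NET):
        return replace(pkt, src=EXTERNAL_IP)
    if pkt.dst == EXTERNAL_IP:
        return replace(pkt, dst=INTERNAL_HOST)
    return pkt


def process(pkt: Packet, rules: List[Rule], one_pass: bool,
            nat: Callable[[Packet], Packet] = toy_natd
            ) -> Tuple[Packet, List[Tuple[int, str]]]:
    """Walk the rule list once.  Returns the packet as it leaves the firewall
    and the (rule number, action) pairs that matched along the way."""
    trace: List[Tuple[int, str]] = []
    for rule in rules:
        if not rule_matches(rule, pkt):
            continue
        trace.append((rule.number, rule.action))
        if rule.action == "pipe":
            # dummynet: one_pass=1 means the packet leaves the firewall here;
            # one_pass=0 means it re-enters at the rule after the pipe.
            if one_pass:
                return pkt, trace
            continue
        if rule.action == "divert":
            # natd rewrites the header and reinjects the packet; the search
            # resumes at the next rule, which therefore sees the new header.
            pkt = nat(pkt)
            continue
        if rule.action == "allow":
            return pkt, trace
    return pkt, trace


# Ordering 1 from the mail: divert before pipe.
DIVERT_THEN_PIPE = [
    Rule(100, "divert", 0, INTERNAL_NET, "any"),
    Rule(200, "divert", 0, "any", EXTERNAL_IP),
    Rule(300, "pipe", 1038, INTERNAL_NET, "any"),
    Rule(400, "pipe", 1039, "any", INTERNAL_NET),
    Rule(65535, "allow", 0, "any", "any"),   # constructed terminal rule
]

# Ordering 2 from the mail: pipe before divert.
PIPE_THEN_DIVERT = [
    Rule(100, "pipe", 1038, INTERNAL_NET, "any"),
    Rule(200, "pipe", 1039, "any", INTERNAL_NET),
    Rule(300, "divert", 0, INTERNAL_NET, "any"),
    Rule(400, "divert", 0, "any", EXTERNAL_IP),
    Rule(65535, "allow", 0, "any", "any"),   # constructed terminal rule
]


if __name__ == "__main__":
    outbound = Packet(INTERNAL_HOST, "192.0.2.10")   # constructed
    inbound = Packet("192.0.2.10", EXTERNAL_IP)      # constructed
    for name, rules in (("divert-then-pipe", DIVERT_THEN_PIPE),
                        ("pipe-then-divert", PIPE_THEN_DIVERT)):
        for one_pass in (True, False):
            for label, pkt in (("out", outbound), ("in", inbound)):
                final, trace = process(pkt, rules, one_pass)
                print(f"{name} one_pass={int(one_pass)} {label}: "
                      f"{trace} -> {final.src}->{final.dst}")
```

Running it shows the behaviour the mail describes: with pipe-then-divert and one_pass=1 the outbound packet matches pipe 1038 and leaves the firewall with its 10.0.0.0/8 source untouched, so the divert rule is never reached; with one_pass=0 the same packet continues past the pipe and is translated. With divert-then-pipe, an inbound packet to the external address is de-aliased by the divert rule and then matches pipe 1039 on its new 10.0.0.0/8 destination, while the outbound packet, once aliased, no longer matches the "from 10.0.0.0/8" pipe rule in this single traversal.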