From owner-freebsd-questions Tue Jun 12 7:40:40 2001
Date: Tue, 12 Jun 2001 10:39:30 -0400 (EDT)
From: Jim Freeze
To: "Patrick O'Reilly"
Subject: RE: Need help with meaning of divert

Thanks Patrick for the wonderful explanation.

On Tue, 12 Jun 2001, Patrick O'Reilly wrote:

> Basically, what happens when a TCP/IP packet hits an interface is the kernel
> first runs it through your ipfw rules in numeric sequence. When it hits the
> divert rule the packet will be processed by NATD which will substitute the
> private internal IP with the public external IP of the interface (the IP
> associated with interface 'vx0' in your case). The packet is then
> re-injected into the ipfw ruleset right after the divert rule. Other
> translations might happen if natd has been given redirect_port or
> redirect_address directives.
>
> To illustrate, consider this example: your web server is on private IP
> 10.10.10.10, but your firewall's public IP is 24.9.218.175. There will

How do I know what address will be used for the private IP? I assume that
it can be any of 192.168.x.x or 10.x.x.x?

> Try '# grep divert /etc/* ' to help find it...

/etc/protocols:divert 254 DIVERT # Divert pseudo-protocol
/etc/rc.firewall:# minus any divert rules (see natd(8)).
/etc/rc.firewall: $fwcmd add divert natd all from any to any via ${natd_interface}
/etc/rc.firewall.open:$fwcmd add divert natd all from any to any via ${natd_interface}
/etc/rc.network: echo -n 'Firewall rules loaded, starting divert daemons:'
/etc/services:natd 8668/divert # Network Address Translation

> Hope this helps a bit.

Yes, thanks

=========================================================
Jim Freeze                                  jim@freeze.org
---------------------------------------------------------
No comment at this time.              http://www.freeze.org
=========================================================
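Patrick's description of the divert rule (rules walked in numeric order, natd rewriting the packet, re-injection right after the divert rule, redirect_port for the web server) can be modelled in a few lines. The following is an added illustration, not code from this thread or from FreeBSD; the ruleset, the redirect_port entry and the sample packets are constructed, using the addresses Patrick quoted, and the "is this private?" check answers Jim's question about which ranges natd will be hiding.

```python
# Toy model of ipfw rule traversal with a "divert natd" rule (added illustration, not FreeBSD code).
import ipaddress
from dataclasses import dataclass

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):   # True if ip is in one of the RFC 1918 ranges a natd-hidden host would use
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

class Natd:   # minimal natd: masquerade private sources, redirect_port for inbound connections
    def __init__(self, public_ip, redirect_port):
        self.public_ip = public_ip
        self.redirect_port = redirect_port      # {public port: (private ip, private port)}

    def translate(self, pkt, direction):
        if direction == "out" and is_private(pkt.src):
            return Packet(self.public_ip, pkt.dst, pkt.dport)
        if direction == "in" and pkt.dst == self.public_ip and pkt.dport in self.redirect_port:
            ip, port = self.redirect_port[pkt.dport]
            return Packet(pkt.src, ip, port)
        return pkt

def run_ipfw(rules, natd, pkt, direction):
    # Walk (number, action, match) rules in numeric order; return (verdict, final packet).
    for _num, action, match in sorted(rules, key=lambda r: r[0]):
        if not match(pkt):
            continue
        if action == "divert":
            pkt = natd.translate(pkt, direction)   # natd rewrites the packet ...
            continue                                # ... and it re-enters right after this rule
        return action, pkt
    return "deny", pkt                              # ipfw's implicit default deny

# Constructed ruleset in the spirit of rc.firewall; every rule after 50 sees the translated packet.
NATD = Natd("24.9.218.175", {80: ("10.10.10.10", 80)})   # redirect_port tcp 10.10.10.10:80 80
RULES = [
    (50, "divert", lambda p: True),                         # divert natd all from any to any via vx0
    (100, "allow", lambda p: p.dst == "10.10.10.10" and p.dport == 80),  # reaches the web server
    (200, "allow", lambda p: p.src == NATD.public_ip),      # masqueraded traffic bound for the Internet
    (65000, "deny", lambda p: True),
]

def check(src, dst, dport, direction):
    verdict, pkt = run_ipfw(RULES, NATD, Packet(src, dst, dport), direction)
    return verdict, pkt.src, pkt.dst, pkt.dport
```

The point worth noticing is that the allow rules after the divert are matched against the translated addresses: an inbound packet for port 80 arrives at rule 100 already addressed to 10.10.10.10, and an outbound packet from the LAN arrives at rule 200 already carrying the public source, so rules written in terms of the pre-NAT addresses would never fire.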