Date:      Thu, 20 Aug 1998 10:25:28 -0700 (PDT)
From:      Julian Elischer <julian@whistle.com>
To:        Matthew Spiers <matt@pavilion.net>
Cc:        questions@FreeBSD.ORG
Subject:   Re: ipfw with address translation and ipltd
Message-ID:  <Pine.BSF.3.95.980820102002.12047A-100000@current1.whistle.com>
In-Reply-To: <19980820150250.A23813@pavilion.net>

If you are running 2.2.x then only one divert rule will work as you
expect..

you need to compile the kernel with IPFW_DIVERT_RESTART

this changes the semantics so that
multiple diverts are possible.

that change in semantics is that after diversion and reinjection,
the packet restarts the firewall AFTER the rule# that caused the
diversion..
the old semantics were that the reinjected packet restarted the firewall
at the beginning and skipped the rule that caused the diversion.
The problem with the old semantics is that you could only remember one
diversion, so if you had 2 diverts you would loop forever between them.

in -current the new semantics are the default.



On Thu, 20 Aug 1998, Matthew Spiers wrote:

> At present we are running ipfw on a BSD box to do routing, with a divert
> rule to ipltd which enables us to bandwidth restrict the subnets.
> We are considering using address translation as we'd like to conserve IP
> space.  Our understanding is that we will need another divert rule
> to natd. The ipfw man page states ' If a packet matches more than one divert
> and/or tee rule, all but the last are ignored.'
> 
> Now we are concerned that this might mean only one divert is possible -
> or does it mean diverts to a specific port are only allowed once (loop
> avoidance)?
> Or if we natd first, will the 'altered' IP allow us to have another divert
> rule as it's a 'different' IP passing through the ipfw rules?
> 
> Anyone have any thoughts/information on this subject?
> 
> Regards,
> 
> Matt
> Pavilion Internet plc.
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
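The two re-injection behaviours Julian describes, as an added simulation that is not part of the original thread and not ipfw code: one packet walks a constructed rule set with two divert rules (a bandwidth limiter on rule 100 and natd on rule 200, ports and rule numbers are assumptions) followed by a final allow. Under the 2.2.x default the firewall restarts at the first rule and remembers only the single most recent diverting rule, so the packet bounces between the two diverts until a step cap (an assumption added here to make the loop observable) trips; with IPFW_DIVERT_RESTART matching resumes after the diverting rule and the packet reaches the allow having visited each divert once. The model also shows that a rule set with a single divert behaves the same under both semantics, which is why a one-divert setup "just works" on 2.2.x.

```python
"""Simulate ipfw divert re-injection under the 2.2.x default and the
IPFW_DIVERT_RESTART semantics. Example code, not ipfw's own logic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    number: int      # ipfw rule number; rules are matched in ascending order
    action: str      # "divert", "allow" or "deny"
    port: int = 0    # divert socket port (only meaningful for "divert")


# Constructed rule set (assumption): limiter first, natd second, then allow.
TWO_DIVERTS = [
    Rule(100, "divert", 8668),   # e.g. the bandwidth limiter's divert socket
    Rule(200, "divert", 8669),   # e.g. natd's divert socket
    Rule(65000, "allow"),
]

ONE_DIVERT = [
    Rule(100, "divert", 8669),   # natd only
    Rule(65000, "allow"),
]


def run_firewall(rules: List[Rule], restart_after_rule: bool,
                 max_diverts: int = 50) -> Tuple[str, List[int]]:
    """Walk the rule list for a single packet.

    restart_after_rule=True  -> IPFW_DIVERT_RESTART (default in -current):
        after re-injection, matching resumes at the rule AFTER the one
        that diverted the packet.
    restart_after_rule=False -> 2.2.x default:
        after re-injection, matching restarts at the first rule and skips
        only the one rule that most recently diverted the packet (the
        firewall remembers a single diversion).

    Returns (verdict, trace): verdict is "allow", "deny", or "loop" when
    more than max_diverts diversions happen (the cap is an assumption of
    this model so an endless bounce is reported instead of hanging);
    trace lists the rule numbers of the diverts taken, in order.
    """
    rules = sorted(rules, key=lambda r: r.number)
    trace: List[int] = []
    start_index = 0
    skip_rule: Optional[int] = None

    while True:
        i = start_index
        diverted = False
        while i < len(rules):
            rule = rules[i]
            if rule.number == skip_rule:
                i += 1
                continue
            if rule.action == "divert":
                trace.append(rule.number)
                if len(trace) > max_diverts:
                    return "loop", trace
                # Packet goes to the daemon listening on rule.port and is
                # re-injected; where matching resumes depends on the semantics.
                if restart_after_rule:
                    start_index = i + 1
                    skip_rule = None
                else:
                    start_index = 0
                    skip_rule = rule.number
                diverted = True
                break
            if rule.action in ("allow", "deny"):
                return rule.action, trace
            i += 1
        if not diverted:
            return "deny", trace   # fell off the end of the rule list


if __name__ == "__main__":
    for name, rules in (("two diverts", TWO_DIVERTS), ("one divert", ONE_DIVERT)):
        for sem, flag in (("2.2.x default", False), ("IPFW_DIVERT_RESTART", True)):
            verdict, trace = run_firewall(rules, flag)
            print(f"{name:12s} {sem:20s} -> {verdict:5s} diverts={trace[:6]}")
```

The "loop" verdict with the trace alternating 100, 200, 100, 200 is the behaviour Julian warns about; the same two-divert set under the restart-after-rule semantics yields "allow" with trace [100, 200].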