From: Nathan Kinkade <nkinkade@fastmail.fm>
To: Edison Cala
Cc: freebsd-questions@freebsd.org
Date: Wed, 25 Feb 2004 09:00:45 -0600
Subject: Re: port forwarding and ip-less firewall
Message-ID: <20040225150045.GE11671@nkinkade.bmp.ub>
In-Reply-To: <200402251719.AA14090702@sflu.com>

On Wed, Feb 25, 2004 at 05:19:35PM +0800, Edison Cala wrote:
> Hello list!
>
> I want to ask for some help on port forwarding in a bridge-firewall
> network.
>
> Our network setup is:
>
> 1. The router is outside the firewall, direct to the Internet.
> 2. The bridge-firewall computer (2 ethernet cards installed, eth0 -
> outside (router), eth1 - protected network) is between the router and
> the protected network.
>
> All the servers are behind the firewall and only the allowed ports are
> opened. I have 2 mail servers (unit1.domain.com and unit2.domain.com)
> running on the protected network; unit1.domain.com is just an SMTP
> relay for unit2.domain.com and it's working fine. However, I want to
> put a rule (port forward) in the firewall to forward requests destined to
> unit2.domain.com (port 25), but that request should first be passed to
> unit1.domain.com (for antispam processing) before unit2. unit1 should
> then be the one to forward the request to unit2.domain.com.
>
> Why I want to do this is that some mails are getting through and
> received at unit2 without passing to unit1. In MX, unit1 is the 1st
> priority and unit2 is 2nd priority only.
>
> Please help and give an idea on port forwarding rules between two
> servers within the protected network.
>
> Thank you!
>
> Edison Cala

I think this would normally be handled using a 'fwd' rule (man ipfw),
but the manpage specifically states:

"A fwd rule will not match layer-2 packets (those received on
ether_input, ether_output, or bridged)."

So, I'm not sure how you could implement this when using ipfw on a
bridged interface.

Nathan

-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49
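The bypass Edison describes (mail reaching unit2.domain.com directly, skipping the unit1.domain.com anti-spam relay) can be confirmed from the Received: trail of messages already delivered to unit2. The script below is an added example, not code from the thread or from FreeBSD; it assumes Postfix-style "Received: from X ... by Y" headers, and both sample messages are constructed here.

```python
"""Flag messages delivered to unit2.domain.com whose last hop was not
unit1.domain.com, i.e. mail that bypassed the anti-spam relay.

Added example, not from the mailing-list thread. It walks the Received:
headers of an RFC 822 message (topmost header = most recent hop) and
reports a bypass when the hop that delivered to the final server did not
come from the relay. Hostnames come from the thread; the sample messages
below are constructed for this example."""
import email
import re

RELAY = "unit1.domain.com"   # first-priority MX, does the anti-spam work
FINAL = "unit2.domain.com"   # second-priority MX, should only hear from RELAY

# "from <host>" at the start of a Received value, and the first "by <host>"
FROM_RE = re.compile(r"^from\s+([\w.-]+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.IGNORECASE)


def received_hops(raw):
    """Return [(from_host, by_host), ...] in header order (newest first)."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        frm = FROM_RE.search(text)
        by = BY_RE.search(text)
        hops.append((frm.group(1).lower() if frm else None,
                     by.group(1).lower() if by else None))
    return hops


def bypassed_relay(raw):
    """True if the hop that delivered to FINAL did not originate at RELAY."""
    for frm, by in received_hops(raw):
        if by == FINAL:
            return frm != RELAY
    return False   # never reached FINAL, so nothing to flag


# Constructed sample: correct path, external sender -> unit1 -> unit2
GOOD = """Received: from unit1.domain.com (unit1.domain.com [10.0.0.1])
    by unit2.domain.com (Postfix) with ESMTP id ABC123
    for <user@domain.com>; Wed, 25 Feb 2004 09:00:45 -0600
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by unit1.domain.com (Postfix) with ESMTP id DEF456;
    Wed, 25 Feb 2004 09:00:40 -0600
From: sender@example.org
To: user@domain.com
Subject: constructed sample, relayed correctly

body
"""

# Constructed sample: sender connected straight to the secondary MX
BAD = """Received: from spam.example.net (unknown [198.51.100.7])
    by unit2.domain.com (Postfix) with ESMTP id 0BAD1DEA
    for <user@domain.com>; Wed, 25 Feb 2004 09:02:10 -0600
From: sender@example.net
To: user@domain.com
Subject: constructed sample, relay bypassed

body
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "bypassed relay:", bypassed_relay(raw))
```

Running this over the messages in unit2's mailstore shows how much traffic is arriving on the secondary MX without the relay's filtering; MX priority is only a hint to senders, so it cannot enforce the path. Restricting inbound port 25 on unit2 to connections from unit1 would stop the bypass at the network layer, but that is a separate change from the fwd rule the thread discusses.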