From: "B Franks" <bsf_40@hotmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 03 Jul 2003 17:53:51 +0000
Subject: ipfw/natd/divert question

I'd like to come up with a ruleset that handles the following example. Suppose I have a daemon listening on port 2000 and I'd like outside clients to be able to communicate with the daemon by addressing traffic to port 2000 or port 2001. So, suppose I have for my natd configuration:

    -redirect_port tcp 1.2.3.4:2000 1.2.3.4:2001

And then in my ipfw ruleset, if I use:

    add 100 divert natd tcp from any to 1.2.3.4 2001 in via rl0
    add 101 divert natd tcp from 1.2.3.4 2000 to any out via rl0

It seems that traffic coming in normally to 1.2.3.4:2000 would enter fine. And traffic coming into 1.2.3.4:2001 would be diverted to natd, which would rewrite the destination port as 1.2.3.4:2000. So far so good.
But my concern is with the 101 ipfw rule... wouldn't it always rewrite traffic leaving from 1.2.3.4:2000 as 1.2.3.4:2001? In which case, is there a way to distinguish the outbound divert to only take place if the traffic was initially diverted on the way in... some sort of divert keep-state?

Thanks for any help or explanations.
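As an added illustration (constructed here, not from the post and not natd's own code), the following Python models the distinction the question turns on: an outbound port rewrite keyed on nothing versus one keyed on state recorded when the matching inbound packet was translated. The 1.2.3.4 address and ports 2000/2001 are the post's; the client addresses are made up.

```python
"""Constructed model of the post's question (not natd or ipfw code).

A direct client hits 1.2.3.4:2000; a redirected client hits :2001 and is
rewritten to :2000 inbound. Unkeyed outbound rewriting flips every reply
from :2000 to :2001 (breaking direct clients); a state-keyed rewrite only
touches replies to flows that were translated on the way in.
"""
from typing import Dict, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
HOST, REAL_PORT, ALIAS_PORT = "1.2.3.4", 2000, 2001


class StatefulRedirect:
    """Keyed translation: remember each inbound flow that was rewritten."""

    def __init__(self) -> None:
        # (client_ip, client_port) -> alias port the client addressed
        self.state: Dict[Tuple[str, int], int] = {}

    def inbound(self, pkt: Flow) -> Flow:
        src_ip, src_port, dst_ip, dst_port = pkt
        if dst_ip == HOST and dst_port == ALIAS_PORT:
            self.state[(src_ip, src_port)] = ALIAS_PORT
            return (src_ip, src_port, HOST, REAL_PORT)
        return pkt

    def outbound(self, pkt: Flow) -> Flow:
        src_ip, src_port, dst_ip, dst_port = pkt
        alias = self.state.get((dst_ip, dst_port))
        if src_ip == HOST and src_port == REAL_PORT and alias is not None:
            return (HOST, alias, dst_ip, dst_port)  # reply leaves as :2001
        return pkt  # direct client: reply left alone

def stateless_outbound(pkt: Flow) -> Flow:
    """What the post fears rule 101 does: rewrite every reply from :2000."""
    src_ip, src_port, dst_ip, dst_port = pkt
    if src_ip == HOST and src_port == REAL_PORT:
        return (HOST, ALIAS_PORT, dst_ip, dst_port)
    return pkt

def simulate() -> Dict[str, Tuple[Flow, Flow]]:
    """Replies to a direct and a redirected client (constructed addresses)."""
    nat = StatefulRedirect()
    nat.inbound(("10.0.0.5", 40000, HOST, REAL_PORT))   # direct client
    nat.inbound(("10.0.0.6", 40001, HOST, ALIAS_PORT))  # redirected client
    direct: Flow = (HOST, REAL_PORT, "10.0.0.5", 40000)
    redir: Flow = (HOST, REAL_PORT, "10.0.0.6", 40001)
    return {"stateless": (stateless_outbound(direct), stateless_outbound(redir)),
            "stateful": (nat.outbound(direct), nat.outbound(redir))}
```

Running simulate() shows the unkeyed scheme sending the direct client a reply from :2001 it never addressed, while the keyed scheme rewrites only the redirected client's reply.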