Date:      Thu, 16 Jul 2009 12:12:34 +0200
From:      Kim Attree <kim.attree@playsafesa.com>
To:        Kim Attree <kim.attree@playsafesa.com>
Cc:        "freebsd-ipfw@freebsd.org" <freebsd-ipfw@freebsd.org>
Subject:   RE: Problem with source based policy routing
Message-ID:  <00265389C30B444288C246DF37651D0C37970A1028@server-02.playsafesa.com>
In-Reply-To: <00265389C30B444288C246DF37651D0C37698F395A@server-02.playsafesa.com>
References:  <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com> <E5834FA3-2CC4-4192-9A26-0C4914B782A2@humph.com> <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com> <D99BAF63-5F9C-49BC-AE5B-2652B1F6BDC7@humph.com> <00265389C30B444288C246DF37651D0C37698F395A@server-02.playsafesa.com>

> -----Original Message-----
> From: owner-freebsd-ipfw@freebsd.org [mailto:owner-freebsd-
> ipfw@freebsd.org] On Behalf Of Kim Attree
> Sent: 07 July 2009 09:21 AM
> To: Giuliano Gavazzi
> Cc: freebsd-ipfw@freebsd.org
> Subject: RE: Problem with source based policy routing
>
> > -----Original Message-----
> > From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> > Sent: 06 July 2009 06:54 PM
> > To: Kim Attree
> > Cc: freebsd-ipfw@freebsd.org
> > Subject: Re: Problem with source based policy routing
> >
> >
> > On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:
> >
> > > I have one Internal Exchange server (don't laugh), and NAT handles
> > > the static mapping of IP/Port to that server. The original point
> > > here is to have two mapped NAT port 25's to the same internal Mail
> > > server, hence the addition of the NAT before and during the forward
> > > logic (obviously wrong though).
> > >
> >
> >
> > ah, if you want to have an internal server to be reachable on both
> > public addresses, via the corresponding two firewall interfaces, you
> > must have a way to tell the firewall how to distinguish the return
> > packets in order to use the correct natd instance. If the internal
> > exchange server port is the same, there is no way telling that. At
> > most you could use the peer port, but even that would not be
> > failproof, and I would not know how to proceed (I think dynamic rules
> > can only establish holes - allow action - in the firewall, not a fwd
> > action). So you must use two different ports or alias addresses on
> the
> > exchange server, and divert to the appropriate outgoing natd instance
> > on the basis of that.
> >
> > I have not enough time at the moment to write down a complete
> > workflow, but I hope this, with the remarks in my previous post,
> gives
> > you enough hints.
>
> It has, I realised that the return traffic needs differing source IPs
> - I've added another IP and SMTP Connector to exchange and will test
> the theory out today.

SUCCESS !!!!!

I set up the Microsoft server to have a second SMTP connector on 10.0.0.2:588

NATD setup as follows:

<snip>
port 8669
alias_address 192.168.2.1

same_ports yes
use_sockets yes
log_ipfw_denied yes

redirect_port tcp 10.0.0.2:588 192.168.2.1:25
</snip>

Then, in IPFW:

(Making sure packets hit the NAT first...:)

<snip>
add 00079 divert 8669 all from any to any via re1

add 00080 skipto 00082 all from 10.0.0.2 to 10.0.0.0/20
add 00080 skipto 00082 all from not 10.0.0.2 to any
add 00081 fwd 192.168.2.254 all from 10.0.0.2 to any
</snip>

And a quick test from an outside server 12000 miles away:

<snip>
[root@bubbles ~]# telnet 192.168.2.1 25
Trying 192.168.2.1...
Connected to 192.168.2.1.
Escape character is '^]'.
220 xxx.xxx.com Microsoft ESMTP MAIL Service ready at Thu, 16 Jul 2009 12:10:51 +0200
quit
221 2.0.0 Service closing transmission channel
Connection closed by foreign host.
</snip>

Thanks again Giuliano !!!

Kim Attree

>
>
> >
> > Giuliano
>
> Thanks,
>
> Kim
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
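To make the rule ordering in Kim's working setup easier to follow, here is an added simulation (not code from the thread or from FreeBSD) that transcribes the quoted natd redirect and the ipfw rules into a small evaluator with ipfw's first-match and skipto semantics. Interface matching ("via re1"), the internal interface name "em0" and the test addresses are assumptions; it shows that only traffic sourced from the second connector address 10.0.0.2 and leaving the 10.0.0.0/20 block is policy-routed to 192.168.2.254, while everything else falls through to the default route.

```python
import ipaddress

# Constructed transcription of the natd redirect and the ipfw rules quoted in
# the message above. "via re1" is reduced to a plain interface-name check.
NATD_REDIRECT = {("192.168.2.1", 25): ("10.0.0.2", 588)}   # redirect_port tcp
FWD_GATEWAY = "192.168.2.254"

RULES = [
    # (number, action, argument, src spec, dst spec, via interface)
    (79, "divert", 8669, "any", "any", "re1"),
    (80, "skipto", 82, "10.0.0.2", "10.0.0.0/20", None),
    (80, "skipto", 82, "!10.0.0.2", "any", None),
    (81, "fwd", FWD_GATEWAY, "10.0.0.2", "any", None),
]


def addr_match(spec, addr):
    """ipfw-style address spec: 'any', 'a.b.c.d', 'a.b.c.d/n', or '!spec'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_match(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def nat_inbound(dst_ip, dst_port):
    """What natd's redirect_port does to an inbound packet arriving on re1."""
    return NATD_REDIRECT.get((dst_ip, dst_port), (dst_ip, dst_port))


def route(src, dst, iface):
    """Walk the rules in order with skipto semantics; return (diverted, next hop)."""
    diverted = False
    i = 0
    while i < len(RULES):
        num, action, arg, s_spec, d_spec, via = RULES[i]
        if (via is None or via == iface) and addr_match(s_spec, src) and addr_match(d_spec, dst):
            if action == "divert":
                diverted = True          # handed to natd, then re-enters at the next rule
            elif action == "skipto":
                # jump to the first rule numbered >= arg; none exists here, so
                # the packet falls through to the default route
                i = next((j for j, r in enumerate(RULES) if r[0] >= arg), len(RULES))
                continue
            elif action == "fwd":
                return (diverted, arg)   # policy-routed to the second gateway
        i += 1
    return (diverted, "default")
```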
