From: Giuliano Gavazzi
To: Kim Attree
Cc: "freebsd-ipfw@freebsd.org"
Date: Mon, 6 Jul 2009 18:53:44 +0200
Subject: Re: Problem with source based policy routing
In-Reply-To: <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
References: <00265389C30B444288C246DF37651D0C37637A1893@server-02.playsafesa.com> <00265389C30B444288C246DF37651D0C37698F3933@server-02.playsafesa.com>
List-Id: IPFW Technical Discussions

On Mon, 6 Jul 2009, at 15:35, Kim Attree wrote:
> I have one Internal Exchange server (don't laugh), and NAT handles
> the static mapping of IP/Port to that server. The original point
> here is to have two mapped NAT port 25's to the same internal Mail
> server, hence the addition of the NAT before and during the forward
> logic (obviously wrong though).
Ah, if you want to have an internal server reachable on both public addresses, via the corresponding two firewall interfaces, you must have a way to tell the firewall how to distinguish the return packets in order to use the correct natd instance. If the internal Exchange server port is the same, there is no way of telling that. At most you could use the peer port, but even that would not be failproof, and I would not know how to proceed (I think dynamic rules can only establish holes - allow action - in the firewall, not a fwd action). So you must use two different ports or alias addresses on the Exchange server, and divert to the appropriate outgoing natd instance on the basis of that.

I have not enough time at the moment to write down a complete workflow, but I hope this, with the remarks in my previous post, gives you enough hints.

Giuliano
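The ruleset below is an added example, not part of the thread and not Giuliano's or Kim's configuration. It shows the "two different ports" variant of the suggestion: the Exchange server listens on 25 and 2525, each natd instance redirects public port 25 on its own uplink to one of those listeners, and ipfw uses the reply's source port to pick the natd instance and the gateway. Interface names (em0/em1/em2), addresses, divert ports and the 2525 listener are assumptions for illustration; FWCMD, NATD and SYSCTL can be pointed at `echo` to dry-run the script on a non-FreeBSD box.

```shell
#!/bin/sh
# Dual-uplink FreeBSD gateway with one internal mail server reachable on both
# public addresses. One natd instance per uplink; the server listens on two
# ports so the firewall can tell replies apart. All values are assumptions.

wan_a=em0;  ip_a=198.51.100.10;  gw_a=198.51.100.1;  natd_a=8668   # uplink A (default route)
wan_b=em1;  ip_b=203.0.113.10;   gw_b=203.0.113.1;   natd_b=8669   # uplink B
lan=em2;    lan_net=192.168.1.0/24
mail=192.168.1.25      # internal Exchange server (assumed address)
mail_port_a=25         # listener reached through uplink A
mail_port_b=2525       # listener reached through uplink B (assumed second listener)

# One natd per uplink. Each maps public port 25 on its own address to the
# listener belonging to that uplink, so the reply source ports differ.
start_natd() {
    natd="${NATD:-/sbin/natd}"
    ${natd} -p "${natd_a}" -n "${wan_a}" -redirect_port tcp "${mail}:${mail_port_a}" 25
    ${natd} -p "${natd_b}" -n "${wan_b}" -redirect_port tcp "${mail}:${mail_port_b}" 25
}

load_rules() {
    fwcmd="${FWCMD:-/sbin/ipfw}"
    sysctl="${SYSCTL:-/sbin/sysctl}"

    # A packet coming back from a divert socket must keep walking the rules,
    # otherwise the fwd rule below never sees the aliased reply.
    ${sysctl} net.inet.ip.fw.one_pass=0
    ${fwcmd} -f flush

    # Inbound on each uplink: de-alias with that uplink's natd. The packet
    # re-enters at the next rule with the internal address as destination.
    ${fwcmd} add 1000 divert "${natd_a}" ip from any to "${ip_a}" in recv "${wan_a}"
    ${fwcmd} add 1010 divert "${natd_b}" ip from any to "${ip_b}" in recv "${wan_b}"
    ${fwcmd} add 1100 allow tcp from any to "${mail}" "${mail_port_a}" in recv "${wan_a}"
    ${fwcmd} add 1110 allow tcp from any to "${mail}" "${mail_port_b}" in recv "${wan_b}"
    # Return traffic for LAN-originated connections (natd A already de-aliased it).
    ${fwcmd} add 1200 allow ip from any to "${lan_net}" in recv "${wan_a}"

    # Replies from the uplink-B listener, seen on the LAN side: alias them with
    # natd B (source becomes ip_b:25) and force them to uplink B's gateway.
    ${fwcmd} add 2000 divert "${natd_b}" tcp from "${mail}" "${mail_port_b}" to any in recv "${lan}"
    ${fwcmd} add 2010 fwd "${gw_b}" tcp from "${ip_b}" 25 to any in recv "${lan}"
    ${fwcmd} add 2020 allow ip from "${ip_b}" to any out xmit "${wan_b}"

    # Everything else from the LAN, including replies from the port-25
    # listener, follows the default route to uplink A and is aliased there.
    ${fwcmd} add 3000 allow ip from "${lan_net}" to any in recv "${lan}"
    ${fwcmd} add 3010 divert "${natd_a}" ip from "${lan_net}" to any out xmit "${wan_a}"
    ${fwcmd} add 3020 allow ip from "${ip_a}" to any out xmit "${wan_a}"

    # Delivery towards the LAN, then a logged default deny.
    ${fwcmd} add 4000 allow ip from any to "${lan_net}" out xmit "${lan}"
    ${fwcmd} add 65000 deny log ip from any to any
}
```

The two rules that do the work are 2000 and 2010: the reply is recognised by its source port (2525), aliased by the uplink-B natd, and then forwarded to the uplink-B gateway instead of following the default route. This only works with net.inet.ip.fw.one_pass=0, because with the default one_pass=1 the packet returning from the divert socket is accepted immediately and never reaches the fwd rule. The alias-address variant Giuliano mentions is the same structure with the Exchange server bound to a second internal address, natd B redirecting to that address, and rule 2000 keyed on the source address instead of the source port.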