From: Cristian Ursuleanu
To: Jose Hidalgo Herrera
cc: Thomas Wolf
cc: freebsd-ipfw@freebsd.org
Date: Mon, 20 Sep 2004 23:12:36 +0300 (EEST)
Subject: Re: ipfw & natd
In-Reply-To: <1095699476.14974.13.camel@jose.hostarica.net>
Message-ID: <20040920230225.Y58694@debug.ro>
References: <20040920084359.eei75hutjsgs88@.mailhost.wsf.at> <1095699476.14974.13.camel@jose.hostarica.net>
List-Id: IPFW Technical Discussions

You are right! But I did some tests and it seems to work only when:

    net.inet.ip.fw.one_pass=0

If net.inet.ip.fw.one_pass=0 then packets are reinjected into the firewall, and when net.inet.ip.fw.one_pass=1 they are not.

I use FreeBSD 4.10-STABLE and ipfw1.

"net.inet.ip.fw.one_pass: 1
 Forces a single pass through the firewall. If set to 0, packets coming out of a pipe will be reinjected into the firewall starting with the rule after the matching one."

On Mon, 20 Sep 2004, Jose Hidalgo Herrera wrote:

> You are right, but Thomas too!
>
> What is missing here is:
> # sysctl -w net.inet.ip.fw.one_pass=1
>
> Use the divert first; with one_pass=1 the packet will
> be reinjected and your fwd rule will work just fine.
>
> --- this will do
> sysctl -w net.inet.ip.fw.one_pass=1
>
> natd -p 8668 -interface rl0
> natd -p 8669 -interface rl1
>
> ipfw add 1000 divert 8668 all from any to any rl0
> ipfw add 2000 divert 8669 all from any to any rl1
> ipfw add 2010 fwd 5.6.7.8 tcp from 10.0.0.0/24 to any 80 out recv ed0
> ---
> --
> Jose Hidalgo
> PGP: 15524480
> jose at hostarica.com
> http://www.hostarica.com