Date: Sun, 28 Jan 2001 13:20:28 -0800
From: "Crist J. Clark"
To: Kal Torak
Cc: FreeBSD-stable
Subject: Re: ipfw forwarding (more info)
Message-ID: <20010128132028.W10761@rfx-216-196-73-168.users.reflex>
Reply-To: cjclark@alum.mit.edu
References: <3A72CB47.7A5DD83@quake.com.au> <20010127220257.B28504@nevermind.kiev.ua> <3A732BE9.F559820D@quake.com.au> <3A732EFB.E7E743BA@quake.com.au> <20010127170621.M10761@rfx-216-196-73-168.users.reflex> <3A7411CF.816DA573@quake.com.au>
In-Reply-To: <3A7411CF.816DA573@quake.com.au>; from kaltorak@quake.com.au on Sun, Jan 28, 2001 at 11:34:23PM +1100

On Sun, Jan 28, 2001 at 11:34:23PM +1100, Kal Torak wrote:
> > > After some more fiddling around, I have noticed that the ipfw rule is
> > > hit, but nothing seems to happen... The data just continues on to the
> > > local port instead of being forwarded to the remote one...
> >
> > Are you sure? Please try,
> >
> > # tcpdump -i -en port 27015
> >
> > On each interface that would be involved.
> >
> > > Maybe I am missing something that needs to be loaded for this to work?
> >
> > No, forwarding is all in the kernel (or KLD module).
> >
> > But I suspect you really don't want to forward packets, but actually
> > want to do NAT.
>
> Yeah, using the redirect_port option in natd works, but I don't understand
> why it doesn't work with ipfw... I thought natd might be stopping, but even
> having the fwd rule before the divert to natd rule doesn't change anything..
> Does ipfw fwd even work to remote machines?

Yes, it works. No, it does not work how you want it to. The 'fwd'
directive does exactly what it says, it forwards a packet to some
location. What it does NOT do is change the packet in any way. That is,
when you forward a packet to another machine, the packet arrives at the
next machine (or next hop on the way there) with the destination IP
address unchanged from the original packet. I doubt the machine you are
sending this to does anything with a packet not addressed to it.

> It would be better to do this with ipfw,

ipfw(8) does not do NAT. Besides the fact you want the 'fwd' rule to
actually rewrite the packet, what happens to the return traffic? Where
is the rule to change addresses back? You need to maintain a state table
of all of the NAT'ed connections. There is a reason FreeBSD chose the
path of doing NAT in userspace.

> since you can add rules on the fly,
> but with natd you need to kill it to change those settings...

But how often are you changing these things?

> Would ipf be
> better maybe?

See ipnat(1,5).
--
Crist J. Clark
cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
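The distinction Crist draws above (fwd changes only where the packet goes next and leaves the destination address alone, while natd's redirect_port rewrites the destination and keeps a state table so the reply can be rewritten back) is modelled in the following added example; it is not ipfw or natd code, and every address and port except 27015 is constructed.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    next_hop: str = ""

CLIENT = "198.51.100.7"   # constructed: remote client on the Internet
GATEWAY = "203.0.113.1"   # constructed: public side of the ipfw/natd box
SERVER = "192.168.1.10"   # constructed: LAN host that should receive the port
PORT = 27015              # the port from the thread

def ipfw_fwd(pkt, target):
    """'ipfw add fwd target ...': change the next hop, touch no header."""
    return replace(pkt, next_hop=target)

def host_accepts(host, pkt):
    """A host processes only packets whose destination address is its own."""
    return pkt.dst == host

class Natd:
    """natd -redirect_port: rewrite dst inbound, keep state for the reply."""
    def __init__(self, redirects):
        self.redirects = redirects  # (public ip, port) -> (private ip, port)
        self.state = {}             # (private, client, cport) -> (public ip, port)
    def inbound(self, pkt):
        target = self.redirects.get((pkt.dst, pkt.dport))
        if target is None:
            return pkt
        self.state[(target, pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=target[0], dport=target[1], next_hop=target[0])
    def outbound(self, pkt):
        public = self.state.get(((pkt.src, pkt.sport), pkt.dst, pkt.dport))
        if public is None:
            return pkt
        return replace(pkt, src=public[0], sport=public[1])

def fwd_is_accepted():
    """The fwd'ed packet reaches SERVER still addressed to GATEWAY: dropped."""
    pkt = ipfw_fwd(Packet(CLIENT, 40000, GATEWAY, PORT), SERVER)
    return host_accepts(SERVER, pkt)

def nat_round_trip():
    """Inbound redirect reaches SERVER; the reply leaves with GATEWAY as source."""
    natd = Natd({(GATEWAY, PORT): (SERVER, PORT)})
    inb = natd.inbound(Packet(CLIENT, 40000, GATEWAY, PORT))
    reply = natd.outbound(Packet(inb.dst, inb.dport, inb.src, inb.sport))
    return host_accepts(SERVER, inb), reply.src, reply.sport, reply.dst
```

Without the state table the reply from SERVER would leave with a private source address, which is the return-traffic problem the message points out.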