From owner-freebsd-questions@FreeBSD.ORG Mon Jan 29 14:51:33 2007
Message-Id: <30CEBFA6-45A9-4D82-92D9-1795DA47A14D@ptserv.net>
To: freebsd-questions@freebsd.org
From: Chris
Date: Mon, 29 Jan 2007 06:34:06 -0800
Subject: ipfw fwd command
List-Id: User questions

I'm hooking up a second T1 to a FreeBSD 6.2 apache webserver. Its use is to be extremely simplistic, having no NAT, no load balancing nor even failover capabilities.

I'd like for packets entering on either interface to leave on the interface they arrived on. From what I've read, this can be done by:

1. Compile and install kernel with IPFIREWALL_FORWARD
2. ifconfig the new additional ethernet card
3. modify apache Listen
4. add security and forwarding statements to ipfw

The last step concerns me because ipfw's fwd command in man is not really discussed in detail to determine that this is what it's for. What I've read suggests that given:

x.y.z.1 = new T1 Router gateway, new ISP
x.y.z.2 = new IP for the server on new NIC
a.b.c.1 = existing T1 Router gateway, current ISP
a.b.c.2 = existing IP existing NIC (is defaultrouter)

I should be able to put in:

ipfw add fwd x.y.z.1 ip from x.y.z.2 to any

The question is, will this actually allow packets arriving on the interface with x.y.z.2 to return back out that interface without impact to the existing configuration and routing? If so, should this command appear early in the rule list or following the security oriented rules for the new interface (e.g., after allowing port 80 in and established connections out)?

I'm not subscribed to the list so please do reply to me also.

Thank you,
Chris
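An added example, not from Chris's post: a dry-run script that emits an ipfw rule set for the dual-homed setup described above, using the post's placeholder addresses. The rule numbers, the interface name em1, the /24 prefix of the new subnet and the IPFW variable are assumptions; the rule order encodes the fact that both allow and fwd terminate the rule search.

```shell
#!/bin/sh
# Emit ipfw rules so replies sourced from the second ISP's address leave
# via that ISP's gateway, while the first ISP keeps the default route.
ISP2_GW="x.y.z.1"      # new T1 router gateway (placeholder from the post)
ISP2_IP="x.y.z.2"      # server address on the new NIC (from the post)
ISP2_NET="x.y.z.0/24"  # assumed: subnet directly attached to the new NIC
ISP2_IF="em1"          # assumed: interface name of the new NIC

# IPFW defaults to "echo", so running the script only prints the rules.
# On the firewall host (kernel built with IPFIREWALL_FORWARD) set
# IPFW=/sbin/ipfw to load them.
: "${IPFW:=echo}"

# Rule order matters: "allow" and "fwd" both stop the search, so the fwd
# rule must precede any allow rule that can match the same outbound
# packets (e.g. the "established" rule below). Otherwise replies are
# allowed out through the default route and never redirected.
isp2_rules() {
    # Traffic to the directly attached subnet needs no redirection.
    $IPFW add 100 allow ip from "$ISP2_IP" to "$ISP2_NET" out
    # Everything else sourced from the new address: next hop is ISP2_GW.
    $IPFW add 110 fwd "$ISP2_GW" ip from "$ISP2_IP" to any out
    # Filtering for the new interface comes after the fwd rule.
    $IPFW add 200 allow tcp from any to "$ISP2_IP" 80 in via "$ISP2_IF" setup
    $IPFW add 210 allow tcp from any to any established
    $IPFW add 220 deny log ip from any to any in via "$ISP2_IF"
}

# Dry-run check: the first fwd rule must appear before the first rule
# matching established connections. Exit status 0 means the order is right.
fwd_precedes_established() {
    isp2_rules | awk '
        /fwd/ && !seen_fwd { seen_fwd = NR }
        /established/ && !seen_est { seen_est = NR }
        END { exit !(seen_fwd && seen_est && seen_fwd < seen_est) }'
}

isp2_rules
```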