From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 16 17:20:43 2003
Date: Wed, 16 Apr 2003 17:20:31 -0700
From: Darren Pilgrim
To:
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL
Message-Id: <20030416172031.5497fc18.dmp@pantherdragon.org>
In-Reply-To: <000001c30470$f9d63840$3401a8c0@neptune>
References: <20030416144035.1f7711e1.dmp@pantherdragon.org> <000001c30470$f9d63840$3401a8c0@neptune>
List-Id: IPFW Technical Discussions

"C_Ahlers" wrote:
>Am I missing something?
>
>If I do:
>
>(...)
>ipfw add divert natd all from any to any via $oif
>ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif
>(...)
>
>And say, client b.b.b.57 attempts to connect to a.a.a.15:80 - the
>forward rule will send out AS IS to b.b.b.100:80 on the internal
>interface
>
>1) No NAT will occur because NAT is setup only on external interface

Correct.

>2) The packet's dest ipaddr is not changed: it is still a.a.a.15, and
>will not be routed to anything on b.b.b.0/24

The forwarding behaviour is explained in ipfw(8).

>Do I need to NAT on $iif as well?

Probably, unless you don't need the webserver to answer from the address the client expects it to.