From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 6 06:46:37 2009
From: Alson Black <freealson@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Mon, 6 Jul 2009 14:23:38 +0800
Subject: Re: freebsd-ipfw Digest, Vol 323, Issue 4
In-Reply-To: <20090705120023.8845410656D4@hub.freebsd.org>
Nice message ever got...

On Sun, Jul 5, 2009 at 8:00 PM, wrote:

> Send freebsd-ipfw mailing list submissions to
>         freebsd-ipfw@freebsd.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> or, via email, send a message with subject or body 'help' to
>         freebsd-ipfw-request@freebsd.org
>
> You can reach the person managing the list at
>         freebsd-ipfw-owner@freebsd.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of freebsd-ipfw digest..."
>
>
> Today's Topics:
>
>    1. Reminder: Michael invited you to join Facebook... (Facebook)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 4 Jul 2009 14:25:14 -0700
> From: Facebook
> Subject: Reminder: Michael invited you to join Facebook...
> To: Ipfw
> Content-Type: text/plain; charset = "UTF-8"
>
> =======================================
> To sign up for Facebook, follow the link below:
>
> http://www.facebook.com/r.php?re=99d4e672e080ba96cc0d0e79dab01e38&mid=b9c5e8G41d79197G44b6a8G46
> =======================================
>
> Hi Ipfw,
>
> The following person recently invited you to be their friend on Facebook:
>
> Michael Sierchio
>
>
> Other people you may know on Facebook:
> Lynn Strough (East Bay, CA)
> Ishara Hudson (Santa Cruz, CA)
> Ericka Lutz (East Bay, CA)
> Gina Podesta
> Danny Santos (Berkeley)
> Helga Veideman (San Francisco, CA)
>
>
> Facebook is a great place to keep in touch with friends, post photos,
> videos and create events. But first you need to join! Sign up today to
> create a profile and connect with the people you know.
>
> Thanks,
> The Facebook Team
>
> To sign up for Facebook, follow the link below:
>
> http://www.facebook.com/r.php?re=99d4e672e080ba96cc0d0e79dab01e38&mid=b9c5e8G41d79197G44b6a8G46
>
> =======================================
> This message was intended for ipfw@freebsd.org. If you do not wish to
> receive this type of email from Facebook in the future, please click on the
> link below to unsubscribe.
>
> http://www.facebook.com/o.php?c&k=86cbe6&u=1104646551&mid=b9c5e8G41d79197G44b6a8G46
> Facebook's offices are located at 1601 S. California Ave., Palo Alto, CA
> 94304.
>
>
>
> ------------------------------
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>
> End of freebsd-ipfw Digest, Vol 323, Issue 4
> ********************************************
>

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 6 08:35:39 2009
From: Kim Attree <kim.attree@playsafesa.com>
To: freebsd-ipfw@freebsd.org
Date: Mon, 6 Jul 2009 10:36:18 +0200
Subject: Problem with source based policy routing
Hey Guys,

I'm having a problem with source-based policy routing in IPFW, I'm trying to run a load-balanced SMTP System over two links.

Primary link is re0, let's give it an IP of 192.168.1.1
Secondary link is re1, with an IP of 192.168.2.1

Default gateway for the box is 192.168.1.254 (so ALL outgoing traffic goes out of re0, unless hardcoded into the routing table for destinations instead)
Default gateway for re1 is 192.168.2.254

I want re1 to be able to accept SMTP, but respond to the originating IP over the same link re1 (instead of the default gateway).
With this in mind, I setup my NAT accordingly:

port 8669
alias_address 192.168.2.1
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp 10.0.0.1:25 192.168.2.1:25

And the IPFW rules such:

# NATD Statements
add 00097 divert 8668 all from any to any via re0
add 00097 divert 8669 all from any to any via re1
# Testing incoming SMTP over re1
add 00098 skipto 00100 tcp from any to not 192.168.2.1
add 00099 fwd 192.168.2.254 tcp from any to any

Tcpdump shows packets coming in:

#>Tcpdump -n -i re1 port 25
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on re1, link-type EN10MB (Ethernet), capture size 96 bytes
11:15:41.594659 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535
11:15:44.596798 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535
11:15:50.617271 IP xxx.xxx.xxx.xxx.2097 > 192.168.2.1.25: S 842708044:842708044(0) win 65535
^C
3 packets captured
566 packets received by filter
0 packets dropped by kernel

But nothing going out:

What am I doing wrong ???

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 6 11:07:00 2009
From: FreeBSD bugmaster <owner-bugmaster@FreeBSD.org>
To: freebsd-ipfw@FreeBSD.org
Date: Mon, 6 Jul 2009 11:07:00 GMT
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp. Description
--------------------------------------------------------------------------------
o kern/135476  ipfw  [ipfw] IPFW table breaks after adding a large number o
o bin/134975   ipfw  [patch] ipfw(8) can't work with set in rule file.
o kern/132553  ipfw  [ipfw] ipfw doesn't understand ftp-data port
o kern/131817  ipfw  [ipfw] blocks layer2 packets that should not be blocke
o kern/131601  ipfw  [ipfw] [panic] 7-STABLE panic in nat_finalise (tcp=0)
o kern/131558  ipfw  [ipfw] Inconsistent "via" ipfw behavior
o bin/130132   ipfw  [patch] ipfw(8): no way to get mask from ipfw pipe sho
o kern/129103  ipfw  [ipfw] IPFW check state does not work =(
o kern/129093  ipfw  [ipfw] ipfw nat must not drop packets
o kern/129036  ipfw  [ipfw] 'ipfw fwd' does not change outgoing interface n
o kern/128260  ipfw  [ipfw] [patch] ipfw_divert damages IPv6 packets
o kern/127230  ipfw  [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw  [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw  [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw  [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw  [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw  [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw  [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw  [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw  [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw  [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o bin/117214   ipfw  ipfw(8) fwd with IPv6 treats input as IPv4
o kern/116009  ipfw  [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw  [ipfw] [patch] unify message and add a rule number whe
o bin/115172   ipfw  [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw  [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw  [ipfw] [patch] Addition actions with rules within spec
o kern/112708  ipfw  [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw  [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw  [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw  [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw  [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw  [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw  [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw  [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw  [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw  [ipfw] ipfw has UDP hickups
o kern/97951   ipfw  [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw  [ipfw] IPFW Rules bug
o kern/95084   ipfw  [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw  [ipfw] ipfw pipe lost packets
o kern/91847   ipfw  [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw  [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw  [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw  [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw  [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw  [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw  [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw  [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw  [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw  [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw  [ipfw] install_state warning about already existing en
o kern/60719   ipfw  [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw  [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw  [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw  [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw  [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw  [ipfw] Add an option to ipfw to log gid/uid of who cau

59 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 6 13:33:59 2009
From: Giuliano Gavazzi <dev+lists@humph.com>
To: Kim Attree
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 6 Jul 2009 15:13:03 +0200
Subject: Re: Problem with source based policy routing

On M 6 Jul, 2009, at 10:36 , Kim Attree wrote:

>
> Hey Guys,
>
>
>
> I'm having a problem with source-based policy routing in IPFW, I'm
> trying to run a load-balanced SMTP System over two links.
>
> Primary link is re0, let's give it an IP of 192.168.1.1
> Secondary link is re1, with an IP of 192.168.2.1
>
> Default gateway for the box is 192.168.1.254 (so ALL outgoing
> traffic goes out of re0, unless hardcoded into the routing table for
> destinations instead)
> Default gateway for re1 is 192.168.2.254
>
> I want re1 to be able to accept SMTP, but respond to the originating
> IP over the same link re1 (instead of the default gateway).
> With this in mind, I setup my NAT accordingly:
>
>
> port 8669
> alias_address 192.168.2.1
> same_ports yes
> use_sockets yes
> log_ipfw_denied yes
> redirect_port tcp 10.0.0.1:25 192.168.2.1:25
>
>
> And the IPFW rules such:
>
>
> # NATD Statements
> add 00097 divert 8668 all from any to any via re0
> add 00097 divert 8669 all from any to any via re1
>

why NAT? Unless you also want to spread outgoing traffic from internal hosts, presumably based on dest port or network, then NAT is of no use (except the one via re0 that is presumably used for internal hosts).
Incoming packets don't need any rules as the gw 192.168.2.254 knows how to reach your host, you only need to fwd (that is to route) your outgoing packets according to the source. I have a similar setup (with also 2 NATs because I do use both gateways also for natted hosts).

The fwd rule would be very early, just after the loopback rules, UNLESS you want to block outgoing traffic on some ports:

add 50 fwd 192.168.2.254 src-ip 192.168.2.1 not dst-ip 192.168.2.1/24

That should do it.
NOTE: if you also do NAT on that port (re1), then you need this also after the corresponding nat rule.
But I urge you to distinguish between necessarily natted traffic (that is traffic coming from internal hosts) and traffic coming from the host itself, by using an alias on the same subnet (say 192.168.2.2) for the natted traffic. This way you avoid natting traffic that does not need it, and can easily distinguish between incoming traffic for your host (192.168.2.1) and for natted hosts (192.168.2.2).

Giuliano

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 6 13:34:38 2009
From: Kim Attree <kim.attree@playsafesa.com>
To: Giuliano Gavazzi
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 6 Jul 2009 15:35:15 +0200
Subject: RE: Problem with source based policy routing

> -----Original Message-----
> From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> Sent: 06 July 2009 03:13 PM
> To: Kim Attree
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: Problem with source based policy routing
>
>
> On M 6 Jul, 2009, at 10:36 , Kim Attree wrote:
>
> >
> > Hey Guys,
> >
> >
> >
> > I'm having a problem with source-based policy routing in IPFW, I'm
> > trying to run a load-balanced SMTP System over two links.
> >
> > Primary link is re0, let's give it an IP of 192.168.1.1
> > Secondary link is re1, with an IP of 192.168.2.1
> >
> > Default gateway for the box is 192.168.1.254 (so ALL outgoing
> > traffic goes out of re0, unless hardcoded into the routing table for
> > destinations instead)
> > Default gateway for re1 is 192.168.2.254
> >
> > I want re1 to be able to accept SMTP, but respond to the originating
> > IP over the same link re1 (instead of the default gateway).
> > With this in mind, I setup my NAT accordingly:
> >
> >
> > port 8669
> > alias_address 192.168.2.1
> > same_ports yes
> > use_sockets yes
> > log_ipfw_denied yes
> > redirect_port tcp 10.0.0.1:25 192.168.2.1:25
> >
> >
> > And the IPFW rules such:
> >
> >
> > # NATD Statements
> > add 00097 divert 8668 all from any to any via re0
> > add 00097 divert 8669 all from any to any via re1
> >
>
> why NAT? Unless you also want to spread outgoing traffic from internal
> hosts, presumably based on dest port or network, then NAT is of no use
> (except the one via re0 that is presumably used for internal hosts).
> Incoming packets don't need any rules as the gw 192.168.2.254 knows
> how to reach your host, you only need to fwd (that is to route) your
> outgoing packets according to the source. I have a similar setup (with
> also 2 NATs because I do use both gateways also for natted hosts).

I have one Internal Exchange server (don't laugh), and NAT handles the static mapping of IP/Port to that server. The original point here is to have two mapped NAT port 25's to the same internal Mail server, hence the addition of the NAT before and during the forward logic (obviously wrong though).

> The fwd rule would be very early, just after the loopback rules,
> UNLESS you want to block outgoing traffic on some ports:
>
> add 50 fwd 192.168.2.254 src-ip 192.168.2.1 not dst-ip 192.168.2.1/24
>
> That should do it.

Because the incoming traffic traverses NAT, this won't work:

192.168.2.254 --> 192.168.2.1(NAT:25) --> 10.0.0.1:25 --> 192.168.2.1(NAT) --> 192.168.2.254 --> World

The forward ends firewall rule processing, meaning the traffic can not carry on outbound by my logic.

> NOTE: if you also do NAT on that port (re1), then you need this also
> after the corresponding nat rule.
> But I urge you to distinguish between necessarily natted traffic (that
> is traffic coming from internal hosts) and traffic coming from the
> host itself, by using an alias on the same subnet (say 192.168.2.2)
> for the natted traffic. This way you avoid natting traffic that does
> not need it, and can easily distinguish between incoming traffic for
> your host (192.168.2.1) and for natted hosts (192.168.2.2).
>
>
> Giuliano

Thanks for your assistance, any further help would be greatly appreciated !!!

Kim

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 6 16:53:47 2009
From: Giuliano Gavazzi <dev+lists@humph.com>
To: Kim Attree
Cc: freebsd-ipfw@freebsd.org
Date: Mon, 6 Jul 2009 18:53:44 +0200
Subject: Re: Problem with source based policy routing

On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:

> I have one Internal Exchange server (don't laugh), and NAT handles
> the static mapping of IP/Port to that server. The original point
> here is to have two mapped NAT port 25's to the same internal Mail
> server, hence the addition of the NAT before and during the forward
> logic (obviously wrong though).
>

ah, if you want to have an internal server to be reachable on both public addresses, via the corresponding two firewall interfaces, you must have a way to tell the firewall how to distinguish the return packets in order to use the correct natd instance. If the internal exchange server port is the same, there is no way telling that. At most you could use the peer port, but even that would not be failproof, and I would not know how to proceed (I think dynamic rules can only establish holes - allow action - in the firewall, not a fwd action). So you must use two different ports or alias addresses on the exchange server, and divert to the appropriate outgoing natd instance on the basis of that.

I have not enough time at the moment to write down a complete workflow, but I hope this, with the remarks in my previous post, gives you enough hints.

Giuliano

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jul 7 07:19:52 2009
From: Kim Attree <kim.attree@playsafesa.com>
To: Giuliano Gavazzi
Cc: freebsd-ipfw@freebsd.org
Date: Tue, 7 Jul 2009 09:20:30 +0200
Subject: RE: Problem with source based policy routing

> -----Original Message-----
> From: Giuliano Gavazzi [mailto:dev+lists@humph.com]
> Sent: 06 July 2009 06:54 PM
> To: Kim Attree
> Cc: freebsd-ipfw@freebsd.org
> Subject: Re: Problem with source based policy routing
>
>
> On M 6 Jul, 2009, at 15:35 , Kim Attree wrote:
>
> > I have one Internal Exchange server (don't laugh), and NAT handles
> > the static mapping of IP/Port to that server. The original point
> > here is to have two mapped NAT port 25's to the same internal Mail
> > server, hence the addition of the NAT before and during the forward
> > logic (obviously wrong though).
> >
>
>
> ah, if you want to have an internal server to be reachable on both
> public addresses, via the corresponding two firewall interfaces, you
> must have a way to tell the firewall how to distinguish the return
> packets in order to use the correct natd instance. If the internal
> exchange server port is the same, there is no way telling that. At
> most you could use the peer port, but even that would not be
> failproof, and I would not know how to proceed (I think dynamic rules
> can only establish holes - allow action - in the firewall, not a fwd
> action). So you must use two different ports or alias addresses on the
> exchange server, and divert to the appropriate outgoing natd instance
> on the basis of that.
>
> I have not enough time at the moment to write down a complete
> workflow, but I hope this, with the remarks in my previous post, gives
> you enough hints.

It has, I realised that the return traffic needs differing source IPs - I've added another IP and SMTP Connector to Exchange and will test the theory out today.

>
> Giuliano

Thanks,

Kim

From owner-freebsd-ipfw@FreeBSD.ORG Wed Jul 8 07:57:19 2009
From: Beastie <beastie24@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 8 Jul 2009 10:36:44 +0300
Subject: ipfw nat proxy rules

Hi list.

I would like to put a question about ipfw nat proxy rules. The man page says that there is a "proxy_only" rule available. I know that ipfw nat uses the same libalias that natd does. The man page for natd says that we can use "proxy_rule" to define proxying settings, but I do not see this option in the ipfw nat man page.
Is proxying implemented in ipfw nat? How to use it (is "proxy_rule" available)?

Thanks.
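Returning to the two-link SMTP thread above: the following sh script is an added example, not Kim's or Giuliano's configuration, that puts Giuliano's two suggestions together: the source-keyed fwd rule placed before the NAT rules and again after the re1 natd divert, and a second internal alias on the mail server so that the reply's source address selects the right natd instance. The re0/re1 addresses and 10.0.0.1 come from the thread; the internal interface em0, the second mail-server address 10.0.0.2 (standing in for the extra IP Kim added to Exchange) and the natd ports 8668/8669 are assumptions, and the fwd action needs the IPFIREWALL_FORWARD kernel option on the FreeBSD of that era.

```shell
#!/bin/sh
# Added example: two public links, one internal mail server reachable on both.
# Dry-run by default (rules are printed). As root on the firewall, run with
# fwcmd="ipfw -q" in the environment to load them for real.

ext1_if=re0; ext1_ip=192.168.1.1; ext1_gw=192.168.1.254; ext1_net=192.168.1.0/24
ext2_if=re1; ext2_ip=192.168.2.1; ext2_gw=192.168.2.254; ext2_net=192.168.2.0/24
int_if=em0                # assumed internal interface
mail_a=10.0.0.1           # mail server address published via re0 (from the thread)
mail_b=10.0.0.2           # second alias on the same server, published via re1 (assumed)
natd_a=8668; natd_b=8669  # one natd instance per link (ports assumed)
fwcmd=${fwcmd:-echo}

# natd(8) configuration for one instance (feed it to `natd -f`). Each instance
# owns one public address and maps it to its own internal alias, so a reply
# coming from 10.0.0.2 can only belong to the re1 instance.
natd_conf() {
    case $1 in
    "$natd_a") cat <<EOF
port $natd_a
alias_address $ext1_ip
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp $mail_a:25 $ext1_ip:25
EOF
        ;;
    "$natd_b") cat <<EOF
port $natd_b
alias_address $ext2_ip
same_ports yes
use_sockets yes
log_ipfw_denied yes
redirect_port tcp $mail_b:25 $ext2_ip:25
EOF
        ;;
    *) echo "natd_conf: unknown natd instance $1" >&2; return 1 ;;
    esac
}

load_rules() {
    $fwcmd -f flush
    $fwcmd add 10 allow ip from any to any via lo0
    # The firewall's own packets sourced from re1's address leave through
    # re1's gateway instead of the default route (Giuliano's early rule,
    # written with from/to instead of src-ip/dst-ip). It sits before the
    # NAT rules so host traffic is never diverted.
    $fwcmd add 50 fwd $ext2_gw ip from $ext2_ip to not $ext2_net out
    # Inbound on each public link is untranslated by that link's natd.
    $fwcmd add 100 divert $natd_a ip from any to any in via $ext1_if
    $fwcmd add 110 divert $natd_b ip from any to any in via $ext2_if
    # Replies: the internal SOURCE address, not the interface, selects the
    # natd instance. An "out via re1" match could never work here, because
    # the default route sends both replies toward re0.
    $fwcmd add 200 divert $natd_a ip from $mail_a to any out
    $fwcmd add 210 divert $natd_b ip from $mail_b to any out
    # natd $natd_b has rewritten the source to re1's address by now; the
    # second copy of the fwd rule ("also after the corresponding nat rule")
    # steers the translated reply to re1's gateway.
    $fwcmd add 220 fwd $ext2_gw ip from $ext2_ip to not $ext2_net out
    # Only the two published SMTP listeners accept new inbound connections.
    $fwcmd add 300 allow tcp from any to any established
    $fwcmd add 310 allow tcp from any to $mail_a 25 in via $ext1_if setup
    $fwcmd add 320 allow tcp from any to $mail_b 25 in via $ext2_if setup
    $fwcmd add 330 allow ip from any to any in via $int_if
    # Outbound NAT for other internal hosts is out of scope for this example.
    $fwcmd add 340 allow ip from any to any out
    $fwcmd add 65000 deny log ip from any to any
}

printf '# natd -f config, instance %s\n' "$natd_a"; natd_conf "$natd_a"
printf '# natd -f config, instance %s\n' "$natd_b"; natd_conf "$natd_b"
printf '# ipfw rules\n'; load_rules
```

The two fwd copies matter in different passes: rule 50 catches packets the firewall itself sends from 192.168.2.1, rule 220 catches mail-server replies only after natd has given them that source.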