Date:      Tue, 03 Aug 2004 12:40:11 -0400
From:      Chuck Swiger <cswiger@mac.com>
To:        "Hakim Z. Singhji" <hakim.singhji@earthlink.net>
Cc:        questions@freebsd.org
Subject:   Re: Questions on IPFW???
Message-ID:  <410FBFEB.3060508@mac.com>
In-Reply-To: <11420531.1091550155733.JavaMail.root@waldorf.psp.pas.earthlink.net>
References:  <11420531.1091550155733.JavaMail.root@waldorf.psp.pas.earthlink.net>

Hakim Z. Singhji wrote:
> Question, when NAT overloading is it possible to use only IPFW rules to
> pass TCP/UDP packets to remote ip addresses within the network?

I don't know what "NAT overloading" means.

It is possible to use only IPFW rules to pass TCP & UDP packets from one 
interface to another using the fwd action.  However, note that:

           The fwd action does not change the contents of the packet at all.
           In particular, the destination address remains unmodified, so
           packets forwarded to another system will usually be rejected by
           that system unless there is a matching rule on that system to
           capture them.  For packets forwarded locally, the local address
           of the socket will be set to the original destination address of
           the packet.  This makes the netstat(1) entry look rather weird
           but is intended for use with transparent proxy servers.

> Or do you have to use natd...because IPFW allows you to execute
> the following for example:
> ****************************************************
> ip from 192.168.99.100 80 to 192.168.99.101 9981
> ****************************************************

That's the body of an IPFW rule which matches packets with those attributes. 
Without an action ("allow", "deny", "fwd"), what you've written isn't a 
complete rule: it doesn't mean anything by itself.

> or even in conjunction with a dummynet rule of some sort?

Um.  Do you understand the question you are asking?

I don't-- perhaps try using a complete sentence.  Better yet, why don't you 
tell us what your network looks like and what you want to do.  You most likely 
will receive answers which are more specific and more useful to you...

-- 
-Chuck

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?410FBFEB.3060508>
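The practical consequence of the ipfw(8) text quoted above is worth seeing in code. natd (reached through a "divert" rule) rewrites addresses and ports, so the far end sees normal packets; "fwd" rewrites nothing, so the only thing that can usefully receive a fwd'd TCP connection on the gateway itself is a transparent proxy, and that proxy must ask the kernel where the client was really going. On FreeBSD the answer comes back as the local address of the accepted socket, i.e. from getsockname(). The following is an added example, not code from this thread or from FreeBSD; it assumes a hypothetical gateway rule of the form "ipfw add 100 fwd 127.0.0.1,3128 tcp from 192.168.99.0/24 to any 80 in via em0" (interface, network and port are made up), a listener on 127.0.0.1:3128, and, for FreeBSD releases of this era, a kernel built with "options IPFIREWALL_FORWARD", without which fwd does nothing. The loopback_demo() function exercises the relay offline against a constructed echo server, standing in a stub resolver for the fwd'd getsockname() result, and also shows the failure mode: a connection that reaches the proxy directly (not via fwd) reports the proxy's own address as its "original destination", and forwarding it onward would loop back into the proxy, so it is refused.

```python
"""Transparent TCP proxy on the receiving end of an ipfw fwd rule (added
example, not code from the thread).  Assumed, hypothetical gateway rule:
    ipfw add 100 fwd 127.0.0.1,3128 tcp from 192.168.99.0/24 to any 80 in via em0
fwd leaves the packet untouched, so the kernel hands the connection to the
socket listening on 127.0.0.1:3128 but sets that socket's *local* address to
the destination the client originally dialled; getsockname() recovers it."""
import socket
import threading

PROXY_ADDR = ("127.0.0.1", 3128)   # assumed listener; must match the fwd target
BUFSIZE = 4096


def original_destination(conn):
    """(host, port) the client really dialled: the fwd'd socket's local address
    (the 'weird' netstat entry).  For a direct connection it is our own address."""
    host, port = conn.getsockname()[:2]
    return (host, port)


def pump(src, dst):
    """Copy src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while data := src.recv(BUFSIZE):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay(client, upstream):
    """Bidirectional copy; returns once both directions have drained."""
    workers = [threading.Thread(target=pump, args=pair)
               for pair in ((client, upstream), (upstream, client))]
    for w in workers:
        w.start()
    for w in workers:
        w.join()
    client.close()
    upstream.close()


def handle_client(client, proxy_addr=PROXY_ADDR, resolver=original_destination):
    """Serve one accepted connection; returns the (host, port) proxied to, or
    None if refused.  A recovered destination equal to the proxy itself means
    the connection was not fwd'd; connecting onward would loop back into us."""
    target = resolver(client)
    if target == proxy_addr:
        client.close()
        return None
    upstream = socket.create_connection(target, timeout=10)
    relay(client, upstream)
    return target


def loopback_demo():
    """Offline check without ipfw: a constructed echo server stands in for the
    origin, a stub resolver for the fwd'd getsockname() result.
    Returns (bytes echoed through the proxy, [fwd outcome, direct outcome])."""
    echo = socket.create_server(("127.0.0.1", 0))
    echo_addr = echo.getsockname()

    def echo_once():
        conn, _ = echo.accept()
        pump(conn, conn)            # echo until the proxy half-closes
        conn.close()

    threading.Thread(target=echo_once, daemon=True).start()
    listener = socket.create_server(("127.0.0.1", 0))
    proxy_addr = listener.getsockname()
    outcomes = []

    def serve_one(resolver):
        conn, _ = listener.accept()
        outcomes.append(handle_client(conn, proxy_addr, resolver))

    # 1. "fwd'd" connection: the stub resolver reports the echo server.
    worker = threading.Thread(target=serve_one, args=(lambda _c: echo_addr,))
    worker.start()
    cli = socket.create_connection(proxy_addr)
    request = b"GET / HTTP/1.0\r\nHost: example.invalid\r\n\r\n"   # constructed
    cli.sendall(request)
    cli.shutdown(socket.SHUT_WR)
    echoed = b""
    while chunk := cli.recv(BUFSIZE):
        echoed += chunk
    cli.close()
    worker.join()

    # 2. direct connection: getsockname() is our own address, so it is refused.
    worker = threading.Thread(target=serve_one, args=(original_destination,))
    worker.start()
    cli = socket.create_connection(proxy_addr)
    worker.join()
    cli.close()
    listener.close()
    echo.close()
    return echoed, outcomes
```

On the real gateway the listener would be bound to PROXY_ADDR and handle_client() called with the default resolver for every accepted socket; the loop guard is what keeps a stray direct connection to port 3128 from turning the proxy into a connect-to-itself spin. The same getsockname() trick is what Squid and similar proxies rely on when run behind ipfw fwd, and it only works because fwd does not touch the destination address, which is the whole difference from natd.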