Date:      Sat, 28 Dec 2002 14:12:20 -0600
From:      "Jack L. Stone" <jackstone@sage-one.net>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Firewall Forwarding Syntax
Message-ID:  <3.0.5.32.20021228141220.0125d188@mail.sage-one.net>
In-Reply-To: <20021228185554.GA47131@happy-idiot-talk.infracaninophi>
References:  <3.0.5.32.20021228110912.012ed640@mail.sage-one.net> <3.0.5.32.20021228110912.012ed640@mail.sage-one.net>

At 06:55 PM 12.28.2002 +0000, Matthew Seaman wrote:
>On Sat, Dec 28, 2002 at 11:09:12AM -0600, Jack L. Stone wrote:
>> I've looked for a good set of working examples of packeting forwarding
>> using ipfw, but no luck yet. I'm wondering if the following rule would work
>> for sending packets received on the gateway to a machine on the internal
>> network (LAN)...???
>> 
>> # ipfw add fwd tcp from 65.xxx.zzz.yyy to 192.168.0.5 <port#>
>
>Err... you need an IP number and possibly a port number after the
>'fwd', which is what the 'next hop' address is set to for packets that
>match the rest of the line:
>
>    ipfw add fwd 123.45.67.89 tcp from 65.xxx.zzz.yyy to 192.168.0.5 port
>
>Note that the packet itself isn't rewritten at all, so you will have
>to put in place something on the destination machine to accept
>packets destined for the original address.
>
>	Cheers,
>
>	Matthew
>

I want the packets to remain intact, but delivered correctly. I'm not even
sure if this is the right direction to take to solve the problem. Perhaps
an explanation of the dilemma:

I have a FBSD gateway (with NAT & caching DNS) on a server and the public
interface identifies incoming packets and routes them to the proper machine
using IP aliases in the interface -- fairly typical I suppose as per
example as follows, with rl0 as the internal and rl1 as external interfaces:

ifconfig_rl0="inet 192.168.0.1 netmask 0xffffff00"
ifconfig_rl1="inet 123.45.678.001 netmask 255.255.255.248"
ifconfig_rl1_alias0="inet 123.45.678.002 netmask 255.255.255.255"
ifconfig_rl1_alias1="inet 123.45.678.003 netmask 255.255.255.255"
etc, etc.....

Then, I use NAT to do redirect from above external IPs to machines on
private network.
-redirect_address 192.168.0.7 123.45.678.002
-redirect_address 192.168.0.5 123.45.678.003
etc, etc.....

PROBLEM:
Any emails sent (via Sendmail) out of machine 192.168.0.5 leave and go
to the gateway, resolve themselves as 123.45.678.003 just fine and go OUT
for delivery. BUT, the gateway machine (or any other machine on the private
network) cannot find its way to that machine for delivery of emails. Any
mails coming from the outside enter the gateway and are sent to the
machine 123.45.678.003/192.168.0.5 just fine... just not from within the
LAN.... they must also know the 192.168.0.5 IP to get there. The above
-redirects do not do it for INTERNAL emails. This is only a problem where
copies of emails sent OUT contain copies to go BACK to internal machines --
such as majordomo mail lists.

To try to make it simpler, any mails that leave an internal machine must go
to the default gateway, 192.168.0.1, and then get confused and cannot find
their way back to that same machine to deliver copies of emails.

This has GOT to have a simple solution and typical problem..... then I
thought of using the forwarding. Ouch, hurts my head just trying to explain
it.

Sorry for the length of this.....

Best regards,
Jack L. Stone,
Administrator

SageOne Net
http://www.sage-one.net
jackstone@sage-one.net
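As an added example that is not part of this thread (not Jack's or Matthew's code): a Python check that parses rc.conf alias lines and natd redirect_address lines in the shape Jack posted, flags any redirect whose public address is not actually an alias on the external interface, and emits the kind of `ipfw add fwd` rule Matthew describes so that LAN hosts which resolve a server to its public address get handed to the internal machine. The rl0/rl1 names follow the thread; the 203.0.113.x addresses are constructed stand-ins, since the thread's 123.45.678.x placeholders are not valid IPv4.

```python
import ipaddress
import re
# Constructed sample config shaped like the thread's lines; 203.0.113.x stands in
# for the thread's placeholder 123.45.678.x (not valid IPv4).
RC_CONF = """
ifconfig_rl0="inet 192.168.0.1 netmask 0xffffff00"
ifconfig_rl1="inet 203.0.113.1 netmask 255.255.255.248"
ifconfig_rl1_alias0="inet 203.0.113.2 netmask 255.255.255.255"
ifconfig_rl1_alias1="inet 203.0.113.3 netmask 255.255.255.255"
"""
NATD_CONF = """
redirect_address 192.168.0.7 203.0.113.2
redirect_address 192.168.0.5 203.0.113.3
redirect_address 192.168.0.9 203.0.113.4
"""
IFCONFIG_RE = re.compile(r'^ifconfig_(\w+?)(?:_alias\d+)?="inet (\S+) netmask (\S+)"')
def parse_interfaces(text):
    """Return {iface: [IPv4Interface, ...]} from rc.conf 'inet' lines."""
    ifaces = {}
    for line in text.splitlines():
        m = IFCONFIG_RE.match(line.strip())
        if m:
            iface, addr, mask = m.groups()
            if mask.startswith("0x"):  # hex netmask, as on the thread's rl0 line
                mask = str(ipaddress.IPv4Address(int(mask, 16)))
            ifaces.setdefault(iface, []).append(ipaddress.IPv4Interface(f"{addr}/{mask}"))
    return ifaces
def parse_redirects(text):
    """Return [(local_ip, public_ip), ...] from natd redirect_address lines."""
    pairs = []
    for line in text.splitlines():
        parts = line.strip().lstrip("-").split()  # accept -redirect_address too
        if len(parts) == 3 and parts[0] == "redirect_address":
            pairs.append((ipaddress.IPv4Address(parts[1]), ipaddress.IPv4Address(parts[2])))
    return pairs

def check_redirects(ifaces, redirects, ext="rl1"):
    """Flag redirects whose public IP is not bound (as an alias) on the external interface."""
    ext_addrs = {i.ip for i in ifaces.get(ext, [])}
    return [f"{public} is redirected to but is not an alias on {ext}"
            for _local, public in redirects if public not in ext_addrs]

def hairpin_fwd_rules(ifaces, redirects, port=25, lan="rl0"):
    """ipfw fwd rules of the kind the reply describes, for LAN hosts that resolve a
    server to its public IP; fwd only sets the next hop, so the internal host must
    itself accept packets addressed to the public IP (e.g. by also carrying it)."""
    lan_net = ifaces[lan][0].network
    return [f"ipfw add fwd {local} tcp from {lan_net} to {public} {port}"
            for local, public in redirects]
```

The third redirect in the constructed natd config points at 203.0.113.4, which is not configured as an alias, so `check_redirects` reports it; such a redirect would silently never receive traffic.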
