List: freebsd-ipfw
Subject: Re: IPFW / if_bridge / NAT
From: "Jay L. T. Cornwall" <jay () jcornwall ! me ! uk>
Date: 2008-03-28 21:27:27
Message-ID: 47ED62BF.4070100 () jcornwall ! me ! uk
Freddie Cash wrote:
>> This seemed to NAT packets outbound correctly, but the replies were
>> never NAT'd back to the private IPs. I believe the presence of the
>> bridge affects ipfw's ability to divert the appropriate packets. This
>> configuration partly works:
>> divert natd any from 192.168.1.0/24 to any
>> divert natd any from any to <public IP>
> Have you tried restricting your rules to only the vr1 interfaces, with
> <public IP> configured directly on vr1:
>
> divert natd ip from 192.168.1.0/24 to any out xmit vr1
> divert natd ip from any to <public IP> in recv vr1
Ah, there are recv/xmit semantics as well as in/out. I need to read the
man page more thoroughly!
However, this doesn't seem to work. It has the same symptoms as a single
'any to any via vr1' diversion: outbound packets are rewritten correctly
(verified at the destination) but the replies are never rewritten.
00601 3 180 divert 8668 ip from 192.168.1.0/24 to any out xmit vr1
00602 0 0 divert 8668 ip from any to <public ip> in recv vr1
Nothing ever reaches the second rule. I think the bridge changes ipfw
filtering properties, because the simple 'any to any via vr1' is
mentioned a lot in the literature. It just doesn't work here?
--
Jay L. T. Cornwall
http://www.jcornwall.me.uk/
_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"