IPFW/routing wishes

Christian Kratzer ck at cksoft.de
Mon Sep 15 07:45:14 PDT 2003


Hi,

On Mon, 15 Sep 2003, Martin Bartelds wrote:

> Hi Christian,
>
> Thanks for the reply.
>
> Actually two NATD's do work, but one of these NATD does have a problem.
> The outgoing IP number will not match the default routing adapter.
> If the firewall rules on that default routing adapter are "relaxed" and
> the external route does not block strange packets, it'll work, but
> outgoing packets will go through the default interface.
>
> I did have two NATD's, two divert sockets, two rule sets, etc. and
> everything "worked" except the outgoing packets of the second NATD
> attempting to go through the wrong adapter.

I used specific routes to distribute traffic over separate internet
connections last time we had such a setup.

Each connection had its own natd on its own divert port and its
own config file. The external ip to which to nat goes in the specific
natd's config file.

Packets going in and out over one interface go into their specific natd
instance and packets over the other interface go into theirs.  No mixup
possible.

> I don't have the config any more, since this was an ongoing trial
> finally being blocked on the issue "wrong source IP address going
> to the wrong network adapter".
[snipp]

It looks like you want to decide which interface or nexthop to use
depending on the source address of the packets.

I have not done policy routing on freebsd before but I would give
the ipfw fwd action a deeper look:

     fwd | forward ipaddr[,port]
	Change the next-hop on matching packets to ipaddr, which can be
	an IP address in dotted quad format or a host name.  The search
	terminates if this rule matches.

you should be able to implement source routing with this although
policy routing rulesets usually tend to be rather ugly.

I am also not quite sure if the packets will be injected back into the
rulesets and go through the divert rules and into their natds after
this.

Greetings
Christian

-- 
CK Software GmbH
Christian Kratzer,         Schwarzwaldstr. 31, 71131 Jettingen
Email: ck at cksoft.de
Phone: +49 7452 889-135    Open Software Solutions, Network Security
Fax:   +49 7452 889-136    FreeBSD spoken here!
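[Editor's note: the script below is an added example of the setup discussed in this thread (two natd instances, one per uplink, plus an ipfw "fwd" rule to pick the uplink by source address). It is not Christian's or Martin's configuration. The interface names (fxp0/fxp1/fxp2), addresses, gateways, divert ports and the split of the inside network are assumptions made for the example. "fwd" needs a kernel built with options IPFIREWALL_FORWARD. The rule ordering relies on one property of ipfw: "fwd" only terminates the pass in which it matches (here the inbound pass on the inside interface); the packet is then routed to the new next hop and still traverses the outbound rules, so the "divert ... out via" rule of the chosen uplink sees it and its natd rewrites the source to that uplink's address. Because the choice is made by source address, every inside host must always use the same uplink, otherwise replies for a connection that arrived on one uplink leave through the other natd, which has no state for it, and you are back to the "wrong source IP on the wrong adapter" problem described above.]

```shell
#!/bin/sh
# Two-uplink natd/ipfw setup with source-based policy routing via "fwd".
# All interface names, addresses and networks are assumptions for the example:
#   uplink 1: fxp0, 192.0.2.10/24,     gateway 192.0.2.1     (default route)
#   uplink 2: fxp1, 198.51.100.10/24,  gateway 198.51.100.1
#   inside:   fxp2, 192.168.0.0/24; lower half uses uplink 1, upper half uplink 2

ext_if1=fxp0;  ext_gw1=192.0.2.1
ext_if2=fxp1;  ext_gw2=198.51.100.1
int_if=fxp2
net_via1=192.168.0.0/25
net_via2=192.168.0.128/25
natd_port1=8668
natd_port2=8669

# Set FWCMD=echo to print the rules instead of loading them.
fwcmd="${FWCMD:-ipfw -q}"

enable_forwarding() {
    sysctl net.inet.ip.forwarding=1
}

# One natd per uplink: its own divert port (-p) and its alias address taken
# from its own interface (-n), so each instance only rewrites to "its" address.
# The same can go into a per-instance natd.conf: "port 8668" / "interface fxp0".
start_natd() {
    natd -p "$natd_port1" -n "$ext_if1"
    natd -p "$natd_port2" -n "$ext_if2"
}

build_ruleset() {
    $fwcmd -f flush
    # Inbound: translate on the interface the packet arrived on.
    $fwcmd add 100 divert "$natd_port1" ip from any to any in via "$ext_if1"
    $fwcmd add 110 divert "$natd_port2" ip from any to any in via "$ext_if2"
    # Policy routing: pick the next hop by source address as the packet comes
    # in from the inside. "fwd" ends only this inbound pass; the packet is
    # routed to the new next hop and still runs the outbound rules below.
    $fwcmd add 200 fwd "$ext_gw1" ip from "$net_via1" to any in via "$int_if"
    $fwcmd add 210 fwd "$ext_gw2" ip from "$net_via2" to any in via "$int_if"
    # Outbound: translate on the interface the packet leaves on, so the source
    # address always matches that interface's address.
    $fwcmd add 300 divert "$natd_port1" ip from any to any out via "$ext_if1"
    $fwcmd add 310 divert "$natd_port2" ip from any to any out via "$ext_if2"
    # Everything else; tighten to taste.
    $fwcmd add 65000 allow ip from any to any
}

# Dry run: emit the rules as text (runs build_ruleset in a subshell with echo).
show_ruleset() {
    ( fwcmd=echo; build_ruleset )
}

case "${1:-}" in
    apply) enable_forwarding; start_natd; build_ruleset ;;
    show)  show_ruleset ;;
esac
```

Run it as "sh natd-two-uplinks.sh show" to review the generated ruleset, and "sh natd-two-uplinks.sh apply" on the gateway to load it. Check the result with "ipfw show" and watch the counters on rules 300/310 while a host from each half of the inside network opens a connection: each host's traffic should only ever hit the divert rule of its own uplink.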


More information about the freebsd-ipfw mailing list