ipfw2(stateful)+divert; why divert rule is ignored?
Vladimir Grigor
xvga at mail.ru
Tue Mar 14 03:06:46 UTC 2006
Thanks to all, now the problem is solved.
Tuesday, March 14, 2006, 1:50:44 AM, Dennis wrote:
>> Regular NAT is working properly, but I can't configure NAPT to
>> services on server in LAN....
DO> You mean port forwarding?
Yep
>> 03800 0 0 divert 6893 log logamount 100 tcp from 192.168.0.1 80 to any out via tun0
DO> Possibly traffic has already been translated at this point?
The trick is that I used a 'count' rule to identify the corresponding traffic.
I replaced that 'divert' rule with a 'count' rule: nothing, no traffic on that rule. Then,
just to try, I put a 'count' rule 10 rules before the non-working divert rule, and
surprisingly the 'count' rule found traffic! I need to say those 10 rules are indifferent to the corresponding traffic.
So I just moved the divert rules to an earlier place in the ruleset and it works.
This weird behavior of ipfw seems to me like ... weird at least :)
>> 04700 25 1554 divert 6893 log logamount 100 tcp from any to 212.42.xxx.xxx dst-port 80 in via tun0
DO> Why multiple diverts?
Because I have several services in the LAN to offer to www users.
>> 05000 150 6816 allow log logamount 100 tcp from any to 192.168.0.1 dst-port 80 in via tun0 setup keep-state
DO> I believe you'll find setup keep-state incompatible with natd.
Surprisingly, it works!
--
Best regards,
Vladimir mailto:xvga at mail.ru
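The diagnosis Vladimir describes above (a 'count' rule placed earlier in the ruleset sees the packets, the 'divert' rule further down does not, so some rule in between must be terminating them) can be turned into a repeatable check. The script below is an added example and is not from the original post or from the freebsd-ipfw list: it reads an `ipfw show` dump (rule number, packet counter, byte counter, rule body per line) and prints every rule strictly between two rule numbers whose packet counter is non-zero. Those are the only candidates that could have consumed the traffic before the divert rule was reached. The dump embedded in the script is constructed for illustration; the intermediate rules and their counters are hypothetical, and which rule actually swallowed the traffic in the original setup is not stated in the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Given the output of `ipfw show`
# (fields: rulenum packets bytes body...), list the rules strictly between
# LOW and HIGH that have a non-zero packet counter. When a 'count' rule at
# LOW sees the traffic but a 'divert' rule at HIGH sees nothing, one of the
# rules printed here is the one terminating the packets first.

# Constructed sample dump. Rule numbers 03800 and 05000 echo the thread;
# the 'count', 'deny' and 'check-state' rules in between are hypothetical.
SAMPLE_SHOW='03700 25 1554 count tcp from any to 212.42.1.1 dst-port 80 in via tun0
03710 0 0 deny ip from 10.0.0.0/8 to any in via tun0
03750 25 1554 check-state
03800 0 0 divert 6893 tcp from any to 212.42.1.1 dst-port 80 in via tun0
05000 150 6816 allow tcp from any to 192.168.0.1 dst-port 80 in via tun0 setup keep-state'

# hot_rules_between LOW HIGH
# Reads an `ipfw show` dump on stdin and prints "rulenum packets body" for
# every rule with LOW < rulenum < HIGH and packets > 0.
hot_rules_between() {
    awk -v lo="$1" -v hi="$2" '
        $1 ~ /^[0-9]+$/ && ($1+0) > lo && ($1+0) < hi && ($2+0) > 0 {
            body = ""
            for (i = 4; i <= NF; i++) body = body (i > 4 ? " " : "") $i
            printf "%05d %d %s\n", $1, $2, body
        }'
}

# count_hot_between LOW HIGH
# Number of suspect rules in the constructed sample between LOW and HIGH.
count_hot_between() {
    printf '%s\n' "$SAMPLE_SHOW" | hot_rules_between "$1" "$2" | wc -l | tr -d ' '
}

# first_hot_between LOW HIGH
# Rule number of the first suspect rule in the constructed sample, if any.
first_hot_between() {
    printf '%s\n' "$SAMPLE_SHOW" | hot_rules_between "$1" "$2" | awk 'NR == 1 { print $1 }'
}

# Stand-alone usage against the constructed sample: the 'count' rule at 03700
# and the 'divert' rule at 03800 bracket the search.
printf '%s\n' "$SAMPLE_SHOW" | hot_rules_between 3700 3800
```

On a live system the same function is fed from the firewall directly, e.g. `ipfw show | hot_rules_between 3700 3800`, after a `count` rule has been added just below the last rule known to see the packets. Rules that merely `count` or `log` will appear in the output too, since their counters also increment; the ones to look at are the terminating actions (allow, deny, divert, check-state with a matching dynamic rule).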
More information about the freebsd-ipfw mailing list