is ipfw "fwd" act same as router ? - BSD


Thread: is ipfw "fwd" act same as router ?

  1. is ipfw "fwd" act same as router ?

    Hello

    I have 2 interfaces connected to the internet and I'm trying to use both for
    internet access.
    Now (thanks to Henri) I can use either one or the other using a static route,
    but I have to choose manually and input a list of static IPs, which is not
    good.

    I have seen on the web a thing like:
    ipfw add prob 0.5 allow ip from any to any out via gateway> fwd

    Can this line emulate a random router? The man page says that "fwd"ed packets are
    unmodified.
    Is it the case when the packet is routed?



  2. Re: is ipfw "fwd" act same as router ?


    "patrice" wrote in message
    news:4600049c$0$25790$426a74cc@news.free.fr...
    > Hello
    >
    > I have 2 interfaces connected to the internet and I'm trying to use both for
    > internet access.
    > Now (thanks to Henri) I can use either one or the other using a static route,
    > but I have to choose manually and input a list of static IPs, which is not
    > good.
    >
    > I have seen on the web a thing like:
    > ipfw add prob 0.5 allow ip from any to any out via gateway> fwd
    >
    > Can this line emulate a random router? The man page says that "fwd"ed packets are
    > unmodified.
    > Is it the case when the packet is routed?
    >


    I have tried it, but I think it will not work with HTTP sessions,
    so I've tried this:
    => catch every HTTP packet going out and change the IP src to 192.168.0.101 (natd
    alias)
    ipfw add 2098 divert 3615 tcp from any to any 80 out via tun0
    => catch everything going out from 192.168.0.101 and fwd it to the second
    gateway (0.254)
    ipfw add 2099 fwd 192.168.0.254 tcp from 192.168.0.101 to any 80 out via tun0

    The packet is well translated and moved to the interface of the second gateway,
    but it is not functioning.




  3. Re: is ipfw "fwd" act same as router ?

    On Tue, 2007-03-20 at 16:58 +0100, patrice wrote:
    > I have 2 interfaces connected to the internet and I'm trying to use both for
    > internet access.
    > Now (thanks to Henri) I can use either one or the other using a static route,
    > but I have to choose manually and input a list of static IPs, which is not
    > good.
    >
    > I have seen on the web a thing like:
    > ipfw add prob 0.5 allow ip from any to any out via gateway> fwd
    >
    > Can this line emulate a random router? The man page says that "fwd"ed packets are
    > unmodified.
    > Is it the case when the packet is routed?


    Depends. I suppose you're NATing to a single address on both interfaces.
    That makes it a bit complex.

    Here's one I did from way back. The firewall is not so sophisticated, but it
    should give you the right idea.


    Client Load Balancing: LSNAT-router using IPFW and NATD on FreeBSD 6.0

    The Internet gateways must reside in different logical networks for this
    configuration to work.


    1. Compile Custom Kernel

    options IPFIREWALL
    options IPFIREWALL_FORWARD
    options IPDIVERT
    options IPFIREWALL_FORWARD_EXTENDED


    2. Configure System (/etc/rc.conf)

    firewall_enable="yes"
    firewall_type="/etc/ipfw.rules"
    ifconfig_ste0="195.16.87.38/29"
    ifconfig_ste0_alias0="192.168.102.62/24"
    ifconfig_fxp0="192.168.10.1/24"
    defaultrouter="192.168.102.1"
    gateway_enable="yes"
    natd_enable="yes"
    natd_flags="-f /etc/natd.conf"


    3. Configure NATD (/etc/natd.conf)

    instance default
    alias_address 192.168.102.62

    instance other
    alias_address 195.16.87.38
    port 8669

    globalport 9000


    4. Configure IPFW (/etc/ipfw.rules)

    -f flush

    add skipto 20000 ip from any to 192.168.102.62 in via ste0
    add skipto 30000 ip from any to 195.16.87.38 in via ste0

    add divert 9000 ip from any to any out via ste0
    add skipto 40000 ip from { 192.168.102.62 or 195.16.87.38 } to any out via ste0
    add prob .5 skipto 20000 ip from any to any out via ste0
    add skipto 30000 ip from any to any out via ste0

    add skipto 40000 ip from any to any

    add 20000 divert natd ip from any to any
    add skipto 40000 ip from any to any

    add 30000 divert 8669 ip from any to any
    add skipto 40000 ip from any to any

    add 40000 check-state
    add deny ip from 192.168.10.0/24 to any via ste0
    add allow ip from me to me via lo0 keep-state
    add deny ip from me to any in

    add allow ip from 195.16.87.38 to { me or 195.16.87.32/29 or 192.168.102.0/24 or 192.168.10.0/24 } keep-state
    add forward 195.16.87.33 ip from 195.16.87.38 to any keep-state
    add allow ip from me to any keep-state
    add deny ip from me to any
    add allow icmp from any to me icmptypes 3,4,8,11 keep-state
    add deny ip from any to me

    add allow ip from 192.168.10.0/24 to any keep-state
    add deny ip from 192.168.10.0/24 to any
    add allow icmp from any to 192.168.10.0/24 icmptypes 3,4,11 keep-state
    add deny ip from any to 192.168.10.0/24


  4. Re: is ipfw "fwd" act same as router ?

    patrice wrote:
    > "patrice" wrote in message
    > news:4600049c$0$25790$426a74cc@news.free.fr...
    >> Hello
    >>
    >> I have 2 interfaces connected to the internet and I'm trying to use both for
    >> internet access.
    >> Now (thanks to Henri) I can use either one or the other using a static route,
    >> but I have to choose manually and input a list of static IPs, which is not
    >> good.
    >>
    >> I have seen on the web a thing like:
    >> ipfw add prob 0.5 allow ip from any to any out via gateway> fwd
    >>
    >> Can this line emulate a random router? The man page says that "fwd"ed packets are
    >> unmodified.
    >> Is it the case when the packet is routed?
    >>

    >
    > I have tried it, but I think it will not work with HTTP sessions,
    > so I've tried this:
    > => catch every HTTP packet going out and change the IP src to 192.168.0.101 (natd
    > alias)
    > ipfw add 2098 divert 3615 tcp from any to any 80 out via tun0


    I have a doubt: does natd tag its table entries with the interface?
    In this case, the output packet is tagged with tun0 and the
    corresponding response is tagged with bge0; the reverse translation is
    not done.

    To have more insight I would run natd with the -v option (the one
    listening on 3615).

    Henri
    > => catch everything going out from 192.168.0.101 and fwd it to the second
    > gateway (0.254)
    > ipfw add 2099 fwd 192.168.0.254 tcp from 192.168.0.101 to any 80 out via tun0
    >
    > The packet is well translated and moved to the interface of the second gateway,
    > but it is not functioning.
    >


  5. Re: is ipfw "fwd" act same as router ?

    "Henri Hennebert" wrote in message
    news:etr432$p07$1@morzine.restart.bel...
    > I have a doubt: does natd tag its table entries with the interface?
    > In this case, the output packet is tagged with tun0 and the
    > corresponding response is tagged with bge0; the reverse translation is
    > not done.
    >
    > To have more insight I would run natd with the -v option (the one
    > listening on 3615).
    >


    Here is the trace (it looks like Chinese to me).
    10.10.21.1 is the one who tried to reach http://194.167.78.73:8080
    with these rules:
    divert 3615 log tcp from any to any dst-port 8080 out via tun0
    02099 fwd 192.168.0.254 log tcp from 192.168.0.101 to any via tun0

    Out {default} 00000000[TCP] [TCP] 10.10.21.1:3242 -> 194.167.78.73:8080 aliased to [TCP] 192.168.0.101:3242 -> 194.167.78.73:8080
    Out {default} 0000ffff[TCP] [TCP] 10.10.21.1:3242 -> 194.167.78.73:8080 aliased to [TCP] 192.168.0.101:3242 -> 194.167.78.73:8080
    Out {default} 0000ffff[TCP] [TCP] 10.10.21.1:3242 -> 194.167.78.73:8080 aliased to [TCP] 192.168.0.101:3242 -> 194.167.78.73:8080

    I hope you can understand something.



  6. Re: is ipfw "fwd" act same as router ?

    "Henri Hennebert" wrote in message
    news:etr432$p07$1@morzine.restart.bel...
    > I have a doubt: does natd tag its table entries with the interface?
    > In this case, the output packet is tagged with tun0 and the
    > corresponding response is tagged with bge0; the reverse translation is
    > not done.
    >


    Henri, you're the king.
    You pointed me in the right direction: I need to catch the packets on the same
    interface.

    As the outgoing traffic comes in through the switch (the same interface as the
    internet modem),
    I've tried to catch the packets before they arrive on tun0:

    02098 divert 3615 log tcp from any to not me dst-port 8080 in via bge0
    02099 fwd 192.168.0.254 log tcp from 192.168.0.101 to any dst-port 8080

    and it runs )

    Thank you...




  7. Re: is ipfw "fwd" act same as router ?

    "patrice" wrote in message
    news:46016fce$0$10412$426a74cc@news.free.fr...
    > "Henri Hennebert" wrote in message
    > news:etr432$p07$1@morzine.restart.bel...
    > > I have a doubt: does natd tag its table entries with the interface?
    > > In this case, the output packet is tagged with tun0 and the
    > > corresponding response is tagged with bge0; the reverse translation is
    > > not done.
    > >

    >
    > Henri, you're the king.
    > You pointed me in the right direction: I need to catch the packets on the same
    > interface.
    >
    > As the outgoing traffic comes in through the switch (the same interface as the
    > internet modem),
    > I've tried to catch the packets before they arrive on tun0:
    >
    > 02098 divert 3615 log tcp from any to not me dst-port 8080 in via bge0
    > 02099 fwd 192.168.0.254 log tcp from 192.168.0.101 to any dst-port 8080
    >
    > and it runs )
    >


    No, it does not (
    I thought it was working because the web was OK, but that was because the packets are
    not trapped and go through tun0.

    Continuing to search ....



  8. Re: is ipfw "fwd" act same as router ?

    patrice wrote:
    > "Henri Hennebert" wrote in message
    > news:etr432$p07$1@morzine.restart.bel...
    >> I have a doubt: does natd tag its table entries with the interface?
    >> In this case, the output packet is tagged with tun0 and the
    >> corresponding response is tagged with bge0; the reverse translation is
    >> not done.
    >>
    >> To have more insight I would run natd with the -v option (the one
    >> listening on 3615).
    >>

    >
    > Here is the trace (it looks like Chinese to me).
    > 10.10.21.1 is the one who tried to reach http://194.167.78.73:8080
    > with these rules:
    > divert 3615 log tcp from any to any dst-port 8080 out via tun0
    > 02099 fwd 192.168.0.254 log tcp from 192.168.0.101 to any via tun0
    >
    > Out {default} 00000000[TCP] [TCP] 10.10.21.1:3242 -> 194.167.78.73:8080 aliased to [TCP] 192.168.0.101:3242 -> 194.167.78.73:8080
    > Out {default} 0000ffff[TCP] [TCP] 10.10.21.1:3242 -> 194.167.78.73:8080 aliased to [TCP] 192.168.0.101:3242 -> 194.167.78.73:8080
    > Out {default} 0000ffff[TCP] [TCP] 10.10.21.1:3242 -> 194.167.78.73:8080 aliased to [TCP] 192.168.0.101:3242 -> 194.167.78.73:8080
    >
    > I hope you can understand something.
    >
    >

    This trace doesn't show any input packet. Are you sure that an ipfw rule
    diverts the response packets?

    I think we should see something like:

    In {default} 0000ffff[TCP] 194.167.78.73:8080 -> 192.168.0.101:3242
    aliased to 194.167.78.73:8080 -> 10.10.21.1:3242


    Can you post all your ipfw rules?

    Henri
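The point Henri makes in posts 4 and 8 (natd can only undo a translation if the reply is also diverted to the same natd instance) can be modelled in a few lines. The following Python is an added example, not code from this thread or from ipfw/natd: it is a toy rule walker plus a toy natd alias table, fed with the addresses from patrice's trace (inside host 10.10.21.1, alias 192.168.0.101, second gateway 192.168.0.254, server 194.167.78.73:8080). The rule semantics are simplified and assumed (a diverted packet continues at the next rule, fwd and allow/deny terminate, an unmatched packet is allowed); the "reply arrives in via bge0" case and the extra reverse divert rule are assumptions following Henri's hypothesis, not rules from the thread.

```python
"""Toy model of ipfw divert/fwd rules and a natd alias table (added example).
Shows why post 2's rule set, which only diverts 'out via tun0', leaves the
reply untranslated when it comes back in on another interface."""
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str   # "in" or "out"
    iface: str       # interface the packet is seen on


class Natd:
    """One natd instance: rewrites the source of outbound packets to alias_ip
    and remembers (remote ip, remote port, local port) so the matching reply
    can be mapped back to the original inside host."""

    def __init__(self, alias_ip: str):
        self.alias_ip = alias_ip
        self.reverse = {}

    def translate(self, pkt: Packet) -> Packet:
        if pkt.direction == "out":
            self.reverse[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            return replace(pkt, src=self.alias_ip)
        key = (pkt.src, pkt.sport, pkt.dport)
        if pkt.dst == self.alias_ip and key in self.reverse:
            return replace(pkt, dst=self.reverse[key])
        return pkt   # no table entry: reply leaves natd unmodified


@dataclass
class Rule:
    action: str                      # "divert", "fwd", "allow", "deny"
    direction: Optional[str] = None  # None matches both directions
    via: Optional[str] = None        # None matches any interface
    src: Optional[str] = None
    dst_port: Optional[int] = None
    arg: object = None               # Natd for divert, next-hop ip for fwd


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.via in (None, pkt.iface)
            and rule.src in (None, pkt.src)
            and rule.dst_port in (None, pkt.dport))


def run_chain(rules, pkt: Packet):
    """Walk the rules in order; return (possibly translated packet, next hop).
    Assumed simplification: divert reinjects at the next rule, fwd/allow/deny
    terminate, and an unmatched packet is allowed."""
    for r in rules:
        if not matches(r, pkt):
            continue
        if r.action == "divert":
            pkt = r.arg.translate(pkt)
        elif r.action == "fwd":
            return pkt, r.arg
        elif r.action in ("allow", "deny"):
            return pkt, None
    return pkt, None


def posted_rules(natd: Natd):
    """Post 2's rule set: divert and fwd only 'out via tun0'."""
    return [Rule("divert", "out", "tun0", dst_port=8080, arg=natd),
            Rule("fwd", "out", "tun0", src="192.168.0.101", dst_port=8080,
                 arg="192.168.0.254")]


def rules_with_reverse_divert(natd: Natd):
    """Assumed fix (hypothetical rule, not from the thread): also divert the
    reply on the interface it comes back on, so natd sees both directions."""
    return posted_rules(natd) + [Rule("divert", "in", "bge0", arg=natd)]


def scenario(build_rules):
    """Send one SYN out via tun0, then feed the reply back in via bge0
    (Henri's hypothesis) and report what natd did to it."""
    natd = Natd("192.168.0.101")
    rules = build_rules(natd)
    out = Packet("10.10.21.1", "194.167.78.73", 3242, 8080, "out", "tun0")
    out_t, hop = run_chain(rules, out)
    reply = Packet("194.167.78.73", out_t.src, 8080, 3242, "in", "bge0")
    reply_t, _ = run_chain(rules, reply)
    return {"out_src": out_t.src, "next_hop": hop, "reply_dst": reply_t.dst}


if __name__ == "__main__":
    print("posted rules:        ", scenario(posted_rules))
    print("with reverse divert: ", scenario(rules_with_reverse_divert))
```

With the posted rules the outbound packet is aliased and forwarded to 192.168.0.254, exactly what the "Out" lines in the trace show, but the reply is still addressed to 192.168.0.101 when it leaves the chain, so it never reaches 10.10.21.1; that is the missing "In ... aliased to" line Henri expected. Adding a divert rule for the inbound direction is what lets the same natd instance see the reply and restore the original destination.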
