Re: is ipfw "fwd" act same as router ?

Subject: Re: is ipfw "fwd" act same as router ?
Poster: Dominvalid@invalid.invalid
Date: Tue, 20 Mar 2007 23:01:09 -0500
On Tue, 2007-03-20 at 16:58 +0100, patrice wrote:
> I have 2 interfaces connected to the internet and I'm trying to use both for
> internet access.
> Now (thx to henri) I can use either one or the other using a static route,
> but I have to choose manually and input a list of static IPs, which is not
> good.
>
> I have seen on the web a thing like:
> ipfw add prob 0.5 allow ip from any to any out via
> gateway> fwd
>
> Can this line emulate a random router? The man said that "fwd"ed packets are
> unmodified.
> Is that the case when the packet is routed?

Depends. I suppose you're NATing to a single address on both interfaces. That makes it a bit complex.

Here's one I did from way back. Firewall is not so sophisticated, but it should give you the right idea.

Client Load Balancing: LSNAT-router using IPFW and NATD on FreeBSD 6.0

The Internet gateways must reside in different logical networks for this configuration to work.

1. Compile Custom Kernel

# ipfw itself, the fwd action, and divert sockets for natd
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPDIVERT
options IPFIREWALL_FORWARD_EXTENDED

2. Configure System (/etc/rc.conf)

firewall_enable="yes"
firewall_type="/etc/ipfw.rules"           # ipfw reads this file as a rule list
ifconfig_ste0="195.16.87.38/29"           # outside: first ISP, gateway 195.16.87.33
ifconfig_ste0_alias0="192.168.102.62/24"  # outside: second ISP, gateway 192.168.102.1
ifconfig_fxp0="192.168.10.1/24"           # inside LAN
defaultrouter="192.168.102.1"
gateway_enable="yes"
natd_enable="yes"
natd_flags="-f /etc/natd.conf"

3. Configure NATD (/etc/natd.conf)

# first instance: default divert port (natd = 8668), translates to the 192.168.102.0/24 address
instance default
alias_address 192.168.102.62

# second instance: its own divert port, translates to the 195.16.87.32/29 address
instance other
alias_address 195.16.87.38
port 8669

# shared port: packets diverted here are matched against the session tables of all instances
globalport 9000

4. Configure IPFW (/etc/ipfw.rules)

-f flush

# inbound replies: hand each public address to the natd instance that owns it
add skipto 20000 ip from any to 192.168.102.62 in via ste0
add skipto 30000 ip from any to 195.16.87.38 in via ste0

# outbound: flows with an existing session are translated via globalport (9000);
# packets that come back already translated go straight to the filter block,
# anything still untranslated is a new flow and is split 50/50 between the instances
add divert 9000 ip from any to any out via ste0
add skipto 40000 ip from { 192.168.102.62 or 195.16.87.38 } to any out via ste0
add prob .5 skipto 20000 ip from any to any out via ste0
add skipto 30000 ip from any to any out via ste0

# everything else (LAN side, loopback) skips NAT
add skipto 40000 ip from any to any

# NAT through the first instance, then filter
add 20000 divert natd ip from any to any
add skipto 40000 ip from any to any

# NAT through the second instance, then filter
add 30000 divert 8669 ip from any to any
add skipto 40000 ip from any to any

# filter block: stateful, with the second public address policy-routed to its own gateway
add 40000 check-state
add deny ip from 192.168.10.0/24 to any via ste0
add allow ip from me to me via lo0 keep-state
add deny ip from me to any in

add allow ip from 195.16.87.38 to { me or 195.16.87.32/29 or 192.168.102.0/24 or 192.168.10.0/24 } keep-state
add forward 195.16.87.33 ip from 195.16.87.38 to any keep-state
add allow ip from me to any keep-state
add deny ip from me to any
add allow icmp from any to me icmptypes 3,4,8,11 keep-state
add deny ip from any to me

add allow ip from 192.168.10.0/24 to any keep-state
add deny ip from 192.168.10.0/24 to any
add allow icmp from any to 192.168.10.0/24 icmptypes 3,4,11 keep-state
add deny ip from any to 192.168.10.0/24
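The mechanics of that ruleset as an added model, not code from the post or from FreeBSD: it assumes natd's globalport mode only translates flows that already have a session, and it walks the prob/skipto chain to show that only the first packet of a flow rolls the dice while later packets and replies stay on the same instance and gateway.

```python
import random

# Constructed model of the post's two natd instances and two gateways; it is not
# ipfw or natd code. divert port -> alias address, alias address -> next hop (the
# defaultrouter, or 195.16.87.33 via the "forward" rule for the second address).
INSTANCES = {"natd": "192.168.102.62", "8669": "195.16.87.38"}
NEXT_HOP = {"192.168.102.62": "192.168.102.1", "195.16.87.38": "195.16.87.33"}


class NatdModel:
    """Session table shared by both instances, as natd's globalport mode sees it."""
    def __init__(self):
        self.sessions = {}  # (lan_src, dst) -> alias address the flow is bound to

    def globalport(self, src, dst):
        # 'divert 9000' rule: translate only flows that already have a session
        return self.sessions.get((src, dst))

    def instance(self, port, src, dst):
        # 'divert natd' (rule 20000) or 'divert 8669' (rule 30000): bind a new flow
        return self.sessions.setdefault((src, dst), INSTANCES[port])


def outbound(src, dst, natd, rng=random.random):
    """Walk the outbound rules for a LAN packet leaving via ste0.
    Returns (alias address the packet leaves with, next hop)."""
    alias = natd.globalport(src, dst)
    if alias is None:
        # 'prob .5 skipto 20000', else 'skipto 30000': only a flow's first packet rolls
        port = "natd" if rng() < 0.5 else "8669"
        alias = natd.instance(port, src, dst)
    return alias, NEXT_HOP[alias]


def inbound(dst):
    """Walk the inbound rules: a reply is de-NATed by the instance owning its dst."""
    for port, alias in INSTANCES.items():
        if dst == alias:
            return port  # 'skipto 20000' / 'skipto 30000' keyed on destination
    return None  # not one of our public addresses: falls through to rule 40000


def spread(n, natd, rng=random.random):
    """Send n distinct new flows through outbound() and count flows per next hop."""
    counts = {}
    for i in range(n):
        src = "192.168.10.%d" % (i // 254 + 2)
        dst = "203.0.113.%d" % (i % 254 + 1)
        _, hop = outbound(src, dst, natd, rng)
        counts[hop] = counts.get(hop, 0) + 1
    return counts
```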
