Re: 1.3.6[012] broke ipfw

Jos Vos (jos@xos.nl)
Fri, 16 Feb 1996 11:08:51 +0100 (MET)


> According to Alex "Achmed" McCubbin:
> > So the question is... For those of us that use IP masquerading, what are
> > the options now for adding masquerading rules to a 1.3.6+ kernel? (please
> > don't just say use 1.2.13... there are MANY wonderful enhancements to the
> > 1.3.xx line...)
>
> The Masquerade Rules are in the Forwarding Table. Just set an appropriate
> forwarding Rule with the "masquerade" policy. (It's missing in the 2.0beta1
> man page I guess).
>
> ./ipfwadm -F- a masq -S 10.0.0.0/24 -D 0/0

Right (if you put the second "-" just before the "a" :-)).
But it is explained in the manual page.

The 2.0beta1 ipfwadm(8) manual page says:

-a [policy]
Append one or more rules to the end of the selected
list. For the accounting chain, no policy should
be specified. For firewall chains, it is required
to specify one of the following policies: accept,
masquerade (only valid for forwarding rules), deny,
or reject. When the source and/or destination
names resolve to more than one address, a rule will
be added for each possible combination.

And the ipfw(4) manual page explains the policies, like masquerade:

Each of the firewall rules (not the accounting rules) contains a
policy, which specifies what action has to be taken when a packet
matches with the rule. There are 4 different policies possible:
accept (let the packet pass the firewall in a normal way),
masquerade (let the packet pass the firewall using masquerading;
this policy is only valid for forwarding rules), reject (do not
accept the packet and send an ICMP host unreachable message back
to the sender as notification), and deny (ignore the packet
without sending any notification). For all 3 types of firewalls
there also exists a default policy, which applies to all packets
for which none of the rules match.

The forwarding rules also define whether or not packets should be
masqueraded when being forwarded. In that case, the sender address
in the IP packets is replaced by the address of the local host and
the source port in the TCP or UDP header is replaced by a locally
generated (temporary) port number before being forwarded. Because
this administration is kept in the kernel, reverse packets (sent to
the temporary port number on the local host) are recognized
automatically. The destination address and port number of these
packets will be replaced by the original address/number that was
saved when the first packet was masqueraded.

-- 
--    Jos Vos <jos@xos.nl>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
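The two manual-page excerpts above describe two mechanisms: first-match evaluation of a forwarding chain with a per-chain default policy, and the masquerading table that rewrites the source address/port of outbound packets and reverses the rewrite for replies sent to the temporary port. The following is an added example, not code from the thread or from the Linux kernel: a user-space simulation of both mechanisms, using the rule from the thread (masquerade 10.0.0.0/24 to 0/0) with a constructed gateway address, constructed peers from the RFC 5737 documentation ranges, and a hypothetical temporary-port range starting at 61000. Only the -S/-D address selectors are modelled, and the check that a reply must come from the original peer is an extra safeguard of this simulation, not something the excerpt states.

```python
# Added example: user-space simulation of ipfwadm forwarding-chain evaluation
# and the masquerading state table described in the ipfw(4) excerpt above.
# Not the Linux 1.3.x/2.0 kernel code; addresses, ports and rules are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

POLICIES = ("accept", "masquerade", "deny", "reject")


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    policy: str
    src: str = "0.0.0.0/0"   # -S selector as a CIDR prefix ("0/0" in ipfwadm syntax)
    dst: str = "0.0.0.0/0"   # -D selector

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src, strict=False)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst, strict=False))


class ForwardingChain:
    """First matching rule wins; otherwise the chain's default policy applies."""

    def __init__(self, local_addr: str, default_policy: str = "deny", first_temp_port: int = 61000):
        self.local_addr = local_addr
        self.default_policy = default_policy
        self.rules = []
        self.next_port = first_temp_port   # hypothetical start of the temporary-port range
        self.flows = {}    # (proto, src, sport, dst, dport) -> temporary port
        self.masq = {}     # (proto, temporary port) -> (src, sport, dst, dport)

    def append(self, policy: str, src: str = "0.0.0.0/0", dst: str = "0.0.0.0/0") -> None:
        """Equivalent of: ipfwadm -F -a <policy> -S <src> -D <dst>"""
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.rules.append(Rule(policy, src, dst))

    def policy_for(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.policy
        return self.default_policy

    def forward(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Evaluate an outbound packet; return (verdict, packet as it leaves the host)."""
        policy = self.policy_for(pkt)
        if policy == "accept":
            return "accept", pkt
        if policy in ("deny", "reject"):
            # reject would additionally send ICMP host unreachable; not simulated here
            return policy, None
        # masquerade: rewrite source address/port and remember the mapping in the table
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        temp = self.flows.get(flow)
        if temp is None:
            if self.next_port > 65535:
                raise RuntimeError("temporary port range exhausted")
            temp = self.next_port
            self.next_port += 1
            self.flows[flow] = temp
            self.masq[(pkt.proto, temp)] = flow[1:]
        return "masquerade", Packet(pkt.proto, self.local_addr, temp, pkt.dst, pkt.dport)

    def demasquerade(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a packet sent to a temporary port on the local host.
        Returns None when no mapping exists, so unsolicited traffic is not steered inside."""
        if pkt.dst != self.local_addr:
            return None
        entry = self.masq.get((pkt.proto, pkt.dport))
        if entry is None:
            return None
        src, sport, dst, dport = entry
        # Extra check in this simulation (not stated in the man page): the reply must
        # come from the peer the original packet was sent to.
        if (pkt.src, pkt.sport) != (dst, dport):
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)


def demo():
    """The thread's rule (ipfwadm -F -a masquerade -S 10.0.0.0/24 -D 0/0) on constructed traffic."""
    fw = ForwardingChain(local_addr="198.51.100.1", default_policy="deny")
    fw.append("masquerade", src="10.0.0.0/24", dst="0.0.0.0/0")
    out = fw.forward(Packet("tcp", "10.0.0.5", 1024, "192.0.2.10", 80))       # rewritten to :61000
    back = fw.demasquerade(Packet("tcp", "192.0.2.10", 80, "198.51.100.1", 61000))
    other = fw.forward(Packet("tcp", "10.0.0.6", 1024, "192.0.2.10", 80))     # same sport, new temp port
    denied = fw.forward(Packet("tcp", "10.0.1.7", 1024, "192.0.2.10", 80))    # outside /24: default policy
    stray = fw.demasquerade(Packet("tcp", "203.0.113.9", 4444, "198.51.100.1", 61001))  # wrong peer
    return out, back, other, denied, stray


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Two points the simulation makes visible that the excerpt only implies: two internal hosts using the same source port must receive distinct temporary ports, since the temporary port is the only key the gateway has when the reply arrives; and anything arriving at a temporary port that has no table entry (or, with the extra check here, comes from the wrong peer) should be left alone rather than forwarded inside.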