# IPFW + NATD, ip-packets processing order



## Serge1978 (Jul 15, 2013)

Hello!

Could anyone please direct me to any article, or tell keywords I can google myself about in which orders the IP packets are being processed? The task is: to forward HTTP and HTTPS traffic from the LAN to Squid.

Topology:

```
[LAN PC]--------[em1___SERVER___em0]---------[default_router]
192.168.2.3   192.168.2.1    192.168.1.198     192.168.1.1
```

Custom kernel's options:

```
include		GENERIC
ident		MYKERNEL1
options		IPFIREWALL
options		IPFIREWALL_VERBOSE
options		IPFIREWALL_FORWARD
options		IPFIREWALL_VERBOSE_LIMIT=5
options		IPFIREWALL_DEFAULT_TO_ACCEPT
options		IPDIVERT
```

/etc/rc.conf(cut):

```
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.conf"
dummynet_enable="YES"
natd_enable="YES"
natd_interface="em0"
natd_flags=""
squid_enable="YES"
```

`#ipfw list`:

```
00001 allow ip from me to any
00050 devert 8668 ip from any to any via em0
00089 allow icmp from any to any
65535 deny ip from any to any
```

/etc/sysctl.conf:

```
net.ient.ip.fw.one_pass=0
net.inet.ip.fastforwarding=1
```

What I need to do is to add an '`ipfw fwd`' rule, but it seems I have some troubles realizing where exactly to put it in the /etc/ipfw.conf file, and the format of this rule. As I get it, the rule must be something like this:

`ipfw add #### fwd A.B.C.D,port1 tcp from K.L.M.N/24 to any port2 [in|out] via [em1|em0]`

Squid's settings are common: `http_port 3128 intercept`.

Should I put the `ipfw fwd` rule before the `divert natd` rule or after it? A.B.C.D,port1 should be 127.0.0.1,3128 or something else? K.L.M.N,port2 should be LAN's network address (192.168.2.0/24) and 80, respectively? What should be the interfaces and direction, in or out? The packets from the LAN, they first being NAT'ed, then forwarded to Squid or opposite, and how can I figure this out?

I've been reading and experimenting a whole past week without any acceptable results, none seems to work.

Thanks in advance.


----------

