From owner-freebsd-ipfw@FreeBSD.ORG Sun Jul 11 04:15:24 2004
From: "Mads Forsberg"
To: freebsd-ipfw@freebsd.org
Date: Sun, 11 Jul 2004 06:18:27 +0200
Message-ID: <002101c466fe$1d8f3f70$6700000a@spanden>
Subject: Problem matching packets 'via' IP alias

Hello,

I have a problem matching the traffic like I want in the following setup:

/etc/rc.conf:

#WAN interface
ifconfig_xl0="DHCP"
#LAN interface and alias
ifconfig_xl1="inet 10.0.0.1 netmask 255.0.0.0"
ifconfig_xl1_alias0="inet 10.0.0.2 netmask 255.255.255.255"

/etc/rc.firewall:

${fwcmd} add 100 count all from any to any via 10.0.0.1
${fwcmd} add 200 count all from any to any via 10.0.0.2
${fwcmd} add 500 divert natd all from any to any via xl0

The clients on the network can choose to either use 10.0.0.1 or the alias 10.0.0.2 as a default gateway.

I need the firewall to divert the traffic going in on 10.0.0.1 to one natd, and traffic going in on 10.0.0.2 to another natd.

I have added rules 100 and 200 to try and match the traffic like I want, but all traffic matches both rule 100 and 200, regardless of which IP the clients use as default gateway. Most examples use the via keyword with an interface name, but according to the ipfw manpage using an IP with the via keyword should be possible.

Any help would be greatly appreciated!

From owner-freebsd-ipfw@FreeBSD.ORG Mon Jul 12 07:27:25 2004
From: Ian FREISLICH
To: "Steve Bertrand"
cc: freebsd-ipfw@freebsd.org
Date: Mon, 12 Jul 2004 09:27:13 +0200
In-Reply-To: Message from "Steve Bertrand" <3743.209.167.16.15.1089391473.squirrel@209.167.16.15>
Subject: Re: IPFW fwd to remote address

"Steve Bertrand" wrote:
> I am trying to set up a forward from one machine to another on a remote
> network across the Internet.
>
> I want to receive requests on one box on port 8080 and simply forward them
> to a remote machine on the same port. I have tried the following rules, to
> no avail.
>
> I have IPFIREWALL_FORWARD in my kernel (4.10), and # ipfw show
> reports the hits to the rule.
>
> # ipfw add 1000 fwd 216.209.x.x tcp from any to me 8080
> # ipfw add 1000 fwd 216.209.x.x,8080 tcp from any to me 8080
> # ipfw add 1000 fwd 216.209.x.x tcp from any to me 8080
> # ipfw add 1000 fwd 216.209.x.x,8080 from any to any 8080
>
> I can not see the packets going back out of the machine, nor does ipfw log
> anything at the other end. # tcpdump at the remote end does not pick up
> any traffic.
>
> Does this have something to do with the fact that I am going across the
> Internet, and it is trying to route the packets back to itself (I
> understand the dest does not get changed). If so, how could I re-write the
> packets so they will get delivered?

I would imagine so. From the manual page:

     fwd | forward ipaddr[,port]
             Change the next-hop on matching packets to ipaddr, which can be
             an IP address in dotted quad format or a host name. The search
             terminates if this rule matches.

The next hop must be on your local network, otherwise it isn't really the next hop. The next hop will route the packets forwarded to it by this rule.

It sounds like you want to rewrite the destination address in the packets. Have a look at natd(8). It may turn out to be more complicated than you think because the source address from the other side will be wrong for returning packets, so you'll have to rewrite those as well.

What are you trying to achieve?

Ian

--
Ian Freislich

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 16 11:08:44 2004
From: Evgeny Ivanov
To: freebsd-ipfw@freebsd.org
Date: Thu, 15 Jul 2004 09:58:09 +0300 (EEST)
Message-Id: <200407150658.i6F6w9jZ016939@ns.networkersbg.com>
Subject: IPFW 2 lookup Tables syntax

Hi all,

At last I've managed to update to 4.10-stable with ipfw2 and tables in it.
Can you please tell me what is wrong with my syntax - I cannot implement a table into a rule.

Thanks in advance

Some console output
==========================================================
ns# ipfw table 1 list
212.116.151.30/32 0
ns# ipfw add 50 count all from table(1) to me in
Badly placed ()'s.
ns#
==========================================================

Evgeny Ivanov

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 16 11:08:54 2004
From: Evgeny Ivanov
To: freebsd-ipfw@freebsd.org
Date: Wed, 14 Jul 2004 18:45:16 +0300 (EEST)
Message-Id: <200407141545.i6EFjGeV001896@ns.networkersbg.com>
Subject: IPFW2 tables syntax

Can you please tell me what is wrong with my syntax?

ns# ipfw table 1 list
212.116.151.30/32 0
ns# ipfw add 50 count all from table(1) to me in
Badly placed ()'s.
ns#

Regards
Evgeny Ivanov

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 16 11:27:22 2004
From: Ondra Holecek
To: freebsd-ipfw@freebsd.org
Date: Fri, 16 Jul 2004 13:27:07 +0200
Message-Id: <200407161316.40936.bln@bln.no-ip.org>
In-Reply-To: <200407141545.i6EFjGeV001896@ns.networkersbg.com>
Subject: Re: IPFW2 tables syntax

On Wednesday 14 July 2004 17:45, Evgeny Ivanov wrote:
> Can you please tell me what is wrong with my syntax?
>
> ns# ipfw table 1 list
> 212.116.151.30/32 0
> ns# ipfw add 50 count all from table(1) to me in
> Badly placed ()'s.
> ns#

root@pretender# ipfw add 10 count all from table(1) to me in
su: syntax error near unexpected token `('
root@pretender# ipfw add 10 count all from 'table(1)' to me in
00010 count ip from table(1) to me in

I expect the () are being parsed by the shell (bash, tcsh) instead of ipfw, so try it with ' ' to tell the shell to leave this argument as is.

> Regards
> Evgeny Ivanov
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 16 12:30:19 2004
From: Evgeny Ivanov
To: neko@potentia.org
cc: freebsd-ipfw@freebsd.org
Date: Fri, 16 Jul 2004 14:21:18 +0300 (EEST)
Message-Id: <200407161121.i6GBLIjg015834@ns.networkersbg.com>
Subject: Re: IPFW2 tables syntax

Thanks a lot - it is working now ;) With 5 lines I did a lot of work :)

On 7/16/2004, "Frans Gidlöf" wrote:
> Your shell interprets the ()'s, escape them with a \ like
> ipfw add 50 count all from table\(1\) to me in
>
> On Jul 14, 2004, at 5:45 PM, Evgeny Ivanov wrote:
>
>> Can you please tell me what is wrong with my syntax?
>>
>> ns# ipfw table 1 list
>> 212.116.151.30/32 0
>> ns# ipfw add 50 count all from table(1) to me in
>> Badly placed ()'s.
>> ns#
>>
>> Regards
>> Evgeny Ivanov

From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 16 14:35:39 2004
From: Evgeny Ivanov
To: freebsd-ipfw@freebsd.org
Date: Fri, 16 Jul 2004 17:35:26 +0300 (EEST)
Message-Id: <200407161435.i6GEZQs1019907@ns.networkersbg.com>
Subject: IPFW2 tables

Working great. Are there any limitations using tables? Let's say I do something like this:

ipfw add all from table(1) to 192.186.0.2 out via fxp1
ipfw add all from any to 192.186.0.2 out via fxp1
ipfw add all from table(1) to 192.186.0.3 out via fxp1
ipfw add all from any to 192.186.0.4 out via fxp1

and multiply it for about 200 users. Would there be a problem?

Regards
Evgeny Ivanov
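The two table threads above boil down to one shell problem (an unquoted `table(1)` is parsed by the shell, not by ipfw) and one design question (200 users times a handful of servers written out as individual rules). The script below is an added example, not code from any of the posters: it reproduces the shell error without touching ipfw, then loads a list of addresses into a table and emits one rule per server that references the table, which is the shape the last message is reaching for. The client addresses, table number 1, interface fxp1 and the two server addresses are constructed sample values. The ipfw commands are only printed unless APPLY=1 is set, so it can be run and reviewed on any host.

```shell
#!/bin/sh
# Added example for the ipfw2 table threads; not code from the thread.
# Shows (1) why "table(N)" must be quoted when ipfw is run from a shell and
# (2) loading per-user addresses into a table and writing one rule per
# server instead of one rule per (user, server) pair.
# Sample addresses, table number, interface and servers are constructed.

# fw: run ipfw, or print the command line when APPLY is unset (dry run).
# Every "table(N)" argument reaches this function already quoted, so the
# shell never sees a bare "(".
fw() {
    if [ "${APPLY:-0}" = 1 ]; then
        ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

# shell_rejects_bare_parens: true (exit 0) when the shell refuses an unquoted
# "table(1)" argument. This is the "syntax error near unexpected token `('"
# from the thread, reproduced with a plain printf instead of ipfw.
shell_rejects_bare_parens() {
    ! sh -c 'printf "%s\n" table(1)' >/dev/null 2>&1
}

# load_table NUM < addresses: flush table NUM and add one entry per input
# line. Empty lines and lines starting with "#" are skipped. A line is
# "addr[/prefix] [value]" exactly as "ipfw table NUM add" accepts it.
load_table() {
    num=$1
    fw table "$num" flush
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        # $line is deliberately unquoted so "addr value" splits into two words
        fw table "$num" add $line
    done
}

# server_rules RULENO TABLENUM IFACE SERVER...: emit one allow rule per
# server, matching sources from the table; rule numbers step by 10. The
# table lookup replaces the per-user rules, so adding a user is a table
# entry, not a new rule per server.
server_rules() {
    rn=$1; tbl=$2; ifc=$3; shift 3
    for srv in "$@"; do
        fw add "$rn" allow all from "table($tbl)" to "$srv" out via "$ifc"
        rn=$((rn + 10))
    done
}

# Constructed sample input: four client addresses (RFC 5737 documentation
# space) and, below, two servers behind fxp1. Not taken from the thread.
SAMPLE_CLIENTS='# clients allowed to reach the servers
192.0.2.10
192.0.2.11
192.0.2.12
198.51.100.7/32'

# Dry run by default: prints the ipfw commands that APPLY=1 would execute.
if shell_rejects_bare_parens; then
    echo "# note: this shell rejects an unquoted table(1); keep it quoted" >&2
fi
printf '%s\n' "$SAMPLE_CLIENTS" | load_table 1
server_rules 100 1 fxp1 192.0.2.200 192.0.2.201
```

Run it as is to see the command list; run it with `APPLY=1` on the firewall to execute the commands. Quoting with double quotes inside a script, single quotes at an interactive prompt, or backslashes as Frans Gidlöf suggested are all equivalent; the only requirement is that the parentheses arrive at ipfw intact. With the table loaded, the rule count depends on the number of servers, not on the number of users, and each packet does one table lookup per rule instead of walking a rule per user.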