Date: Sat, 30 Jul 2005 22:47:58 -0300
From: "Giovanni P. Tirloni" <gpt@tirloni.org>
To: Abu Khaled <khaled.abu@gmail.com>
Cc: pf@freebsd.org
Subject: Re: rdr not working for transparent http - 5.4-stable
Message-ID: <42EC2DCE.4090009@tirloni.org>
In-Reply-To: <a64c109e050730155021f6551d@mail.gmail.com>
References: <42E8D3D5.4030300@tirloni.org>
 <200507281458.56534.max@love2party.net>
 <42E8DBC6.6060907@tirloni.org>
 <42EB7A2A.3080701@tirloni.org>
 <a64c109e050730155021f6551d@mail.gmail.com>

Abu Khaled wrote:
> On 7/30/05, Giovanni P. Tirloni <gpt@tirloni.org> wrote:
>
>>Giovanni P. Tirloni wrote:
>>
>>>Max Laier wrote:
>>>
>>>
>>>>One thing comes to my mind: What does
>>>> $sysctl net.inet.ip.forwarding
>>>>say?
>>>
>>>
>>># sysctl net.inet.ip.forwarding
>>>net.inet.ip.forwarding: 1
>>>
>>>I had some tweaks in /etc/sysctl but disabling them didn't help either.
>>>
>>>#net.inet.ip.check_interface=1
>>>#net.inet.tcp.blackhole=2
>>>#net.inet.udp.blackhole=1
>>>
>>
>> I forgot to mention this box had ipfw+dummynet (with two queues)
>>activated. I disabled ipfw in the kernel and pf rdr worked again! Just
>>removing the ipfw rules didn't work.
>>
>> Weird enough, I don't have dummynet on the other 2 machines that have
>>the same problem. But ipfw is compiled in but disabled.
>>
>> I'll try to disable ipfw on the other boxes and see what happens there
>>to confirm this.
>
>
> If ipfw is compiled in the kernel and it defaults to deny all, then
> you need to add rules for ipfw to allow connections to and from
> localhost (127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr
> traffic'.
>
> # ipfw add allow tcp from $lan_net to 127.0.0.1 3128
> # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net
>
> Put the rules before any anti spoofing rules in ipfw.
>

I think there's something in the code that makes it not work because I
set ipfw to accept by default on every machine I have. There must be
something else.

-- 
Giovanni P. Tirloni / gpt@tirloni.org / PGP: 0xD0315C26

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?42EC2DCE.4090009>