From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 20 11:06:53 2008
Date: Mon, 20 Oct 2008 11:06:52 GMT
Message-Id: <200810201106.m9KB6qgd082691@freefall.freebsd.org>
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org
List-Id: IPFW Technical Discussions
Precedence: list

Note: to view an individual PR, use:
  http://www.freebsd.org/cgi/query-pr.cgi?pr=(number).

The following is a listing of current problems submitted by FreeBSD users.
These represent problem reports covering all versions including
experimental development code and obsolete releases.

S Tracker      Resp.      Description
--------------------------------------------------------------------------------
o kern/127230  ipfw       [ipfw] [patch] Feature request to add UID and/or GID l
o kern/127209  ipfw       [ipfw] IPFW table become corrupted after many changes
o bin/125370   ipfw       [ipfw] [patch] increase a line buffer limit
o conf/123119  ipfw       [patch] rc script for ipfw does not handle IPv6
o kern/122963  ipfw       [ipfw] tcpdump does not show packets redirected by 'ip
s kern/121807  ipfw       [request] TCP and UDP port_table in ipfw
o kern/121382  ipfw       [dummynet]: 6.3-RELEASE-p1 page fault in dummynet (cor
o kern/121122  ipfw       [ipfw] [patch] add support to ToS IP PRECEDENCE fields
o kern/118993  ipfw       [ipfw] page fault - probably it's a locking problem
o kern/117234  ipfw       [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s
o kern/116009  ipfw       [ipfw] [patch] Ignore errors when loading ruleset from
p kern/115755  ipfw       [ipfw][patch] unify message and add a rule number wher
o bin/115172   ipfw       [patch] ipfw(8) list show some rules with a wrong form
o docs/113803  ipfw       [patch] ipfw(8) - don't get bitten by the fwd rule
p kern/113388  ipfw       [ipfw][patch] Addition actions with rules within speci
o kern/112708  ipfw       [ipfw] ipfw is seems to be broken to limit number of c
o kern/112561  ipfw       [ipfw] ipfw fwd does not work with some TCP packets
o kern/107305  ipfw       [ipfw] ipfw fwd doesn't seem to work
o kern/105330  ipfw       [ipfw] [patch] ipfw (dummynet) does not allow to set q
o bin/104921   ipfw       [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/104682  ipfw       [ipfw] [patch] Some minor language consistency fixes a
o kern/103454  ipfw       [ipfw] [patch] [request] add a facility to modify DF b
o kern/103328  ipfw       [ipfw] [request] sugestions about ipfw table
o kern/102471  ipfw       [ipfw] [patch] add tos and dscp support
o kern/98831   ipfw       [ipfw] ipfw has UDP hickups
o kern/97951   ipfw       [ipfw] [patch] ipfw does not tie interface details to
o kern/97504   ipfw       [ipfw] IPFW Rules bug
o kern/95084   ipfw       [ipfw] [regression] [patch] IPFW2 ignores "recv/xmit/v
o kern/93300   ipfw       [ipfw] ipfw pipe lost packets
o kern/91847   ipfw       [ipfw] ipfw with vlanX as the device
o kern/88659   ipfw       [modules] ipfw and ip6fw do not work properly as modul
o kern/87032   ipfw       [ipfw] [patch] ipfw ioctl interface implementation
o kern/86957   ipfw       [ipfw] [patch] ipfw mac logging
o kern/82724   ipfw       [ipfw] [patch] [request] Add setnexthop and defaultrou
s kern/80642   ipfw       [ipfw] [patch] ipfw small patch - new RULE OPTION
o bin/78785    ipfw       [patch] ipfw(8) verbosity locks machine if /etc/rc.fir
o kern/74104   ipfw       [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/73910   ipfw       [ipfw] serious bug on forwarding of packets after NAT
o kern/72987   ipfw       [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/71366   ipfw       [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/69963   ipfw       [ipfw] install_state warning about already existing en
o kern/60719   ipfw       [ipfw] Headerless fragments generate cryptic error mes
o kern/55984   ipfw       [ipfw] [patch] time based firewalling support for ipfw
o kern/51274   ipfw       [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/48172   ipfw       [ipfw] [patch] ipfw does not log size and flags
o kern/46159   ipfw       [ipfw] [patch] [request] ipfw dynamic rules lifetime f
a kern/26534   ipfw       [ipfw] Add an option to ipfw to log gid/uid of who cau

47 problems total.
From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 20 21:41:42 2008
Message-ID: <48FCF4D2.4080103@gmx.net>
Date: Mon, 20 Oct 2008 23:14:58 +0200
From: "Leander S."
Organization: Privat
To: freebsd-ipfw@freebsd.org
Subject: IPFW + Portforwarding

Hi,

I'm trying to set up something like a HotSpot. The goal is to force
unregistered users to get redirected to the Captive Portal site where
they'll be able to agree to my licence terms and get some information ...
etc. ...

So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic
to another port, i.e. 8080, where my Apache will already be waiting to
serve the Captive Portal site back to the request.

So I did read the man and saw something like the fwd rule and the kernel
option for it - so I added the option - recompiled the kernel and gave my
firewall the following fwd rule in an extra script:

  ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,443,8080 in via ${LAN_if}
  ^^

But it's sadly not working .... so here is my whole firewall script.
Btw. my IPFW is compiled as default deny into the kernel.

The script:
____________________________________________________________________________
#!/bin/sh

# Pull in rc.conf the same way /etc/rc.firewall does.
if [ -z "${source_rc_confs_defined}" ]; then
    if [ -r /etc/defaults/rc.conf ]; then
        . /etc/defaults/rc.conf
        source_rc_confs
    elif [ -r /etc/rc.conf ]; then
        . /etc/rc.conf
    fi
fi

#############################
#### Global variables: ######
#############################
WAN_if="msk0"
WAN_IP="10.1.10.50"
WAN_net="255.0.0.0"
WAN="10.0.0.0/8"

LAN_if="ath0"
LAN_IP="192.1.1.1"
LAN_net="255.255.255.0"
LAN="192.1.1.0/24"

fwcmd="/sbin/ipfw -q"

#############################
########## Start: ###########
#############################

### Firewall reset ###
${fwcmd} -f flush

### Localhost ###
${fwcmd} add 00100 allow all from any to any via lo0
${fwcmd} add 00200 deny all from any to 127.0.0.0/8
${fwcmd} add 00300 deny all from 127.0.0.0/8 to any

### WAN configuration ###
# Note: rule 00400 matches every packet in or out on ${WAN_if}, so the two
# divert rules after it are never reached.
${fwcmd} add 00400 allow all from any to any via ${WAN_if}
${fwcmd} add 00500 divert natd all from any to any in via ${WAN_if}
${fwcmd} add 00600 divert natd all from any to any out via ${WAN_if}

### LAN configuration ###
### Ping (echo reply / echo request inside the LAN)
${fwcmd} add 00700 allow icmp from ${LAN} to ${LAN} icmptypes 0,8

### Open ports (ssh, pptp, portal) on the LAN address
${fwcmd} add 00800 allow tcp from any to ${LAN_IP} 22 in via ${LAN_if}
${fwcmd} add 00900 allow tcp from any to ${LAN_IP} 1723 in via ${LAN_if}
${fwcmd} add 01000 allow tcp from any to ${LAN_IP} 8080 in via ${LAN_if}

### Portal site - forwarding:
# Web traffic from the LAN is handed to the portal on ${LAN_IP}:8080.
${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,8080,443 in via ${LAN_if}

### Packet detour (everything leaving towards the LAN)
${fwcmd} add 01200 allow all from any to any out via ${LAN_if}
____________________________________________________________________________

Every positive type of help will be very much appreciated!!!

Thanks,
Leander

P.S. Additionally: this is my first firewall script - so if this seems
too ugly to you - feel free to give me some newbie tips and tricks! ;)
THX

[attachment rc.firewall_extension: a copy of the script above]

From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 20 21:43:16 2008
Message-ID: <48FCF5DA.5060802@googlemail.com>
Date: Mon, 20 Oct 2008 23:19:22 +0200
From: "Leander S."
Organization: Privat
To: freebsd-ipfw@freebsd.org
Subject: IPFW + Portforwarding

(body identical to the message above)

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 21 04:03:53 2008
Message-ID: <20081021040349.GA29232@zibbi.meraka.csir.co.za>
Date: Tue, 21 Oct 2008 06:03:49 +0200
From: John Hay
To: "Leander S."
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <48FCF5DA.5060802@googlemail.com>
Subject: Re: IPFW + Portforwarding

On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
> Hi,
>
> I'm trying to set up something like a HotSpot. The goal is to force
> unregistered users to get redirected to the Captive Portal site where
> they'll be able to agree to my licence terms and get some information ...
> etc. ...
>
> So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic
> to another port, i.e. 8080, where my Apache will already be waiting to
> serve the Captive Portal site back to the request.
>
> So I did read the man and saw something like the fwd rule and the kernel
> option for it - so I added the option - recompiled the kernel and gave my
> firewall the following fwd rule in an extra script:
>
> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
> 80,443,8080 in via ${LAN_if}

You have to catch it where it is going out and not in. Fwd only works
when packets are out bound.

John
--
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 21 04:46:50 2008
Message-ID: <48FD5ED0.2030909@localhost.inse.ru>
Date: Tue, 21 Oct 2008 08:47:12 +0400
From: Roman Kurakin
To: John Hay
Cc: "Leander S.", freebsd-ipfw@freebsd.org
In-Reply-To: <20081021040349.GA29232@zibbi.meraka.csir.co.za>
Subject: Re: IPFW + Portforwarding

John Hay wrote:
> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>
>> Hi,
>>
>> I'm trying to set up something like a HotSpot. The goal is to force
>> unregistered users to get redirected to the Captive Portal site where
>> they'll be able to agree to my licence terms and get some information ...
>> etc. ...
>>
>> So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic
>> to another port, i.e. 8080, where my Apache will already be waiting to
>> serve the Captive Portal site back to the request.
>>
>> So I did read the man and saw something like the fwd rule and the kernel
>> option for it - so I added the option - recompiled the kernel and gave my
>> firewall the following fwd rule in an extra script:
>>
>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>> 80,443,8080 in via ${LAN_if}
>>
Try to make the rule stateful, e.g. add 'setup keep-state'. Also add some
logging in the rule and add one additional deny with logging as the last rule.
> You have to catch it where it is going out and not in. Fwd only works
> when packets are out bound.
>
But how does this work for me?
ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state

rik
> John
>

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 21 06:10:10 2008
Message-ID: <20081021061005.GA34936@zibbi.meraka.csir.co.za>
Date: Tue, 21 Oct 2008 08:10:05 +0200
From: John Hay
To: Roman Kurakin
Cc: "Leander S.", freebsd-ipfw@freebsd.org
In-Reply-To: <48FD5ED0.2030909@localhost.inse.ru>
Subject: Re: IPFW + Portforwarding

On Tue, Oct 21, 2008 at 08:47:12AM +0400, Roman Kurakin wrote:
> John Hay wrote:
> >On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
> >
> >>Hi,
> >>
> >>I'm trying to set up something like a HotSpot. The goal is to force
> >>unregistered users to get redirected to the Captive Portal site where
> >>they'll be able to agree to my licence terms and get some information ...
> >>etc. ...
> >>
> >>So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic
> >>to another port, i.e. 8080, where my Apache will already be waiting to
> >>serve the Captive Portal site back to the request.
> >>
> >>So I did read the man and saw something like the fwd rule and the kernel
> >>option for it - so I added the option - recompiled the kernel and gave my
> >>firewall the following fwd rule in an extra script:
> >>
> >> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
> >>80,443,8080 in via ${LAN_if}
> >>
> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add some
> logging in the rule
> and add one additional deny with logging as the last rule.

Adding logging is a good idea. Does keep-state work with fwd? I did not
know that. I just assumed that it would not.

> >You have to catch it where it is going out and not in. Fwd only works
> >when packets are out bound.
> >
> But how does this work for me?
>
> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 to
> 172.22.4.254 dst-port 3128 setup in via vr0 keep-state

I don't know. I did not think it would work. The way I understand it
is that fwd is a little like routing: it does not change the IP
packet, so in effect it only changes the MAC address of the next hop
and the interface, if needed.

One other thing that might be a problem is if ipfw was just loaded as a
module and not compiled in. There were reports that fwd does not work
with the module. On all the boxes that I use fwd, ipfw is compiled into
the kernel.

John
--
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 21 10:45:37 2008
Message-Id: <200810211045.m9LAjbk5042026@freefall.freebsd.org>
Date: Tue, 21 Oct 2008 10:45:37 GMT
From: linimon@FreeBSD.org
To: linimon@FreeBSD.org, freebsd-bugs@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: kern/128260: [ipfw] [patch] ipfw_divert damages IPv6 packets

Synopsis: [ipfw] [patch] ipfw_divert damages IPv6 packets

Responsible-Changed-From-To: freebsd-bugs->freebsd-ipfw
Responsible-Changed-By: linimon
Responsible-Changed-When: Tue Oct 21 10:43:36 UTC 2008
Responsible-Changed-Why:
Over to maintainer(s).
http://www.freebsd.org/cgi/query-pr.cgi?pr=128260

From owner-freebsd-ipfw@FreeBSD.ORG Tue Oct 21 11:29:50 2008
Message-ID: <48FDB93E.9030604@FreeBSD.org>
Date: Tue, 21 Oct 2008 15:13:02 +0400
From: Sergey Matveychuk
To: John Hay
Cc: "Leander S.", freebsd-ipfw@freebsd.org, Roman Kurakin
In-Reply-To: <20081021061005.GA34936@zibbi.meraka.csir.co.za>
Subject: Re: IPFW + Portforwarding

John Hay wrote:
> On Tue, Oct 21, 2008 at 08:47:12AM +0400, Roman Kurakin wrote:
>> John Hay wrote:
>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>> You have to catch it where it is going out and not in. Fwd only works
>>> when packets are out bound.
>>>
>> But how does this work for me?
>>
>> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 to
>> 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>
> I don't know. I did not think it would work. The way I understand it
> is that fwd is a little like routing: it does not change the IP
> packet, so in effect it only changes the MAC address of the next hop
> and the interface, if needed.

No. Really it does not matter where a packet was caught. It's marked for
forwarding if it matches a fwd rule.

--
Dixi.
Sem.
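An added example, not code from the thread: the hotspot side of Leander's ruleset rearranged along the advice given above (logging on the fwd rule, a logging deny as the last rule, the portal's own port accepted before the redirect), plus an ipfw table of registered clients so the portal can release a client after it has accepted the terms. The table, the register/unregister functions and their address check are my assumptions; interface names and addresses are the ones from Leander's script, and the WAN/NAT rules are left out. With fwcmd unset the script only prints the rules (dry run); on the firewall it is run with fwcmd="/sbin/ipfw -q".

```shell
#!/bin/sh
# Added example, not code from the thread: captive-portal redirect rules for
# ipfw following the replies' advice (log on the fwd rule, a logging deny last),
# plus an ipfw table of registered clients (my assumption) so the portal can
# release a client once it has accepted the terms.
# Dry run by default: with fwcmd unset every rule is echoed, not loaded.
# On the hotspot box:  fwcmd="/sbin/ipfw -q" sh portal.sh
# Logging needs sysctl net.inet.ip.fw.verbose=1. The WAN/NAT side of the
# original script is left out; only the hotspot interface is covered.

fwcmd="${fwcmd:-echo}"

LAN_if="ath0"          # hotspot interface (Leander's script)
LAN_IP="192.1.1.1"     # this box's hotspot address; Apache listens on it
LAN="192.1.1.0/24"
PORTAL_PORT="8080"     # port Apache serves the portal page on
REG_TABLE="1"          # ipfw table number for registered clients (assumption)

# Dotted-quad IPv4 check. The portal web application hands a client address
# to register_client, so the value must not reach the shell unchecked.
valid_ipv4() {
    case "$1" in
        *.*.*.*) ;;                                   # at least four fields
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9.]*|*.*.*.*.*|*..*|.*|*.) return 1 ;;   # junk, 5+ fields, empty field
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    for o; do
        [ "$o" -le 255 ] || return 1
    done
}

# Release a client: add it to the table the allow rule below looks up.
# Only addresses inside the hotspot /24 are accepted (prefix test, /24 only).
register_client() {
    valid_ipv4 "$1" || return 1
    case "$1" in "${LAN%.0/24}".*) ;; *) return 1 ;; esac
    ${fwcmd} table ${REG_TABLE} add "$1"
}

unregister_client() {
    valid_ipv4 "$1" || return 1
    ${fwcmd} table ${REG_TABLE} delete "$1"
}

portal_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} table ${REG_TABLE} flush

    # Loopback, and no 127/8 on real interfaces.
    ${fwcmd} add 00100 allow ip from any to any via lo0
    ${fwcmd} add 00200 deny ip from any to 127.0.0.0/8
    ${fwcmd} add 00300 deny ip from 127.0.0.0/8 to any

    # Connections to the portal itself are accepted here, before the fwd rule,
    # so they are never redirected a second time.
    ${fwcmd} add 00400 allow tcp from ${LAN} to ${LAN_IP} ${PORTAL_PORT} in via ${LAN_if} setup keep-state

    # Unregistered clients still need DNS, or the browser never sends a request.
    ${fwcmd} add 00500 allow udp from ${LAN} to any 53 in via ${LAN_if} keep-state

    # Registered clients (table entries) get through.
    ${fwcmd} add 00600 allow ip from "table(${REG_TABLE})" to any in via ${LAN_if} keep-state

    # Everyone else: plain HTTP is handed to the local Apache. A fwd to one of
    # this box's own addresses delivers the packet to the local socket without
    # rewriting it, so Apache sees the original destination. Deliberately
    # stateless, like the classic transparent-proxy rule: every packet of the
    # connection, not only the SYN, has to hit it. HTTPS is not redirected:
    # a TLS ClientHello sent to a plain-HTTP listener only yields a browser error.
    ${fwcmd} add 00700 fwd ${LAN_IP},${PORTAL_PORT} log logamount 1000 tcp from ${LAN} to any 80 in via ${LAN_if}

    # Replies from this box back into the hotspot.
    ${fwcmd} add 00800 allow ip from any to ${LAN} out via ${LAN_if}

    # Last rule: the default deny stays, but now with a record of what was dropped.
    ${fwcmd} add 65000 deny log logamount 1000 ip from any to any
}

portal_ruleset
```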