Date: Sat, 3 Mar 2001 21:19:58 -0500
From: Chris Johnson <cjohnson@palomine.net>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: stable@FreeBSD.ORG
Subject: Re: Did ipfw fwd just break?
Message-ID: <20010303211958.A50525@palomine.net>
In-Reply-To: <200103040211.SAA24825@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Sat, Mar 03, 2001 at 06:11:58PM -0800
References: <20010303203733.A49750@palomine.net> <200103040211.SAA24825@salsa.gv.tsc.tdk.com>
On Sat, Mar 03, 2001 at 06:11:58PM -0800, Don Lewis wrote:
> On Mar 3, 8:37pm, Chris Johnson wrote:
> } Subject: Did ipfw fwd just break?
> }
> } For a long time I've been running a transparent SMTP proxy on my firewall,
> } using this rule:
> }
> } ipfw fwd 127.0.0.1 tcp from any to any 25 in recv fxp0
> }
> } It's always worked just as I expected.
> }
> } I updated my system today (the previous update was on February 12), and now,
> } even though "ipfw show" indicates that the above rule is matching, the
> } connection goes right through to its original destination (i.e. it's not
> } forwarded to 127.0.0.1) just as if the rule weren't there. Just prior to
> } rebooting the newly updated system, the SMTP connections were forwarded to
> } 127.0.0.1, exactly according to plan.
>
> I can believe that it got broken by some changes to ip_input.c in the
> last few days that were intended to prevent outsiders from connecting
> to sockets bound to the loopback interface or an interface on the
> far side of the host that the administrator hoped were private.
>
> If you have rev 1.130.2.17 of ip_input.c, you should be able to disable
> this check by setting the sysctl variable net.inet.ip.check_interface to
> 0.

Thanks! That's just the ticket.

Now, is it possible to protect myself from whatever evil check_interface is supposed to protect me from, while still doing my transparent proxying? Or do I have to choose one or the other?

Chris