Date: Sat, 3 Mar 2001 21:19:58 -0500
From: Chris Johnson <cjohnson@palomine.net>
To: Don Lewis <Don.Lewis@tsc.tdk.com>
Cc: stable@FreeBSD.ORG
Subject: Re: Did ipfw fwd just break?
Message-ID: <20010303211958.A50525@palomine.net>
In-Reply-To: <200103040211.SAA24825@salsa.gv.tsc.tdk.com>; from Don.Lewis@tsc.tdk.com on Sat, Mar 03, 2001 at 06:11:58PM -0800
References: <20010303203733.A49750@palomine.net> <200103040211.SAA24825@salsa.gv.tsc.tdk.com>
On Sat, Mar 03, 2001 at 06:11:58PM -0800, Don Lewis wrote:
> On Mar 3, 8:37pm, Chris Johnson wrote:
> } Subject: Did ipfw fwd just break?
> }
> } For a long time I've been running a transparent SMTP proxy on my firewall,
> } using this rule:
> }
> } ipfw fwd 127.0.0.1 tcp from any to any 25 in recv fxp0
> }
> } It's always worked just as I expected.
> }
> } I updated my system today (the previous update was on February 12), and now,
> } even though "ipfw show" indicates that the above rule is matching, the
> } connection goes right through to its original destination (i.e. it's not
> } forwarded to 127.0.0.1) just as if the rule weren't there. Just prior to
> } rebooting the newly updated system, the SMTP connections were forwarded to
> } 127.0.0.1, exactly according to plan.
>
> I can believe that it got broken by some changes to ip_input.c in the
> last few days that were intended to prevent outsiders from connecting
> to sockets bound to the loopback interface or an interface on the
> far side of the host that the administrator hoped were private.
>
> If you have rev 1.130.2.17 of ip_input.c, you should be able to disable
> this check by setting the sysctl variable net.inet.ip.check_interface to
> 0.

Thanks! That's just the ticket.

Now, is it possible to protect myself from whatever evil check_interface is
supposed to protect me from, while still doing my transparent proxying? Or do I
have to choose one or the other?

Chris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6oaZNyeUEMvtGLWERAgTPAKD8oQHjAc1dui61zxKoPXk1Ch43/gCfXauz
QdzxECOL0fBIVu6Lyk/W3yU=
=sCqT
-----END PGP SIGNATURE-----
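An added diagnostic for the situation in this thread (example code written for this page, not something either correspondent posted). It reads `ipfw show` output to confirm that the `fwd 127.0.0.1` rule is actually matching packets, and reads the `net.inet.ip.check_interface` sysctl value to say whether the kernel check Don Lewis describes is the reason a matching rule no longer redirects the connection. Both parsers take their input from stdin, so the script runs offline on a constructed `ipfw show` sample; the sample rule numbers and counters are made up.

```sh
#!/bin/sh
# Added example (not from the thread). Two checks an admin wants when a
# transparent-proxy rule stops taking effect after an update:
#   1. is the `ipfw fwd` rule still matching packets (non-zero packet counter)?
#   2. is net.inet.ip.check_interface enabled, so that a matching fwd to
#      127.0.0.1 no longer redirects the connection (as described in the thread)?
# On a FreeBSD host pipe real `ipfw show` and `sysctl -n net.inet.ip.check_interface`
# output into these functions; the sample below is constructed for offline use.

# Constructed `ipfw show` output (columns: rule number, packets, bytes, rule body).
SAMPLE_IPFW_SHOW='00100 12 1456 fwd 127.0.0.1 tcp from any to any 25 in recv fxp0
00200 3418 2109944 allow ip from any to any
65535 0 0 deny ip from any to any'

# fwd_rule_hits: print the packet counter of the first rule on stdin that
# forwards to the given address (default 127.0.0.1); prints nothing if absent.
fwd_rule_hits() {
    awk -v target="${1:-127.0.0.1}" '$4 == "fwd" && $5 == target { print $2; exit }'
}

# check_interface_state: turn the sysctl value read from stdin into a verdict.
# 1 means the ip_input.c check is active (connections to loopback-bound sockets
# from other interfaces are rejected, and the fwd rule stops redirecting);
# 0 disables the check and restores forwarding, at the cost of that protection.
check_interface_state() {
    read -r value
    case "$value" in
        0) echo "disabled: fwd to 127.0.0.1 works, but loopback-bound sockets are reachable from other interfaces" ;;
        1) echo "enabled: a matching fwd to 127.0.0.1 no longer redirects the connection" ;;
        *) echo "unknown value: $value" ;;
    esac
}

# audit: combine both checks into one verdict. Arguments are the ipfw output
# and the sysctl value as strings so the function can be exercised offline.
audit() {
    hits=$(printf '%s\n' "$1" | fwd_rule_hits)
    state=$(printf '%s\n' "$2" | check_interface_state)
    if [ -z "$hits" ]; then
        echo "no fwd rule to 127.0.0.1 loaded"
    elif [ "$hits" -gt 0 ] && [ "$2" = "1" ]; then
        echo "rule matched $hits packets but check_interface is $state"
    else
        echo "rule matched $hits packets; check_interface $state"
    fi
}

# Stand-alone run reproducing the symptom in the thread: the rule matches, yet
# check_interface is 1. On a live system replace the two arguments with
#   "$(ipfw show)" "$(sysctl -n net.inet.ip.check_interface)"
audit "$SAMPLE_IPFW_SHOW" 1
```

The point of separating the two checks is that "the rule is matching" (which `ipfw show` reports) and "the connection is being redirected" are different questions once the interface check is in the kernel; a non-zero counter with `check_interface=1` is exactly the combination that looks like a broken rule but is not one.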
