Date: Mon, 22 Sep 2008 15:48:30 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Roman Kurakin
Cc: Max Laier, freebsd-net@freebsd.org
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <20080922134830.GA6797@garage.freebsd.pl>
In-Reply-To: <48D79E1C.3060003@inse.ru>
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net@freebsd.org>

On Mon, Sep 22, 2008 at 05:31:08PM +0400, Roman Kurakin wrote:
> So, could you draw your connections and related firewall rules, and the
> one you are trying to set up. I will also try to update the machine to the
> most recent 7 to see if my setup will stop working. Currently the machine
> runs an early September checkout.

client (10.0.1.1) -----> bridge (10.0.5.123) -----> server (10.0.0.2)

ifnet = "bridge0"
rdr on $ifnet proto tcp from any to any port 12345 -> 10.0.5.123 port 12345
rdr on $ifnet proto udp from any to any port 12345 -> 10.0.5.123 port 12345

net.inet.ip.forwarding=1

To test my redirection I run:

server# nc -u -l 12345
client# nc -u 10.0.0.2 12345

For UDP it works, for TCP it doesn't:

server# nc -l 12345
client# nc 10.0.0.2 12345

Although it does work, even with bridge0 and TCP connections, when the bridge machine is treated as a gateway, e.g.:

server# nc -l 12345
client# route add 1.0.0.0/24 10.0.5.123
client# nc 10.0.0.2 12345

> PS. Also check the MAC address issue that was discussed here (the case where
> bridge0 and the first bridge member share the same MAC).

That's not the case on my test machines.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!