From: Roman Kurakin <rik@inse.ru>
Date: Mon, 22 Sep 2008 18:11:35 +0400
To: Pawel Jakub Dawidek
Cc: Max Laier, freebsd-net@freebsd.org
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <48D7A797.6070009@inse.ru>
In-Reply-To: <20080922134830.GA6797@garage.freebsd.pl>
References: <20080919075633.GA4333@garage.freebsd.pl> <20080919121602.GC4333@garage.freebsd.pl> <200809191538.02698.max@love2party.net> <20080922102209.GB2468@garage.freebsd.pl> <48D79E1C.3060003@inse.ru> <20080922134830.GA6797@garage.freebsd.pl>
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Mon, 22 Sep 2008 14:11:34 -0000

Pawel Jakub Dawidek wrote:
> On Mon, Sep 22, 2008 at 05:31:08PM +0400, Roman Kurakin wrote:
>
>> So, could you draw your connections and related firewall rules. And the
>> one you are trying to setup. I will also try to update the machine to the
>> most recent 7 to see if my setup will stop working. Currently the machine
>> runs an early September checkout.
>
> client (10.0.1.1) -----> bridge (10.0.5.123) -----> server (10.0.0.2)
>
> ifnet = "bridge0"
> rdr on $ifnet proto tcp from any to any port 12345 -> 10.0.5.123 port 12345
> rdr on $ifnet proto udp from any to any port 12345 -> 10.0.5.123 port 12345

Try also to play with the stateful switches for pf. By the way, do you have any global that affects defaults?

> net.inet.ip.forwarding=1
>
> To test my redirection I run:
>
> server# nc -u -l 12345
> client# nc -u 10.0.0.2 12345
>
> For UDP it works, for TCP it doesn't:
>
> server# nc -l 12345
> client# nc 10.0.0.2 12345
>
> Although it works even with bridge0 and TCP connections, but when the bridge
> machine is treated as a gateway, e.g.
>
> server# nc -l 12345
> client# route add 1.0.0.0/24 10.0.5.123
> client# nc 10.0.0.2 12345

And what about the ipfw variant?

rik

>> PS. Also check the MAC address issue that was discussed here (the case where
>> bridge0 and the first bridge member share the same MAC).
>
> That's not the case on my test machines.