From owner-freebsd-net@FreeBSD.ORG  Mon Sep 22 14:24:52 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id E01911065689
	for <freebsd-net@freebsd.org>; Mon, 22 Sep 2008 14:24:52 +0000 (UTC)
	(envelope-from pjd@garage.freebsd.pl)
Received: from mail.garage.freebsd.pl (chello087206045082.chello.pl
	[87.206.45.82]) by mx1.freebsd.org (Postfix) with ESMTP id 2A27B8FC19
	for <freebsd-net@freebsd.org>; Mon, 22 Sep 2008 14:24:52 +0000 (UTC)
	(envelope-from pjd@garage.freebsd.pl)
Received: by mail.garage.freebsd.pl (Postfix, from userid 65534)
	id 4077945CA6; Mon, 22 Sep 2008 16:24:50 +0200 (CEST)
Received: from localhost (pjd.wheel.pl [10.0.1.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.garage.freebsd.pl (Postfix) with ESMTP id F1CF145CA0;
	Mon, 22 Sep 2008 16:24:43 +0200 (CEST)
Date: Mon, 22 Sep 2008 16:24:52 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Roman Kurakin <rik@inse.ru>
Message-ID: <20080922142452.GC6797@garage.freebsd.pl>
References: <20080919075633.GA4333@garage.freebsd.pl>
	<20080919121602.GC4333@garage.freebsd.pl>
	<200809191538.02698.max@love2party.net>
	<20080922102209.GB2468@garage.freebsd.pl>
	<48D79E1C.3060003@inse.ru>
	<20080922134830.GA6797@garage.freebsd.pl>
	<48D7A797.6070009@inse.ru>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="rQ2U398070+RC21q"
Content-Disposition: inline
In-Reply-To: <48D7A797.6070009@inse.ru>
User-Agent: Mutt/1.4.2.3i
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
X-OS: FreeBSD 8.0-CURRENT i386
X-Spam-Checker-Version: SpamAssassin 3.0.4 (2005-06-05) on 
	mail.garage.freebsd.pl
X-Spam-Level: 
X-Spam-Status: No, score=-5.9 required=3.0 tests=ALL_TRUSTED,BAYES_00 
	autolearn=ham version=3.0.4
Cc: Max Laier <max@love2party.net>, freebsd-net@freebsd.org
Subject: Re: Firewall redirect doesn't work any more...
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Sep 2008 14:24:53 -0000


On Mon, Sep 22, 2008 at 06:11:35PM +0400, Roman Kurakin wrote:
> Pawel Jakub Dawidek wrote:
> >On Mon, Sep 22, 2008 at 05:31:08PM +0400, Roman Kurakin wrote:
> >
> >>So, could you draw your connections and related firewall rules. And the
> >>one you
> >>are trying to set up. I will also try to update the machine to the most
> >>recent 7 to
> >>see if my setup will stop working. Currently machine runs early
> >>September checkout.
> >>
> >
> >client (10.0.1.1) -----> bridge (10.0.5.123) -----> server (10.0.0.2)
> >
> >ifnet = "bridge0"
> >rdr on $ifnet proto tcp from any to any port 12345 -> 10.0.5.123 port 12345
> >rdr on $ifnet proto udp from any to any port 12345 -> 10.0.5.123 port 12345
> >
> Try also to play with stateful switches for pf. [...]

Adding the following made even UDP non-working:

pass in on $ifnet proto udp from any to any keep state

For TCP there was no difference.

> [...] By the way do you have
> any global that affects
> defaults?

Besides net.inet.ip.forwarding=1, no, although I tried various
settings for net.link.bridge.*.

> >Although it works even with bridge0 and TCP connections, but when bridge
> >machine is treated as gateway, eg.
> >
> >server# nc -l 12345
> >client# route add 1.0.0.0/24 10.0.5.123
> >client# nc 10.0.0.2 12345
> >
> And what about ipfw variant?

For the first (bridge) case ipfw didn't work at all. No packets were
redirected.  I haven't tried for the gateway case, because pf works
there.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!

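An added pf.conf example, not from this thread or from either poster, showing the rdr rules quoted above together with the filter rules the redirected traffic still needs. The point it illustrates: pf applies rdr before the filter rules, so a pass rule has to match the translated destination (10.0.5.123 port 12345), not the original one, and with a stateful pass rule the state entry created on bridge0 is what carries the UDP replies back, since UDP has no handshake to match on. The addresses and interface name reuse the mail's diagram; the block-all policy, the macros, and the sysctl values in the comments are assumptions for this example.

```pf
# Added example (not the thread's own configuration). Addresses follow the
# diagram in the mail; everything else is an assumption for illustration.
#
# Assumed /etc/sysctl.conf entries for the two cases discussed:
#   net.inet.ip.forwarding=1       # bridge host used as gateway (from the mail)
#   net.link.bridge.pfil_bridge=1  # run pf on bridge0 itself
#   net.link.bridge.pfil_member=0  # ...and not a second time on each member,
#                                  # so a packet is translated only once

ifnet    = "bridge0"
rdr_host = "10.0.5.123"
rdr_port = "12345"

# Translation happens first. After these rules, a packet for port 12345
# arriving on bridge0 has destination $rdr_host when the filter runs.
rdr on $ifnet proto tcp from any to any port $rdr_port -> $rdr_host port $rdr_port
rdr on $ifnet proto udp from any to any port $rdr_port -> $rdr_host port $rdr_port

# Default deny. Without a block policy a bare rdr rule appears to "work"
# only because nothing is being filtered; the rules below are what the
# redirected traffic actually needs once filtering is on.
block log all

# Match the TRANSLATED destination. "from any to any port 12345" without the
# host would also match, but "to 10.0.0.2 port 12345" (the address the client
# typed) would not, because pf never sees that destination here.
pass in quick on $ifnet proto tcp from any to $rdr_host port $rdr_port flags S/SA keep state
pass in quick on $ifnet proto udp from any to $rdr_host port $rdr_port keep state

# Locally originated traffic from the bridge host; replies to the states
# created above are matched by those states, not by this rule.
pass out on $ifnet keep state
```

Checks a practitioner would run while debugging a "no packets were redirected" report: `pfctl -nf /etc/pf.conf` to syntax-check before loading, `pfctl -sn` and `pfctl -sr` to confirm the translation and filter rules pf actually loaded (and that $ifnet expanded to bridge0), `pfctl -ss` to see whether a state was created for the translated destination, and `pfctl -si` or `pfctl -vsr` to see whether the block rule's counters, rather than the pass rules', are the ones increasing.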