From owner-freebsd-questions@FreeBSD.ORG Thu Feb 8 19:32:41 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
        by hub.freebsd.org (Postfix) with ESMTP id 1FB0416A402;
        Thu, 8 Feb 2007 19:32:41 +0000 (UTC) (envelope-from erik@cepheid.org)
Received: from mail.cepheid.org (wintermute.cepheid.org [64.92.165.98])
        by mx1.freebsd.org (Postfix) with ESMTP id D7A1F13C48D;
        Thu, 8 Feb 2007 19:32:40 +0000 (UTC) (envelope-from erik@cepheid.org)
Received: by mail.cepheid.org (Postfix, from userid 1006) id BA04317129;
        Thu, 8 Feb 2007 13:32:39 -0600 (CST)
Date: Thu, 8 Feb 2007 13:32:39 -0600
From: Erik Osterholm
To: freebsd-questions@freebsd.org
Message-ID: <20070208193239.GA87482@idoru.cepheid.org>
Mail-Followup-To: Erik Osterholm, freebsd-questions@freebsd.org
User-Agent: Mutt/1.4.2.2i
Subject: PF + if_bridge + rdr: rdr to bridge?
List-Id: User questions
X-List-Received-Date: Thu, 08 Feb 2007 19:32:41 -0000

Hi all,

I have a network set up as such:

                  192.168.12.14
    -----       em1---------em0       -----
    | A |-------|     B       |-------| C |
    -----       ---------------       -----
192.168.12.13                     192.168.12.15

B is bridging with if_bridge. C hosts a webserver. A is the client.

I'm trying to selectively redirect connections from A -> C to instead talk to a service listening on B's bridge0. Nothing I try seems to work, though I could have sworn that I'd gotten this working before. Currently, connections simply hang when the rdr rule is in effect. They pass through fine if I remove the rule or disable pf.
pf.conf:
--------
ext_if="em0"
int_if="em1"
bridge_if="bridge0"
local_addr="(bridge0)"

rdr pass on $int_if proto tcp from any to any port 80 -> $local_addr port 80

pass in all
pass out all

output of ifconfig:
-------------------
em0: flags=8943 mtu 1500
        options=8
        ether 00:30:48:43:7d:f8
        media: Ethernet autoselect (1000baseTX )
        status: active
em1: flags=8943 mtu 1500
        options=8
        ether 00:30:48:43:7d:f9
        media: Ethernet autoselect (1000baseTX )
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet6 ::1 prefixlen 128
        inet 127.0.0.1 netmask 0xff000000
bridge0: flags=8843 mtu 1500
        inet 192.168.12.14 netmask 0xffffff00 broadcast 192.168.12.255
        ether ce:ea:e5:cd:48:bb
        priority 32768 hellotime 2 fwddelay 15 maxage 20
        member: em1 flags=3
        member: em0 flags=3

rc.conf:
--------
usbd_enable="YES"
sendmail="NONE"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 192.168.12.14 addm em0 addm em1 up"
ifconfig_em0="up"
ifconfig_em1="up"
pf_enable="YES"

And I'll attach my dmesg.

Does anyone have any ideas or suggestions?

Thanks,
Erik

[Attachment: dmesg]

Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-RELEASE #0: Fri Jan 12 10:40:27 UTC 2007
    root@dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC
ACPI APIC Table:
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Celeron(R) CPU 2.00GHz (2000.35-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0xf29  Stepping = 9
  Features=0xbfebfbff
  Features2=0x4400
real memory  = 528416768 (503 MB)
avail memory = 507670528 (484 MB)
ioapic0 irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: on acpi0
acpi_button0: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
agp0: mem 0xe0000000-0xe7ffffff,0xec100000-0xec17ffff irq 16 at device 2.0 on pci0
agp0: detected 8060k stolen memory
agp0: aperture size is 128M
uhci0: port 0xb800-0xb81f irq 16 at device 29.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: port 0xb000-0xb01f irq 19 at device 29.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
uhci2: port 0xb400-0xb41f irq 18 at device 29.2 on pci0
uhci2: [GIANT-LOCKED]
usb2: on uhci2
usb2: USB revision 1.0
uhub2: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub2: 2 ports with 2 removable, self powered
ehci0: mem 0xec180000-0xec1803ff irq 23 at device 29.7 on pci0
ehci0: [GIANT-LOCKED]
usb3: EHCI version 1.0
usb3: companion controllers, 2 ports each: usb0 usb1 usb2
usb3: on ehci0
usb3: USB revision 2.0
uhub3: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub3: 6 ports with 6 removable, self powered
pcib1: at device 30.0 on pci0
pci1: on pcib1
em0: port 0xa000-0xa03f mem 0xec000000-0xec01ffff irq 22 at device 5.0 on pci1
em0: Ethernet address: 00:30:48:43:7d:f8
em1: port 0xa400-0xa43f mem 0xec020000-0xec03ffff irq 23 at device 6.0 on pci1
em1: Ethernet address: 00:30:48:43:7d:f9
isab0: at device 31.0 on pci0
isa0: on isab0
atapci0: port 0x1f0-0x1f7,0x3f6,0x170-0x177,0x376,0xcc00-0xcc0f mem 0xec181000-0xec1813ff at device 31.1 on pci0
ata0: on atapci0
ata1: on atapci0
pci0: at device 31.3 (no driver attached)
acpi_tz0: on acpi0
fdc0: port 0x3f0-0x3f5,0x3f7 irq 6 drq 2 on acpi0
fdc0: [FAST]
fd0: <1440-KB 3.5" drive> on fdc0 drive 0
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
sio1: <16550A-compatible COM port> port 0x2f8-0x2ff irq 3 on acpi0
sio1: type 16550A
ppc0: port 0x378-0x37f,0x778-0x77b irq 7 drq 3 on acpi0
ppc0: SMC-like chipset (ECP/EPP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/9 bytes threshold
ppbus0: on ppc0
plip0: on ppbus0
lpt0: on ppbus0
lpt0: Interrupt-driven port
ppi0: on ppbus0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
pmtimer0 on isa0
orm0: at iomem 0xcc000-0xcd7ff,0xce000-0xcf7ff on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounter "TSC" frequency 2000345264 Hz quality 800
Timecounters tick every 1.000 msec
ad0: 38166MB at ata0-master UDMA100
acd0: CDROM at ata1-master UDMA33
Trying to mount root from ufs:/dev/ad0s1a
bridge0: Ethernet address: ea:cb:bc:08:90:86
em0: link state changed to UP
em1: link state changed to UP
em0: link state changed to DOWN
em1: link state changed to DOWN
em1: link state changed to UP
em0: link state changed to UP
em1: promiscuous mode disabled
em0: promiscuous mode disabled
em1: link state changed to DOWN
em0: link state changed to DOWN
bridge0: Ethernet address: ce:ea:e5:cd:48:bb
em0: promiscuous mode enabled
em1: promiscuous mode enabled
em0: link state changed to UP
em1: link state changed to UP
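The script below is an added diagnostic helper for the situation in this post; it is not part of Erik's message and not code from pf or if_bridge. It assumes FreeBSD's pf and if_bridge: the sysctls net.link.bridge.pfil_member, net.link.bridge.pfil_bridge and net.link.bridge.pfil_onlyip are the if_bridge(4) knobs that decide whether pf sees bridged packets on the member interfaces (where the rdr rule above is anchored, on em1) and/or on bridge0, and the per-rule counter line is in the format `pfctl -vsn` prints. The sample counter output embedded in the script is constructed for the offline run, not taken from Erik's machine. What it separates is "the rdr rule never matched" (Evaluations climbs while Packets stays 0, so the rule's interface or direction is wrong, or the bridge is not handing frames to pf on em1 at all) from "translation happened and the connection still hangs" (Packets grows, which moves the question to the state table and to where the bridge forwards the rewritten frame, which a capture on both members shows).

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes FreeBSD with
# pf and if_bridge; interface names and addresses are the ones from the post.

# Print the Evaluations/Packets counters for each rdr rule in `pfctl -vsn`
# output read from stdin. pfctl prints the rule, then a line such as
#   [ Evaluations: 37  Packets: 0  Bytes: 0  States: 0 ]
rdr_hits() {
    awk '
        /^rdr/ { rule = $0; next }
        /\[ Evaluations:/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            for (i = 1; i <= NF; i++) if ($i == "Evaluations:") evals = $(i + 1)
            printf "evals=%s packets=%s %s\n", evals, pkts, rule
        }'
}

# Classify one rule from its counters ($1 = Evaluations, $2 = Packets):
#   matched         translation is happening; look after NAT (states, bridging)
#   unmatched       pf saw traffic on that interface but the rule did not select it
#   never-evaluated pf never ran on that interface (check the bridge pfil sysctls)
classify_hits() {
    if [ "$2" -gt 0 ]; then
        echo matched
    elif [ "$1" -gt 0 ]; then
        echo unmatched
    else
        echo never-evaluated
    fi
}

# Constructed sample in the layout of `pfctl -vsn` (not output from the post).
SAMPLE='rdr pass on em1 inet proto tcp from any to any port = http -> (bridge0) port 80
  [ Evaluations: 37        Packets: 0         Bytes: 0           States: 0     ]'

# Live checks, only meaningful on the bridging box (run as: sh script.sh live).
live_checks() {
    # Do bridged frames reach pf on the members (em0/em1) and/or on bridge0?
    sysctl net.link.bridge.pfil_member net.link.bridge.pfil_bridge net.link.bridge.pfil_onlyip
    # Did the rdr rule ever match?
    pfctl -vsn | rdr_hits
    # Any state for the client A? Its two address pairs show the translation.
    pfctl -ss | grep 192.168.12.13
    # Capture on both members: does the rewritten packet leave toward C on em0,
    # or does it stay on B as intended?
    tcpdump -ni em0 -c 10 'host 192.168.12.13 and tcp port 80' &
    tcpdump -ni em1 -c 10 'host 192.168.12.13 and tcp port 80'
    wait
}

if [ "${1:-}" = "live" ]; then
    live_checks
else
    printf '%s\n' "$SAMPLE" | rdr_hits
fi
```

Run it with the `live` argument on B while A opens a connection to C; without arguments it only parses the constructed sample, which is how the offline check below exercises the counter parsing.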