From: "Robert Collins" <rcollins@hwi.buffalo.edu>
To: freebsd-questions@freebsd.org
Date: Sat, 31 Dec 2005 01:34:57 -0500
Subject: Re: forwarding http requests with ipfw

> At 09:07 PM 12/30/2005, Robert Collins wrote:
>> I've got a situation where I've got an internal host using a private
>> ip/domainname. Let's say for the sake of this discussion the host is
>> privatehost.internal.freebsd.org. privatehost isn't running a webserver.
>> But I would like machines on the internal.freebsd.org network to query
>> privatehost as if it was. When one of these machines queries privatehost I
>> would like privatehost to forward those requests to my webserver,
>> www.freebsd.org, so that it can handle the request. In order to accomplish
>> that I have done the following:
>>
>> My kernel was compiled with these options:
>> options IPFIREWALL
>> options IPFIREWALL_FORWARD
>> options IPFIREWALL_FORWARD_EXTENDED
>>
>> "ipfw list" looks like this:
>> 00100 allow ip from any to any via lo0
>> 00110 deny ip from any to 127.0.0.0/8
>> 00120 deny ip from 127.0.0.0/8 to any
>> 10000 fwd 216.136.204.117 tcp from any to me dst-port 80
>> 65000 allow ip from any to any
>> 65535 deny ip from any to any
>>
>> The problem I am having is that it seems the packets never leave
>> privatehost. tcpdump shows packets coming in destined for port 80. "ipfw
>> show" shows that packets are matching my rule, but tcpdump never shows any
>> packets going out to 216.136.204.117. tcpdump on 216.136.204.117 also
>> shows that no packets are being received. I did a tcpdump on lo0 just for
>> kicks, and that didn't show anything. It seems as if the packets are just
>> disappearing. Someone on #freebsdhelp suggested doing a "sysctl -w
>> net.inet.ip.forwarding=1" but that didn't help the situation. Is there
>> something minor I'm missing here...or am I totally off in my understanding
>> of how "ipfw fwd" works?
>
> To quote the ipfw man page:
>
> "The fwd action does not change the contents of the packet at all. In
> particular, the destination address remains unmodified, so packets
> forwarded to another system will usually be rejected by that system unless
> there is a matching rule on that system to capture them."
>
> You probably need to re-think what you are trying to do.

My understanding of this portion of the man page is that the machine receiving the packet, in this case www.freebsd.org, needs to be prepared to receive a packet whose destination address is not its own. If I am correct in my interpretation then this part of the man page is irrelevant to my problem. My question is not, why is www.freebsd.org not receiving the packet. My question is, why is privatehost.internal.freebsd.org not sending the packet.
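An added illustration of the ipfw(8) sentence quoted in the thread, not code from the list or from FreeBSD's ipfw: a toy rule matcher in which `fwd` sets only a next hop and leaves the destination address untouched, so a receiving host accepts the packet only when one of its own rules captures it, whereas a NAT-style redirect rewrites the header. The 10.0.0.x addresses and the interface name are constructed; 216.136.204.117 is the address from the thread.

```python
# Toy model of 'ipfw fwd' vs. destination rewriting. Handles only the keywords
# in the thread's ruleset (proto, from, to, dst-port, via); CIDR matching omitted.
from dataclasses import dataclass, replace

PRIVATEHOST = "10.0.0.5"        # constructed address for privatehost
CLIENT = "10.0.0.7"             # constructed internal client
WEBSERVER = "216.136.204.117"   # forwarding target from the thread
RULES = [
    "00100 allow ip from any to any via lo0",
    "00110 deny ip from any to 127.0.0.0/8",
    "00120 deny ip from 127.0.0.0/8 to any",
    "10000 fwd 216.136.204.117 tcp from any to me dst-port 80",
    "65000 allow ip from any to any",
    "65535 deny ip from any to any",
]

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    iface: str = "em0"   # constructed interface name
    next_hop: str = ""   # set by fwd; it is routing state, not part of the header

def match(rule, pkt, local_addrs):
    """Return (action, fwd_target) if the rule matches pkt, else None."""
    w = rule.split()
    action, target = w[1], (w[2] if w[1] == "fwd" else None)
    proto = w[3] if target else w[2]
    src, dst = w[w.index("from") + 1], w[w.index("to") + 1]
    port = int(w[w.index("dst-port") + 1]) if "dst-port" in w else None
    iface = w[w.index("via") + 1] if "via" in w else None
    ok = proto in ("ip", pkt.proto) and src in ("any", pkt.src)
    ok = ok and (dst == "any" or (dst == "me" and pkt.dst in local_addrs) or dst == pkt.dst)
    ok = ok and (port is None or port == pkt.dport) and (iface is None or iface == pkt.iface)
    return (action, target) if ok else None

def apply_rules(rules, pkt, local_addrs):
    """First matching rule wins: fwd sets next_hop only, deny drops (None)."""
    for rule in rules:
        m = match(rule, pkt, local_addrs)
        if m is None:
            continue
        if m[0] == "fwd":
            return replace(pkt, next_hop=m[1])   # dst is deliberately NOT rewritten
        return pkt if m[0] == "allow" else None
    return None

def host_accepts(pkt, host_addrs, host_rules=()):
    """A host delivers locally only if dst is its own, or its own rule captures it."""
    if pkt.dst in host_addrs:
        return True
    return any((match(r, pkt, host_addrs) or (None,))[0] == "fwd" for r in host_rules)

def redirect(pkt, new_dst):
    """Contrast: a NAT-style redirect rewrites the destination in the header."""
    return replace(pkt, dst=new_dst, next_hop="")
```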