From owner-freebsd-questions@FreeBSD.ORG Sat Dec 31 07:25:32 2005
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07DCD16A41F; Sat, 31 Dec 2005 07:25:32 +0000 (GMT) (envelope-from rcollins@hwi.buffalo.edu)
Received: from mail.hwi.buffalo.edu (mail.hwi.buffalo.edu [128.205.165.215]) by mx1.FreeBSD.org (Postfix) with SMTP id 6B35F43D5E; Sat, 31 Dec 2005 07:25:31 +0000 (GMT) (envelope-from rcollins@hwi.buffalo.edu)
Received: (qmail 92549 invoked by uid 90); 31 Dec 2005 02:25:30 -0500
Received: from 10.1.55.4 by cliff.hwi.buffalo.edu (uid 82) with qmail-scanner-1.25 (clamdscan: 0.87/1146. Clear:RC:1(10.1.55.4):. Processed in 0.203763 secs); 31 Dec 2005 07:25:30 -0000
X-Qmail-Scanner-Mail-From: rcollins@hwi.buffalo.edu via cliff.hwi.buffalo.edu
X-Qmail-Scanner: 1.25 (Clear:RC:1(10.1.55.4):. Processed in 0.203763 secs)
Received: from unknown (HELO Infernus) (10.1.55.4) by mail.hwi.buffalo.edu with SMTP; 31 Dec 2005 02:25:30 -0500
Message-ID: <006c01c60ddb$6167cf70$6601a8c0@dhcp.hwi.buffalo.edu>
From: "Robert Collins"
References: <003d01c60dc8$2090f930$6601a8c0@dhcp.hwi.buffalo.edu> <6.2.3.4.2.20051230215226.03679d60@cobalt.antimatter.net> <006601c60dd4$5319b7a0$6601a8c0@dhcp.hwi.buffalo.edu> <6.2.3.4.2.20051230223713.05d19280@cobalt.antimatter.net>
Date: Sat, 31 Dec 2005 02:25:30 -0500
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="iso-8859-1"; reply-type=response
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Subject: Re: forwarding http requests with ipfw
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sat, 31 Dec 2005 07:25:32 -0000

----- Original Message -----
From: "Glenn Dawson"
To: "Robert Collins"
Sent: Saturday, December 31, 2005 1:46 AM
Subject: Re: forwarding http requests with ipfw

> At 10:34 PM 12/30/2005, Robert Collins wrote:
>>>At 09:07 PM 12/30/2005, Robert Collins wrote:
>>>>I've got a situation where I've got an internal host using a private
>>>>IP/domain name. Let's say for the sake of this discussion the host is
>>>>privatehost.internal.freebsd.org. privatehost isn't running a webserver.
>>>>But I would like machines on the internal.freebsd.org network to query
>>>>privatehost as if it was. When one of these machines queries privatehost
>>>>I would like privatehost to forward those requests to my webserver,
>>>>www.freebsd.org, so that it can handle the request. In order to
>>>>accomplish that I have done the following:
>>>>
>>>>My kernel was compiled with these options:
>>>>options IPFIREWALL
>>>>options IPFIREWALL_FORWARD
>>>>options IPFIREWALL_FORWARD_EXTENDED
>>>>
>>>>
>>>>"ipfw list" looks like this:
>>>>00100 allow ip from any to any via lo0
>>>>00110 deny ip from any to 127.0.0.0/8
>>>>00120 deny ip from 127.0.0.0/8 to any
>>>>10000 fwd 216.136.204.117 tcp from any to me dst-port 80
>>>>65000 allow ip from any to any
>>>>65535 deny ip from any to any
>>>>
>>>>The problem I am having is that it seems the packets never leave
>>>>privatehost. tcpdump shows packets coming in destined for port 80. "ipfw
>>>>show" shows that packets are matching my rule, but tcpdump never shows
>>>>any packets going out to 216.136.204.117. tcpdump on 216.136.204.117
>>>>also shows that no packets are being received. I did a tcpdump on lo0
>>>>just for kicks, and that didn't show anything. It seems as if the
>>>>packets are just disappearing. Someone on #freebsdhelp suggested doing a
>>>>"sysctl -w net.inet.ip.forwarding=1" but that didn't help the situation.
>>>>Is there something minor I'm missing here...or am I totally off in my
>>>>understanding of how "ipfw fwd" works?
>>>
>>>To quote the ipfw man page:
>>>
>>>"The fwd action does not change the contents of the packet at all. In
>>>particular, the destination address remains unmodified, so packets
>>>forwarded to another system will usually be rejected by that system
>>>unless there is a matching rule on that system to capture them."
>>>
>>>You probably need to re-think what you are trying to do.
>>
>>My understanding of this portion of the man page is that the machine
>>receiving the packet, in this case www.freebsd.org, needs to be prepared
>>to receive a packet whose destination address is not its own. If I am
>>correct in my interpretation then this part of the man page is irrelevant
>>to my problem. My question is not, why is www.freebsd.org not receiving
>>the packet. My question is, why is privatehost.internal.freebsd.org not
>>sending the packet.
>
> What tcpdump rules are you using to look for packets leaving
> "privatehost"? Same question for packets arriving at 216.136.204.117?
>

On both machines I tried "tcpdump -n port 80". "privatehost" says:

02:15:32.542383 IP 10.1.35.10.1732 > 10.1.35.72.80: S 2200576146:2200576146(0) win 65535

There is no output for 216.136.204.117. I've also tried "tcpdump -n host 216.136.204.117" on privatehost. That rule doesn't produce any output.

-rcollins
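The fwd semantics quoted from the man page in this thread, as an added example that is not part of the thread and is not FreeBSD's ipfw code: a small Python model that parses the ruleset and the tcpdump line posted above, finds the first matching rule, and applies fwd the way the man page states it, changing only the next hop while leaving the packet's destination address untouched. Everything beyond the quoted rules and the tcpdump line is an assumption made for illustration: the rule parser covers only the keywords those six rules use, the address set for `me` is taken from the destination in the tcpdump output, the interface of the captured packet is unknown (so the `via lo0` rule cannot match it), and `next_hop_owns_dst` models only the man page's statement that a host will not accept a packet whose destination is not one of its own addresses unless it has a rule to capture it.

```python
# Toy model of the ipfw subset used in this thread. Added illustration,
# not FreeBSD's ipfw implementation: it parses only the keywords the
# quoted rules use and applies "fwd" as the man page describes it
# (the next hop changes, the packet's destination address does not).
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    iface: str = ""       # interface for "via"; tcpdump -n output does not show it


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # allow | deny | fwd
    proto: str                      # "ip" matches any protocol
    src: str                        # any | me | CIDR
    dst: str
    dst_port: Optional[int] = None
    via: Optional[str] = None
    fwd_to: Optional[str] = None


def parse_rule(line: str) -> Rule:
    """Parse one 'ipfw list' line (only the keywords used in the thread)."""
    tok = line.split()
    number, action, i = int(tok[0]), tok[1], 2
    fwd_to = None
    if action == "fwd":
        fwd_to, i = tok[i], i + 1
    proto = tok[i]
    if tok[i + 1] != "from" or tok[i + 3] != "to":
        raise ValueError("unsupported rule syntax: " + line)
    src, dst = tok[i + 2], tok[i + 4]
    i += 5
    dst_port = via = None
    while i < len(tok):
        if tok[i] == "dst-port":
            dst_port, i = int(tok[i + 1]), i + 2
        elif tok[i] == "via":
            via, i = tok[i + 1], i + 2
        else:
            raise ValueError("unsupported keyword: " + tok[i])
    return Rule(number, action, proto, src, dst, dst_port, via, fwd_to)


def parse_tcpdump_line(line: str) -> Packet:
    """Parse 'HH:MM:SS.us IP a.b.c.d.port > e.f.g.h.port: ...' from tcpdump -n."""
    tok = line.split()
    src_host, src_port = tok[2].rsplit(".", 1)
    dst_host, dst_port = tok[4].rstrip(":").rsplit(".", 1)
    proto = "udp" if "UDP" in tok[5:] else "tcp"   # assumption: TCP unless tcpdump says UDP
    return Packet(proto, src_host, dst_host, int(src_port), int(dst_port))


def addr_matches(spec: str, addr: str, my_addrs: Set[str]) -> bool:
    if spec == "any":
        return True
    if spec == "me":
        return addr in my_addrs
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, my_addrs: Set[str]) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and addr_matches(rule.src, pkt.src, my_addrs)
            and addr_matches(rule.dst, pkt.dst, my_addrs)
            and (rule.dst_port is None or rule.dst_port == pkt.dport)
            and (rule.via is None or rule.via == pkt.iface))


def run_ruleset(rules, pkt: Packet, my_addrs: Set[str]) -> Tuple[str, Optional[str], Packet, int]:
    """First matching rule wins. Returns (verdict, next_hop, packet, rule_no).
    For fwd the packet comes back unchanged; only next_hop is set."""
    for r in sorted(rules, key=lambda r: r.number):
        if rule_matches(r, pkt, my_addrs):
            if r.action == "fwd":
                return "allow", r.fwd_to, pkt, r.number
            return r.action, None, pkt, r.number
    return "deny", None, pkt, 65535   # ipfw's implicit default rule


def next_hop_owns_dst(pkt: Packet, next_hop_addrs: Set[str]) -> bool:
    """Man-page consequence: the next hop only accepts the packet if its
    (unchanged) destination is one of that host's own addresses."""
    return pkt.dst in next_hop_addrs


# Constructed input: the ruleset and the tcpdump line quoted in the thread.
RULES = [
    "00100 allow ip from any to any via lo0",
    "00110 deny ip from any to 127.0.0.0/8",
    "00120 deny ip from 127.0.0.0/8 to any",
    "10000 fwd 216.136.204.117 tcp from any to me dst-port 80",
    "65000 allow ip from any to any",
    "65535 deny ip from any to any",
]
TCPDUMP_LINE = "02:15:32.542383 IP 10.1.35.10.1732 > 10.1.35.72.80: S 2200576146:2200576146(0) win 65535"
MY_ADDRS = {"10.1.35.72"}   # assumption: privatehost's address, read off the tcpdump line


def demo():
    rules = [parse_rule(l) for l in RULES]
    pkt = parse_tcpdump_line(TCPDUMP_LINE)
    verdict, nh, out, num = run_ruleset(rules, pkt, MY_ADDRS)
    print(f"rule {num}: {verdict}, next hop {nh}, packet dst still {out.dst}")
    print("next hop owns the destination:", next_hop_owns_dst(out, {nh}))
    return verdict, nh, out, num


if __name__ == "__main__":
    demo()
```

Run as a script it reports that rule 10000 matches the captured SYN and sets the next hop to 216.136.204.117 while the packet is still addressed to 10.1.35.72, which is exactly the situation the man page warns about on the receiving side; it says nothing about why the packet never appears on the wire, which is the separate question the reply leaves open.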