From owner-freebsd-ipfw@FreeBSD.ORG Thu Oct 2 22:41:48 2008 Return-Path: Delivered-To: freebsd-ipfw@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CB8611065686 for ; Thu, 2 Oct 2008 22:41:48 +0000 (UTC) (envelope-from boinger69@gmail.com) Received: from mail-gx0-f21.google.com (mail-gx0-f21.google.com [209.85.217.21]) by mx1.freebsd.org (Postfix) with ESMTP id 737CC8FC1B for ; Thu, 2 Oct 2008 22:41:48 +0000 (UTC) (envelope-from boinger69@gmail.com) Received: by gxk14 with SMTP id 14so2012562gxk.19 for ; Thu, 02 Oct 2008 15:41:47 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:sender :to:subject:mime-version:content-type:x-google-sender-auth; bh=z84iDMLcvcX63l+6AXBmZ0JpBkAJOewcjlyBcaWDESU=; b=Pc9/I5PUh0aHjZZBDwq+p7BRN79MJYTqwuSKn/Q9O5DZEbCUE0kDJdfW0p9dXqC6a6 x5P89mSoXAWnOIbUe/PmhhXf/dwXPiFXWf0rM6gqCo84w6buDezmiau7faM8h8B/b+Te x/CH7zfZGOFzx4Dmfv9dhPqRG0Ss6RsptkaYw= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:sender:to:subject:mime-version:content-type :x-google-sender-auth; b=r4/NFriBOqv4Zp1hJmyjtlxqoJJYAGNuRSHZ8ed8PlxrikqI+pCR0gCkZobHxfdNm/ j8tM6U7z+rD4fzSx7WJ5ZlKKoKS/C7FtEKOs54eNHSpkbwdXg2rfsbZftW7sdnilDUsY h82vqTjETrnWQPrF8g2G+jxNWmTS64HJVkmpc= Received: by 10.151.155.9 with SMTP id h9mr315705ybo.8.1222985557251; Thu, 02 Oct 2008 15:12:37 -0700 (PDT) Received: by 10.150.182.2 with HTTP; Thu, 2 Oct 2008 15:12:37 -0700 (PDT) Message-ID: Date: Thu, 2 Oct 2008 18:12:37 -0400 From: "Dan Johnson" Sender: boinger69@gmail.com To: freebsd-ipfw@freebsd.org MIME-Version: 1.0 X-Google-Sender-Auth: 97e862d9cc55e453 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: IPFW fwd issue. X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 Oct 2008 22:41:49 -0000 After beating my head against this for days I ran out of places to look for information, and almost sent this as a help request instead of an observation. So excuse the present tense. All I am actually trying to accomplish is a simple (This worked flawless last i tried under 4.5) squid transparent proxy. I'm using this rule before the nat rule: 00100 fwd 127.0.0.1,3128 log ip from any to any 80 out When I attempt to hit port 80 on an external server, the security log shows the rule was processed, and claims it was forwarded to 127.0.0.1,3128. OK Watching tcpdump -nnvvei lo0 shows no relevant activity. BUT, watching tcpdump -nnvvei xl1 (external iface) shows the port 80 SYN being sent to the remote web server with the original source ip address from 192.168.0.0/24, still using the destination MAC of my default gateway. This is with or without the squid daemon running. And when i do have it running i have it on the local console with debugging enabled (incase a stray packet actually makes it in.) The same holds true if i setup the fwd to my xl1 interface ip address, or another host ex 192.168.0.30. Running tcpdump (Linux) eth0 in promisc on 192.168.0.30 also doesn't show any traffic being forwarded its way when configured to do so. So I'm inclined to beleive this isn't just an error on tcpdumps part (as there is an open issue reported with tcpdump and ipfw fwd) but that the traffic really isn't being modified. The only thing I was doing that is unique is I recompiled the ipfw module to include -DIPFIREWALL_NAT and -DIPFIREWALL_FORWARD instead of adding the whole mess to the base kernel. After noting that I was using a module, I said screw it, and compiled IPFW into the base kernel, viola now it works fine.