From owner-freebsd-questions Sun Sep 12 19:05:31 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from templar.fgi.net (templar.fgi.net [206.101.112.9]) by hub.freebsd.org (Postfix) with ESMTP id 6FB0614F85 for ; Sun, 12 Sep 1999 19:05:23 -0700 (PDT) (envelope-from darnold@fgi.net)
Received: from darnold.fgi.net (usr5tc-251.fgi.net [208.130.70.251]) by templar.fgi.net (Pro-8.9.3/Pro-8.9.3) with SMTP id VAA02162 for ; Sun, 12 Sep 1999 21:05:19 -0500
From: Dick Arnold
To: freebsd-questions@FreeBSD.ORG
Subject: Re: ipfw and divert question.
Date: Sun, 12 Sep 1999 21:00:30 -0500
X-Mailer: KMail [version 1.0.21]
Content-Type: text/plain
References: <199909130100.SAA04953@c956029-a.haywd2.sfba.home.com>
MIME-Version: 1.0
Message-Id: <99091221050300.00405@darnold.fgi.net>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sun, 12 Sep 1999, Sean J. Schluntz wrote:

> Hello, I'm having problems getting divert to work correctly with ipfw under FreeBSD 3.2. I'm trying to get divert working so I can have the web server running as web and bound to 8000 instead of having it become root at all.
>
> I've got the system up and running just fine, got ipfw currently running in OPEN so I can test divert with no interference. I have:
>
> options IPFIREWALL
> options IPDIVERT
> options IPFIREWALL_VERBOSE
>
> compiled in to the kernel. But I seem to be missing something in my understanding of ipfw.
>
> These are the two versions I have been playing with:
>
> ipfw add divert all from port 80 to port 8000
>
> gets me "ipfw: error: illegal divert port"
>
> and:
>
> ipfw add divert 80 tcp from any to any 8000
>
> goes in but does not appear to do anything.
>
> Here is an output of ipfw show:
>
> 00100 0 0 allow ip from any to any via lo0
> 00200 0 0 deny ip from any to 127.0.0.0/8
> 65000 11603 6175933 allow ip from any to any
> 65100 0 0 divert 80 tcp from any to any 8000
> 65535 0 0 deny ip from any to any
>

The rule at 65100 needs to be inserted prior to the rule at 65000. As you can see from the rule counts, everything meets rule 65000, so it never makes it to 65100.

Dick A.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
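The point Dick makes applies to any ipfw rule set: rules are evaluated in ascending number order and processing stops at the first match, so everything numbered after an unconditional "allow ip from any to any" (or the matching deny) is dead, and the zero packet/byte counters in `ipfw show` are the quickest way to spot it. The script below is an added example, not code from the thread or from FreeBSD: it feeds the rule listing quoted above (embedded as a constructed string) through a small awk check that finds the first catch-all rule, lists every rule shadowed behind it, and re-emits the poster's divert rule with a number that sorts before the catch-all. The choice of "100 below the catch-all" for the new rule number is a hypothetical one; any unused number lower than 65000 would do. Nothing here touches a live firewall; it only prints the corrected `ipfw add` command.

```shell
#!/bin/sh
# Added example, not from the thread: find ipfw rules that can never fire.
# ipfw is first-match, so anything numbered after an unconditional
# "allow ip from any to any" / "deny ip from any to any" is unreachable.
# Sample `ipfw show` output from the thread, embedded as a constructed string.
IPFW_SHOW='00100 0 0 allow ip from any to any via lo0
00200 0 0 deny ip from any to 127.0.0.0/8
65000 11603 6175933 allow ip from any to any
65100 0 0 divert 80 tcp from any to any 8000
65535 0 0 deny ip from any to any'

# Rule number of the first unconditional allow/deny, i.e. exactly
# "<action> ip from any to any" with no further qualifiers (NF == 9).
# Prints nothing if the listing has no such rule.
first_catchall() {
    printf '%s\n' "$1" | awk '
        NF == 9 && ($4 == "allow" || $4 == "deny") && $5 == "ip" &&
        $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" { print $1; exit }
    '
}

# List every rule numbered after the catch-all, together with its packet
# counter, so the "0 packets" evidence sits next to the shadowed rule.
unreachable_rules() {
    printf '%s\n' "$1" | awk '
        dead { printf "%s pkts=%s %s\n", $1, $2, substr($0, index($0, $4)); next }
        NF == 9 && ($4 == "allow" || $4 == "deny") && $5 == "ip" &&
        $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any" { dead = 1 }
    '
}

# Re-emit the poster's divert rule with a number that sorts before the
# catch-all (hypothetical choice: 100 below it).  Fails if there is no
# catch-all, since then ordering is not the problem.
fixed_divert_rule() {
    catchall=$(first_catchall "$1")
    [ -n "$catchall" ] || { echo "no catch-all rule found" >&2; return 1; }
    # strip leading zeros so shell arithmetic does not read the number as octal
    n=$(printf '%s' "$catchall" | sed 's/^0*//')
    printf 'ipfw add %05d divert 80 tcp from any to any 8000\n' $((n - 100))
}

# Stand-alone usage: report the dead rules, then print the corrected command.
unreachable_rules "$IPFW_SHOW"
fixed_divert_rule "$IPFW_SHOW"
```

Note that the final `deny ip from any to any` at 65535 shows up as unreachable too: with rule 65000 in place the firewall is wide open, which is fine while testing in OPEN mode, but the same check is worth running on a production rule set, where a deny shadowed by an earlier broad allow is a real hole rather than a debugging nuisance.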