Date: Sat, 31 Dec 2005 08:33:29 -0500
From: "Robert Collins" <rcollins@hwi.buffalo.edu>
To: <freebsd-questions@freebsd.org>
Subject: Re: forwarding http requests with ipfw
Message-ID: <007801c60e0e$c9baa060$6601a8c0@dhcp.hwi.buffalo.edu>
References: <003d01c60dc8$2090f930$6601a8c0@dhcp.hwi.buffalo.edu> <6.2.3.4.2.20051230215226.03679d60@cobalt.antimatter.net> <006601c60dd4$5319b7a0$6601a8c0@dhcp.hwi.buffalo.edu> <6.2.3.4.2.20051230223713.05d19280@cobalt.antimatter.net> <006c01c60ddb$6167cf70$6601a8c0@dhcp.hwi.buffalo.edu> <6.2.3.4.2.20051231012747.06857a90@cobalt.antimatter.net>
> What's happening here is that since the dest address is not changed, the
> packet never leaves the machine with the fwd rule.
>
> If you want to see it, make your fwd rule look like this:
>
> fwd 216.136.204.117 log tcp from any to me dst-port 80
>
> then tail -f /var/log/security when you try to browse to "privatehost".

I was thinking that maybe the packet was never leaving the machine for that very reason, but then I started to wonder what purpose IPFIREWALL_FORWARD_EXTENDED serves. The manpage states:

    With the additional option options IPFIREWALL_FORWARD_EXTENDED all safeguards are removed and it also makes it possible to redirect packets destined to locally configured IP addresses.

Redirect them where?

Just for kicks I tried a little test to see if the packet was getting handled by the "destination address". I did a "sshd -p 80", and wasn't able to connect to sshd. On the other hand, I was able to connect by doing a "sshd -p 81". So they aren't being "redirected" to the destination address. They aren't being redirected to the source address and they aren't going to lo0. So where are they being "redirected" to? Which is why I figured I was doing something wrong.

If it's true that the packets never leave the machine, then what is the purpose of IPFIREWALL_FORWARD_EXTENDED? What's an example of a use for it?

ipfw fwd <address> log doesn't help with my understanding of what is going on. I also tried logging my match-all rule. Nothing there either. The packet comes in, matches the fwd rule and disappears.

thanks
-rcollins
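The diagnostic suggested in the quoted reply (put `log` on the fwd rule and on the match-all rule, then watch /var/log/security) produces one line per logged packet, and the question of whether a packet "disappears" after the fwd rule comes down to which rule numbers show up for port 80. The script below is an added example, not code from the thread or from FreeBSD itself: it tallies log lines per rule and action for a given destination port. The sample log lines are constructed, the host name `gw`, the interface `em0` and the rule numbers are assumptions, and the layout `ipfw: <rule> <action> <proto> <src:port> <dst:port> <dir> via <if>` is the kernel's ipfw log format as I recall it, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): count how many logged packets to a given
# TCP port each ipfw rule handled, using the output of the "log" keyword.

# Constructed sample of what `tail -f /var/log/security` might show once both
# the fwd rule (100) and the final match-all rule (65000) carry "log".
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 31 08:20:01 gw kernel: ipfw: 100 Forward to 216.136.204.117 TCP 192.168.1.50:4411 192.168.1.1:80 in via em0
Dec 31 08:20:01 gw kernel: ipfw: 100 Forward to 216.136.204.117 TCP 192.168.1.50:4412 192.168.1.1:80 in via em0
Dec 31 08:20:05 gw kernel: ipfw: 100 Forward to 216.136.204.117 TCP 192.168.1.51:5000 192.168.1.1:80 in via em0
Dec 31 08:20:07 gw kernel: ipfw: 65000 Deny TCP 10.9.8.7:3333 192.168.1.1:22 in via em0
EOF

# count_rule_hits PORT FILE
# Prints one line per distinct "<rule> <action>" seen for packets whose
# destination port is PORT, followed by the hit count.  A port that never
# reached any logged rule prints nothing at all, which is exactly the
# "matches the fwd rule and disappears" situation: only the fwd rule's
# number appears, the match-all rule's never does.
count_rule_hits() {
    port="$1"; file="$2"
    # keep lines whose destination address ends in ":PORT" before "in/out via"
    grep -E "ipfw: .*:${port} (in|out) via" "$file" |
        # strip everything up to the rule number, and everything from the
        # protocol token onward, leaving "<rule> <action words>"
        sed -E 's/.*ipfw: ([0-9]+) (.*) (TCP|UDP|ICMP) .*/\1 \2/' |
        sort | uniq -c |
        # uniq -c puts the count first; move it to the end for readability
        awk '{ c = $1; $1 = ""; sub(/^ /, ""); print $0, c }'
}

# Stand-alone run: show what port 80 traffic hit, then what port 22 hit.
count_rule_hits 80 "$SAMPLE_LOG"
count_rule_hits 22 "$SAMPLE_LOG"
```

Run against the real file (`count_rule_hits 80 /var/log/security`) after reproducing the browse attempt; if the only rule number reported for port 80 is the fwd rule's, the packet was consumed there and never reached the logging match-all rule, which is the behaviour the quoted reply describes.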
