From: "Robert Collins" <rcollins@hwi.buffalo.edu>
To: freebsd-questions@freebsd.org
Date: Sat, 31 Dec 2005 08:33:29 -0500
Message-ID: <007801c60e0e$c9baa060$6601a8c0@dhcp.hwi.buffalo.edu>
Subject: Re: forwarding http requests with ipfw
> What's happening here is that since the dest address is not changed, the
> packet never leaves the machine with the fwd rule.
>
> If you want to see it, make your fwd rule look like this:
>
> fwd 216.136.204.117 log tcp from any to me dst-port 80
>
> then tail -f /var/log/security when you try to browse to "privatehost".

I was thinking that maybe the packet was never leaving the machine for that
very reason, but then I started to wonder what purpose IPFIREWALL_FORWARD_EXTENDED
serves. The manpage states:

    With the additional option options IPFIREWALL_FORWARD_EXTENDED all
    safeguards are removed and it also makes it possible to redirect
    packets destined to locally configured IP addresses.

Redirect them where?

Just for kicks I tried a little test to see if the packet was getting handled
by the "destination address". I did a "sshd -p 80", and wasn't able to connect
to sshd. On the other hand, I was able to connect by doing a "sshd -p 81". So
they aren't being "redirected" to the destination address. They aren't being
redirected to the source address and they aren't going to lo0. So where are
they being "redirected" to? That is why I figured I was doing something wrong.

If it's true that the packets never leave the machine, then what is the
purpose of IPFIREWALL_FORWARD_EXTENDED? What's an example of a use for it?

"ipfw fwd ... log" doesn't help with my understanding of what is going on. I
also tried logging my match-all rule. Nothing there either. The packet comes
in, matches the fwd rule and disappears.

thanks
-rcollins
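The quoted reply suggests diagnosing the problem by logging the fwd rule and tailing /var/log/security. As an added example (not code from this thread, from Robert, or from the FreeBSD project), here is a small Python parser for ipfw log lines that correlates packets logged "in" on a fwd rule with any later "out" line for the same flow, which is exactly the "matched the fwd rule and disappeared" symptom described above. The log lines are constructed for illustration; rule numbers 100 and 65000, the host name cliff and the interface fxp0 are assumptions.

```python
import re
from collections import Counter

# Constructed sample of /var/log/security lines as written by ipfw's "log"
# option: rule 100 is the fwd rule from the thread, rule 65000 is an assumed
# logged match-all rule. These are made-up lines, not real captures.
SAMPLE_LOG = """\
Dec 31 08:33:29 cliff kernel: ipfw: 100 Forward to 216.136.204.117 TCP 10.1.55.4:3422 10.1.55.1:80 in via fxp0
Dec 31 08:33:29 cliff kernel: ipfw: 100 Forward to 216.136.204.117 TCP 10.1.55.4:3422 10.1.55.1:80 in via fxp0
Dec 31 08:33:31 cliff kernel: ipfw: 65000 Accept TCP 10.1.55.4:3423 10.1.55.1:81 in via fxp0
Dec 31 08:33:31 cliff kernel: ipfw: 65000 Accept TCP 10.1.55.1:81 10.1.55.4:3423 out via fxp0
"""

# One ipfw log record: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <ifc>".
# The action for a fwd rule is "Forward to <addr>[:port]"; other actions are one
# word (Accept, Deny, Reject) or "Unreach <code>".
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) "
    r"(?P<action>Forward to \S+|Unreach \S+|Accept|Deny|Reject|\S+) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<dir>in|out) via (?P<ifc>\S+)"
)


def parse_ipfw_log(text):
    """Turn raw syslog text into a list of dicts, skipping non-ipfw lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m is None:
            continue  # not an ipfw record (or a format this parser does not know)
        ev = m.groupdict()
        ev["rule"] = int(ev["rule"])
        events.append(ev)
    return events


def summary_by_rule(events):
    """Count log records per (rule number, direction)."""
    return Counter((ev["rule"], ev["dir"]) for ev in events)


def forwarded_flows_without_egress(events):
    """Flows logged inbound on a fwd rule that never appear in any 'out' record.

    A fwd rule does not rewrite the destination address, so if the packet did
    leave the box we would expect an 'out' line with the same src/dst pair on
    some interface. Flows listed here matched fwd and then vanished.
    """
    forwarded = {
        (ev["src"], ev["dst"])
        for ev in events
        if ev["dir"] == "in" and ev["action"].startswith("Forward to")
    }
    egress = {(ev["src"], ev["dst"]) for ev in events if ev["dir"] == "out"}
    return sorted(forwarded - egress)


if __name__ == "__main__":
    evs = parse_ipfw_log(SAMPLE_LOG)
    for key, n in sorted(summary_by_rule(evs).items()):
        print("rule %5d %-3s %d" % (key[0], key[1], n))
    for src, dst in forwarded_flows_without_egress(evs):
        print("forwarded but never seen leaving: %s -> %s" % (src, dst))
```

Run it against the real file with `tail -f /var/log/security | python3 -u parser.py` after replacing SAMPLE_LOG with sys.stdin reads; on the sample above it reports the 10.1.55.4:3422 -> 10.1.55.1:80 flow as forwarded but never seen leaving, while the port 81 flow (which never hit the fwd rule) shows both directions.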