Date:      Sun, 12 Sep 1999 23:31:15 -0400 (EDT)
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        schluntz@workofstone.com (Sean J. Schluntz)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw and divert question.
Message-ID:  <199909130331.XAA15945@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <199909130100.SAA04953@c956029-a.haywd2.sfba.home.com> from "Sean J. Schluntz" at "Sep 12, 1999 05:25:12 pm"

Sean J. Schluntz wrote,
> 
> Hello, I'm having problems getting divert to work correctly with ipfw under FreeBSD 3.2.  I'm trying to get divert working so I can have the web server running as web and bound to 8000 instead of having it become root at all.
> 
> I've got the system up and running just fine, got ipfw currently running in OPEN so I can test divert with no interference.  I have:
> 
> options         IPFIREWALL
> options         IPDIVERT
> options         IPFIREWALL_VERBOSE
> 
> compiled in to the kernel.  But I seem to be missing something in my understanding of ipfw.
> 
> These are the two versions I have been playing with:
> 
> ipfw add divert all from port 80 to port 8000
> 
> gets me "ipfw: error: illegal divert port"
> 
> and:
> 
> ipfw add divert 80 tcp from any to any 8000
> 
> goes in but does not appear to do anything.
> 
> Here is an output of ipfw show:
> 
> 00100     0       0 allow ip from any to any via lo0
> 00200     0       0 deny ip from any to 127.0.0.0/8
> 65000 11603 6175933 allow ip from any to any
> 65100     0       0 divert 80 tcp from any to any 8000
> 65535     0       0 deny ip from any to any
> 
> 
> Thanks for any help.

Two things. 

First, and foremost, every IP packet that comes in matches rule
65000 and is therefore passed along before it ever gets to the divert
in rule 65000. 

Second, if you are just forwarding everything from one port to another
on the local machine, why bother with divert (which I really wonder if
you are using properly) when I think something like this should work,

# ipfw add 300 fwd 127.0.0.1,8000 ip from any to localhost 80

-- 
Crist J. Clark                           cjclark@home.com
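
The first point in the reply (ipfw stops at the first matching allow or deny rule, so a rule numbered after a catch-all never sees a packet) can be checked mechanically. The following is an added example, not part of the original message: a shell function that reads `ipfw show` output and lists rules placed after an unconditional allow/deny. The names `shadowed_rules` and `sample_rules` are hypothetical; the sample input is the rule listing quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message): flag ipfw rules that can
# never match because an earlier catch-all rule ends evaluation first.

# Reads `ipfw show` output on stdin (rule number, packets, bytes, rule body).
# Prints "<shadowed rule> <catch-all rule> <packet count>" for every rule
# that follows an unconditional allow/deny of all IP traffic.
shadowed_rules() {
    awk '
    {
        # Terminal actions and their aliases from ipfw(8).
        terminal = ($4 ~ /^(allow|accept|pass|permit|deny|drop)$/)
        # A catch-all body is exactly: <action> ip|all from any to any
        catchall = (terminal && NF == 9 && ($5 == "ip" || $5 == "all") &&
                    $6 == "from" && $7 == "any" && $8 == "to" && $9 == "any")
        # 65535 is the built-in default rule, so it is not reported.
        if (first != "" && $1 + 0 != 65535)
            print $1, first, $2
        if (catchall && first == "")
            first = $1
    }'
}

# The `ipfw show` listing quoted in the message above.
sample_rules() {
    cat <<'EOF'
00100     0       0 allow ip from any to any via lo0
00200     0       0 deny ip from any to 127.0.0.0/8
65000 11603 6175933 allow ip from any to any
65100     0       0 divert 80 tcp from any to any 8000
65535     0       0 deny ip from any to any
EOF
}

# On a live system: ipfw show | shadowed_rules
sample_rules | shadowed_rules   # prints: 65100 65000 0
```

A packet count of 0 on a reported rule is consistent with it never being reached; renumbering the rule below the catch-all removes it from the output.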

