From: myers@iname.com
Date: Sat, 19 Jun 1999 10:35:14 -0700 (PDT)
Subject: 'ipfw fwd' question: Shouldn't this work?
To: freebsd-questions@freebsd.org

Folks:

I'm looking at the 'ipfw forward' mechanism, hoping to use it to automatically route packets on my firewall's port 80 to an internal web server's port 80. From what I see in mailing list archives, many people have got exactly this situation working correctly. I can't seem to figure out what I've done wrong.

The firewall is configured with ed0 as the external interface and de0 as the internal interface to the 10.0.0.x network. natd is running on ed0. Web browsing, email, etc. all work fine from the internal network. The 3.2-STABLE kernel has the appropriate IPFIREWALL DIVERT, FORWARD, etc. directives in it.

When I send a request to port 80, the firewall's kernel says:

    gateway /kernel: ipfw: 1200 Forward to 10.0.0.1:80 TCP 10.0.0.1:35188 aaa.bbb.ccc.ddd:80 in via de0

Which is correct, right? But 'snoop' on the (Solaris) web server shows no packets arriving; Apache logs show nothing as well.

Can anyone point me to the (hopefully obvious) blunder? I thought perhaps some other firewall rule was killing the forwarded packets, but my firewall configuration logs all denied packets -- and no such denial messages ever appear.
(By the way, it appears there is an entirely separate mechanism that offers the same functionality: the natd -redirect_port feature. This doesn't work for me either.)

Firewall rules attached below. Thanks.

-David.

    $fwcmd add deny log all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny log all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny log all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny log all from 10.0.0.0:255.0.0.0 to any via ${oif}

    $fwcmd add pass tcp from any to ${oip} 25 setup
    $fwcmd add pass tcp from any to ${oip} 53 setup
    $fwcmd add fwd 10.0.0.1,80 log tcp from any to ${oip} 80
    $fwcmd add pass tcp from any to ${oip} 143 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    $fwcmd add pass ip from any to any
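As an added example (not from the post and not FreeBSD's own code), a small Python script that parses ipfw log lines of the shape quoted above and tags each "Forward to" event by the interface the packet entered on, since a fwd rule written for outside clients is expected to match packets coming in via the external interface rather than the internal one. The sample log lines, the 203.0.113.10 external address and the 198.51.100.7 client address are constructed placeholders.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from the post) in the ipfw(8) log format
# of FreeBSD 3.x; 203.0.113.10 stands in for the firewall's external address.
SAMPLE_LOG = """\
Jun 19 10:30:01 gateway /kernel: ipfw: 1200 Forward to 10.0.0.1:80 TCP 10.0.0.1:35188 203.0.113.10:80 in via de0
Jun 19 10:30:05 gateway /kernel: ipfw: 1200 Forward to 10.0.0.1:80 TCP 198.51.100.7:40211 203.0.113.10:80 in via ed0
Jun 19 10:30:09 gateway /kernel: ipfw: 1300 Deny TCP 198.51.100.7:40212 203.0.113.10:22 in via ed0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Forward to \S+|Deny|Accept|Divert \d+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)


def parse_ipfw_line(line):
    """Return the fields of one ipfw log line as a dict, or None if it is not one."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None


def check_forward(rec, int_iface, int_net):
    """Classify a 'Forward to' record for a port-forward rule aimed at outside clients.

    'external': the packet came in on the external interface (the intended case)
    'internal': it came in on the internal interface from an internal host, so the
                fwd rule is also catching traffic that originated inside
    None      : not a forward event
    """
    if not rec["action"].startswith("Forward"):
        return None
    from_inside = ip_address(rec["src"]) in ip_network(int_net)
    if rec["iface"] == int_iface and from_inside:
        return "internal"
    return "external"


def audit(log_text, int_iface="de0", int_net="10.0.0.0/8"):
    """Parse every ipfw line and tag forwarded packets by where they entered."""
    rows = []
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None:
            continue  # not an ipfw line
        rows.append((int(rec["rule"]), rec["action"].split()[0], rec["src"],
                     rec["dst"], rec["iface"], check_forward(rec, int_iface, int_net)))
    return rows


if __name__ == "__main__":
    for row in audit(SAMPLE_LOG):
        print(row)
```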