From: Julian Elischer
To: "Leander S."
Cc: freebsd-ipfw@freebsd.org
Subject: Re: Portforwarding - still the same issue
Date: Mon, 27 Oct 2008 09:33:15 -0700
Message-ID: <4905ED4B.7040007@elischer.org>
In-Reply-To: <4905C902.9040306@googlemail.com>
List-Id: IPFW Technical Discussions

Leander S. wrote:
> Roman Kurakin wrote:
>> John Hay wrote:
>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm trying to set up something like a HotSpot. The goal is to force
>>>> unregistered users to get redirected to the Captive Portal site where
>>>> they'll be able to agree to my licence terms and get some information
>>>> ... etc. ...
>>>>
>>>> So fact is I need an IPFW rule which forwards port 80,443,8080
>>>> traffic to another port, i.e. 8080 --> where my Apache will already
>>>> wait for serving the Captive Portal site back to the request.
>>>>
>>>> So I did read the man and saw something like the fwd rule and the
>>>> kernel option for it - so I added the option, recompiled the kernel
>>>> and gave my firewall the following fwd rule in an extra script:
>>>>
>>>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>>>> 80,443,8080 in via ${LAN_if}
>>>>
>> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add
>> some logging in the rule and add the last one additional deny with
>> the logging.
> Oh-oh ... Can't log right now - have to recompile the kernel before ...
> sorry.
>>> You have to catch it where it is going out and not in. Fwd only works
>>> when packets are outbound.

I think you can forward an incoming packet out again.. I am sure I have
done that.

> I don't think so ?! And what sense would it make? Because think twice
> ... I want to fwd incoming HTTP:80 packages to make them look like
> HTTP:8080 packages ... the outgoing ones are uninteresting because it's
> Apache's job to send back website data on port 8080 where it's listening
> anyway.
>>>
>> But how this works for me?
>>
>> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24
>> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>>
>> rik
>>> John
>>>
> I tried:
>
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup
> in via ath0 keep-state
>
> as well as this one too:
>
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80
> dst-port 8080 setup in via ath0 keep-state
>
> ^^
> But sadly without success - "root$ ipfw show" doesn't even show me at
> least one package going through .... not even blocked ones ... 0 0 ;-)
>
>

what version of FreeBSD.. forwarding was crippled in an early 6.x
revision I think. you needed to add another option as well.

>
>
> But here is my scenario again:
>
> 127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens on
> port 8080.
>
> 192.1.1.0/24 is the ath0 interface where wireless clients will try to
> click http://google:80 BUT accidentally should be fwded & run into my
> PortalSite:8080
> 192.1.1.1 is the interface's IP address. 192.1.1.1:8080 would also
> bring you to the portal site, as well as 127.0.0.1:8080.
>
>
> Regards,
>
> Leander
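A worked version of the rule set discussed in this thread, added here as an example rather than taken from the original posts or from FreeBSD: it matches on `to any` (a client's SYN to google:80 is not addressed `to me`, so the two rules Leander tried could never count a packet), keeps Roman's `setup keep-state` and logging advice, and closes with a logged deny so `ipfw show` counters reveal whether anything is hit. Assumed: the variable names from Leander's script, rule numbers 01000-01200, Apache listening on ${LAN_IP}:8080, and a dry-run `echo` as the default FWCMD so the rules can be reviewed before loading.

```shell
#!/bin/sh
# Captive-portal redirect rules for ipfw (constructed example, not from the thread).
# Assumptions: rules 01000-01200 are free, Apache listens on ${LAN_IP}:${PORTAL_PORT}.
LAN_if="${LAN_if:-ath0}"
LAN="${LAN:-192.1.1.0/24}"
LAN_IP="${LAN_IP:-192.1.1.1}"
PORTAL_PORT="${PORTAL_PORT:-8080}"
# Dry run by default: print the rules instead of loading them. Set FWCMD=ipfw to apply.
FWCMD="${FWCMD:-echo ipfw}"

# Emit the rule set, one "add ..." argument list per line, without touching the kernel.
# Kept in a function so the generated text can be inspected before it is loaded.
captive_portal_rules() {
    # 1. Traffic already addressed to the portal listener passes untouched; without
    #    this, the fwd rule below would also match it and hand it back to itself.
    printf '%s\n' "add 01000 allow tcp from $LAN to $LAN_IP $PORTAL_PORT in via $LAN_if setup keep-state"
    # 2. The redirect: match connections *arriving* on the LAN interface from LAN
    #    hosts to any web port ("to any", not "to me": the client's packet is addressed
    #    to the remote web server) and hand them to the local Apache. 'setup' limits the
    #    match to the SYN; 'keep-state' then carries the rest of the flow; 'log' shows
    #    each match in the firewall log once IPFIREWALL_VERBOSE is enabled.
    printf '%s\n' "add 01100 fwd $LAN_IP,$PORTAL_PORT log tcp from $LAN to any 80,443,8080 in via $LAN_if setup keep-state"
    # 3. Everything else from unregistered clients is denied and logged, so the
    #    packet/byte counters in 'ipfw show' are never all zero while clients are active.
    printf '%s\n' "add 01200 deny log tcp from $LAN to any in via $LAN_if"
}

# Feed each generated rule to $FWCMD (echo by default, ipfw when applying for real).
load_rules() {
    captive_portal_rules | while IFS= read -r rule; do
        # word splitting of $rule into separate ipfw arguments is intended here
        $FWCMD $rule
    done
}

load_rules
```

Forwarding port 443 into a plain-HTTP listener on 8080 only gives clients a TLS handshake failure, so a real portal needs a TLS listener on the forward target or should leave 443 out of the list.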