From: Roman Kurakin <rik@inse.ru>
Date: Mon, 22 Sep 2008 01:04:19 +0400
To: Pawel Jakub Dawidek
Cc: freebsd-net@FreeBSD.org
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <48D6B6D3.7000306@localhost.inse.ru>
In-Reply-To: <20080919075633.GA4333@garage.freebsd.pl>
References: <20080919075633.GA4333@garage.freebsd.pl>
List-Id: Networking and TCP/IP with FreeBSD

Pawel Jakub Dawidek wrote:
> ...or am I missing something?
>
> I've a box running:
>
> FreeBSD whiplash.wheel.pl 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23 11:41:31 CEST 2008 root@puppet.wheel.pl:/usr/obj/usr/src/sys/WHIPLASH i386
>
> I'm also running PF in there with the following rule:
>
> rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88
>
> When I connect from 10.0.1.9 to 10.0.0.2:88 I can see the redirected packet
> leaving the box:
>
> IP 10.0.1.9.43210 > 10.0.0.2.88: S [...]
> IP 10.0.1.9.43210 > 10.0.5.123.88: S [...]
>
> Ok. Now I've a box running:
>
> FreeBSD bridge.wheel.pl 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Thu Sep 11 13:59:06 CEST 2008 root@bridge.wheel.pl:/usr/obj/usr/src/sys/BRIDGE i386
>
> And the following PF rule:
>
> rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88
>
> When I connect from 10.0.0.2 to 10.0.5.123:88 I no longer see the redirected
> packet leaving the box:
>
> IP 10.0.0.2.60806 > 10.0.5.123.88: S [...]
>
> I tried to redirect the packet on the second box with IPFW, but that also failed
> (yes, IPFIREWALL_FORWARD was compiled in).
>
> Did something get broken, or am I missing some configuration hint?

Could it be that the box you are trying to connect from is 10.0.0.2? If this is the case, then the problem is that the rdr rule works only for packets which hit the interface from outside, i.e. the interface on which the rule is set should be the incoming one for the packets, not the outgoing one.

rik
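The direction rule in the reply above, as an added toy model that is not PF code and not part of the original thread: it parses the two rdr rules from the thread and evaluates them against one constructed packet each, assuming (as the reply suggests) that 10.0.0.2 is the second box itself, so its SYN is seen leaving fxp0 rather than entering it.

```python
"""Toy model of PF 'rdr' matching (added example, not PF's own code).

A 'rdr on <if>' rule is evaluated only for packets entering <if>; a
connection the box itself originates leaves <if> outbound and never
matches. Packets below are constructed from the thread's tcpdump lines.
"""
import re
from dataclasses import dataclass

# Subset of the pre-4.7 PF rdr syntax used in the thread (assumption: no lists/ranges).
RDR_RE = re.compile(
    r"rdr on (?P<ifc>\S+) proto (?P<proto>\S+) from (?P<src>\S+) "
    r"to (?P<dst>\S+) port (?P<dport>\d+) -> (?P<ndst>\S+) port (?P<nport>\d+)"
)

@dataclass(frozen=True)
class Packet:
    ifc: str        # interface the packet is seen on
    direction: str  # "in" = entering the interface, "out" = leaving it
    proto: str
    src: str
    dst: str
    dport: int

def parse_rdr(rule: str) -> dict:
    m = RDR_RE.fullmatch(rule.strip())
    if not m:
        raise ValueError(f"unsupported rule: {rule!r}")
    d = m.groupdict()
    d["dport"], d["nport"] = int(d["dport"]), int(d["nport"])
    return d

def apply_rdr(rule: dict, pkt: Packet):
    """Return the rewritten (dst, port) if the rule matches, else None."""
    # The direction test is the whole point: rdr is an inbound-only rule.
    if pkt.direction != "in" or pkt.ifc != rule["ifc"]:
        return None
    if (pkt.proto, pkt.src, pkt.dst, pkt.dport) != (
            rule["proto"], rule["src"], rule["dst"], rule["dport"]):
        return None
    return rule["ndst"], rule["nport"]

# Box 1 (whiplash): SYN from another host enters fxp0, so the rule applies.
BOX1_RULE = "rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88"
BOX1_PKT = Packet("fxp0", "in", "tcp", "10.0.1.9", "10.0.0.2", 88)

# Box 2 (bridge): assuming 10.0.0.2 is the box itself, its SYN leaves fxp0 outbound.
BOX2_RULE = "rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88"
BOX2_PKT = Packet("fxp0", "out", "tcp", "10.0.0.2", "10.0.5.123", 88)

def demo():
    return apply_rdr(parse_rdr(BOX1_RULE), BOX1_PKT), apply_rdr(parse_rdr(BOX2_RULE), BOX2_PKT)

if __name__ == "__main__":
    print(demo())  # (('10.0.5.123', 88), None)
```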