Date: Wed, 9 Feb 2005 17:38:35 -0800 (PST) From: Kelly Yancey <kbyanc@posi.net> To: Chris Knipe <savage@savage.za.org> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw fwd Message-ID: <20050209172905.W66973@gateway.posi.net> In-Reply-To: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
On Wed, 9 Feb 2005, Chris Knipe wrote:
> Lo all,
>
> FreeBSD 4.11-STABLE, running ipfw2.
>
> root@wsmd-core02:/home/cknipe# ifconfig vlan1
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
> inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
> ether 00:08:a1:7a:b1:44
> media: Ethernet autoselect (100baseTX)
> status: active
> vlan: 200 parent interface: rl0
>
> ipfw2:
> 00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
> 00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
> 00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
> 00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
>
>
> However, packets that are forwarded never connect to the destination they
> are forwarded to. And yes, I did check the obvious, everything is up and
> running.... Is there some sysctl magic or something required to make this
> work? I can fwd without a problem to the SAME BOX, but I cannot seem to get
> it to work to fwd to remote machines. In case someone is wondering, this is
> for transparent proxy / smtp servers.
>
> --
> Chris.
>
I don't suppose you're getting bitten by:
"The fwd action does not change the contents of the packet at
all. In particular, the destination address remains
unmodified, so packets forwarded to another system will usually
be rejected by that system unless there is a matching rule on
that system to capture them."
The ipfw(8) man page is a little vague with the phrasing "matching
rule on that system to capture them". Normally systems don't process
packets locally that are not destined for them. You can use tcpdump on
the remote box to verify for yourself that the fwd is working correctly
and that the remote box is receiving the packets. The remote box just
doesn't know what to do with the packets it is receiving.
Kelly
--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
government or information to the people. This last is the most certain and
the most legitimate engine of government."
-- Thomas Jefferson to James Madison, 1787.
