From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-net@freebsd.org
Cc: Pawel Jakub Dawidek
Date: Fri, 19 Sep 2008 15:38:02 +0200
Subject: Re: Firewall redirect doesn't work any more...
Message-Id: <200809191538.02698.max@love2party.net>
In-Reply-To: <20080919121602.GC4333@garage.freebsd.pl>
References: <20080919075633.GA4333@garage.freebsd.pl> <20080919121602.GC4333@garage.freebsd.pl>
On Friday 19 September 2008 14:16:02 Pawel Jakub Dawidek wrote:
> On Fri, Sep 19, 2008 at 09:56:33AM +0200, Pawel Jakub Dawidek wrote:
> > ...or am I missing something?
> >
> > I've a box running:
> >
> > FreeBSD whiplash.wheel.pl 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23 11:41:31 CEST 2008 root@puppet.wheel.pl:/usr/obj/usr/src/sys/WHIPLASH i386
> >
> > I'm also running PF in there with the following rule:
> >
> > rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88
> >
> > When I connect from 10.0.1.9 to 10.0.0.2:88 I can see the redirected packet leaving the box:
> >
> > IP 10.0.1.9.43210 > 10.0.0.2.88: S [...]
> > IP 10.0.1.9.43210 > 10.0.5.123.88: S [...]
> >
> > Ok. Now I've a box running:
> >
> > FreeBSD bridge.wheel.pl 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Thu Sep 11 13:59:06 CEST 2008 root@bridge.wheel.pl:/usr/obj/usr/src/sys/BRIDGE i386
> >
> > And the following PF rule:
> >
> > rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88
> >
> > When I connect from 10.0.0.2 to 10.0.5.123:88 I no longer see the redirected packet leaving the box:
> >
> > IP 10.0.0.2.60806 > 10.0.5.123.88: S [...]
> >
> > I tried to redirect the packet on the second box with IPFW, but that also failed (yes, IPFIREWALL_FORWARD was compiled in).
> >
> > Did something get broken, or am I missing some configuration hint?
>
> I downgraded to 7.0-RELEASE and the problem was still there, but I found a work-around - one needs to set net.inet.ip.forwarding to 1, even though the packet is not forwarded between interfaces (everything is related to fxp0 only).

I might be wrong, but I don't think we ever supported rdr without net.inet.ip.forwarding enabled.
Maybe to a different local address, but even then you'd need net.inet.ip.check_interface=0. Looking at the code, I don't see where IPFW forwarding fails (as it has its own ip_forward() call), though.

-- 
Best regards,
Max Laier | mlaier@freebsd.org
http://pf4freebsd.love2party.net/
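An added example, not code from the thread or from the PF project, that turns the reasoning in the reply above into a small pre-flight check: it parses rdr rules and reports which sysctl each redirect target depends on. The addresses held by the PF box, the two extra rules and the sysctl values are constructed assumptions; only the two rdr rules quoted in the thread are from the page.

```python
import re

# Constructed input: the two rdr rules quoted in the thread plus two extra
# rules (an assumption, not from the thread) that exercise the other cases.
PF_CONF = """\
rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88
rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88
rdr on fxp0 proto tcp from any to 10.0.0.2 port 8088 -> 10.0.5.1 port 88
rdr on fxp0 proto tcp from any to 10.0.0.2 port 8089 -> 10.0.0.2 port 89
"""
# Constructed: addresses the PF box itself holds (assumption; the thread does
# not list them) and the sysctl state of a box where rdr stopped working.
LOCAL_ADDRS = {"fxp0": {"10.0.0.2"}, "fxp1": {"10.0.5.1"}}
SYSCTLS = {"net.inet.ip.forwarding": 0, "net.inet.ip.check_interface": 1}
RDR_RE = re.compile(
    r"^rdr\s+on\s+(?P<ifname>\S+)(?:\s+proto\s+\S+)?\s+from\s+\S+\s+to\s+"
    r"(?P<dst>\S+)(?:\s+port\s+\S+)?\s+->\s+(?P<target>\S+)(?:\s+port\s+\S+)?$"
)

def parse_rdr(line):
    """Return (ifname, dst, target) for an rdr rule, None for any other line."""
    m = RDR_RE.match(line.strip())
    return (m["ifname"], m["dst"], m["target"]) if m else None

def required_sysctl(ifname, target, local_addrs):
    """Sysctl a redirect to `target` depends on, following the reply above:
    a non-local target is forwarded, so net.inet.ip.forwarding must be 1; a
    local target on another interface than `ifname` is dropped unless
    net.inet.ip.check_interface is 0; a local target on `ifname` needs nothing."""
    owner = next((i for i, a in local_addrs.items() if target in a), None)
    if owner is None:
        return ("net.inet.ip.forwarding", 1)
    if owner != ifname:
        return ("net.inet.ip.check_interface", 0)
    return None

def audit(pf_conf, local_addrs, sysctls):
    """List rdr rules whose prerequisite sysctl is not set ([] means none)."""
    findings = []
    for line in pf_conf.splitlines():
        parsed = parse_rdr(line)
        if parsed is None:
            continue
        ifname, dst, target = parsed
        need = required_sysctl(ifname, target, local_addrs)
        if need and sysctls.get(need[0]) != need[1]:
            findings.append(f"{dst} -> {target} on {ifname}: set {need[0]}={need[1]}")
    return findings
```

Running `audit(PF_CONF, LOCAL_ADDRS, SYSCTLS)` flags the two quoted rules (forwarding needed) and the cross-interface rule (check_interface needed), and nothing for the same-interface redirect.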