Date: Fri, 02 Feb 2001 06:48:03 -0800
From: Julian Elischer <julian@elischer.org>
To: Nick Rogness <nick@rapidnet.com>
Cc: freebsd-net@freebsd.org
Subject: Re: ipfw fwd
Message-ID: <3A7AC8A3.3DC68FCD@elischer.org>
References: <Pine.BSF.4.21.0101270147530.6443-100000@rapidnet.com>
Nick Rogness wrote:
>
> Couple of comments on ipfw fwd.
>
> After playing around with the forward feature of ipfw, I ran into a couple
> of interesting things. First let me give you my test lab environment
> diagram:
>
>                        Internet
>                           |
>                          xl0
>                           |
> 192.168.10.1 ----ed1---FreeBSD
>                           |
>                          fxp0
>                           |
>                     192.168.20.0/24
>
> After adding the command:
>
> ipfw add 100 fwd 192.168.10.1 tcp from any to any 80 in via fxp0
>
> I see no packet arrive at host 192.168.10.1. Do forwarded packets
> re-enter the firewall for a given outgoing interface? In this case
> ed1? Or are they somehow skipped and just routed out the interface after
> a match is made? The man page says:
>
>      fwd ipaddr[,port]
>              Change the next-hop on matching packets to ipaddr, which can be
>              an IP address in dotted quad or a host name. If ipaddr is not a
>              directly-reachable address, the route as found in the local
>              routing table for that IP is used instead. If ipaddr is a local
>              address, then on a packet entering the system from a remote host
>              it will be diverted to port on the local machine, keeping the
>              local address of the socket set to the original IP address the
>              packet was destined for. This is intended for use with
>              transparent proxy servers. If the IP is not a local address then
>              the port number (if specified) is ignored and the rule only
>              applies to packets leaving the system. This will also map
>              addresses to local ports when packets are generated locally.
>              The search terminates if this rule matches. If the port number
>              is not given then the port number in the packet is used, so that
>              a packet for an external machine port Y would be forwarded to
>              local port Y. The kernel must have been compiled with the
>              IPFIREWALL_FORWARD option.
>
> After changing the above ipfw command to 'out via xl0' I start seeing
> incoming packets on the 192.168.10.1 host. Do IPFW Forward rules only
> apply to outgoing style rules?
Yes, read the paragraph above:

    If the IP is not a local address then the port number (if specified)
    is ignored and the rule only applies to packets leaving the system.

and

    If ipaddr is a local address, then on a packet entering the system
    from a remote host it will be diverted to port on the local machine,
    keeping the local address of the socket set to the original IP
    address the packet was destined for.

In other words, you want a rule with

    fwd 192.168.10.1 tcp from any to any 80 out rcv fxp0 xmit xl0

on the gateway so that it only matches http requests from clients on the
local net but NOT requests from your proxy. Then on the proxy you must
have the rule:

    fwd 127.0.0.1:3187 tcp from 192.168.20.0/24 80 in rcv [interface]

so that the packets are 'captured' on that machine instead of being dumped.

>
> Nick Rogness
>  - Keep on routing in a Free World...
>   "FreeBSD: The Power to Serve"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-net" in the body of the message

--
      __--_|\  Julian Elischer
     /       \ julian@elischer.org
    (   OZ    ) World tour 2000-2001
---> X_.---._/
            v
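The fwd semantics quoted from ipfw(8) above, as an added example that is not part of the thread or of ipfw itself: a small Python model of when a fwd rule takes effect (local next-hop diverts packets entering the host; non-local next-hop only changes packets leaving it), replayed against the lab in the thread. The gateway's own addresses, the proxy's inbound interface (ed0) and the destination web server (203.0.113.10) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str; dst: str; dport: int
    direction: str                  # "in" (entering the host) or "out" (leaving it)
    rcv_if: Optional[str] = None    # interface the packet arrived on
    xmit_if: Optional[str] = None   # interface the packet will leave on

@dataclass
class FwdRule:
    nexthop: str; port: Optional[int]
    direction: str                  # "in" or "out" keyword of the rule
    src_net: str = "0.0.0.0/0"; dport: Optional[int] = None
    rcv: Optional[str] = None; xmit: Optional[str] = None   # 'rcv <if>' / 'xmit <if>'

def matches(rule: FwdRule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.dport is None or rule.dport == pkt.dport)
            and ip_address(pkt.src) in ip_network(rule.src_net)
            and (rule.rcv is None or rule.rcv == pkt.rcv_if)
            and (rule.xmit is None or rule.xmit == pkt.xmit_if))

def fwd_effect(rule: FwdRule, pkt: Packet, local_addrs: set) -> Optional[tuple]:
    """Forwarding effect of rule on pkt per ipfw(8), or None if nothing is changed."""
    if not matches(rule, pkt):
        return None
    if rule.nexthop in local_addrs:
        # Local next-hop: only a packet entering from a remote host is diverted, to the
        # rule's port (or the packet's own); the socket keeps the original destination.
        return ("divert", rule.nexthop, rule.port or pkt.dport, pkt.dst) if pkt.direction == "in" else None
    # Non-local next-hop: the port is ignored and only packets leaving the system change.
    return ("nexthop", rule.nexthop) if pkt.direction == "out" else None

def demo() -> dict:
    """Replay the thread's lab with constructed packets (gateway/proxy addresses assumed)."""
    gw_local = {"192.168.20.1", "192.168.10.2"}                 # assumed gateway addresses
    http_in = Packet("192.168.20.5", "203.0.113.10", 80, "in", rcv_if="fxp0")
    http_out = Packet("192.168.20.5", "203.0.113.10", 80, "out", "fxp0", "xl0")
    proxy_own = Packet("192.168.10.1", "203.0.113.10", 80, "out", "ed1", "xl0")
    original = FwdRule("192.168.10.1", None, "in", dport=80, rcv="fxp0")            # Nick's rule
    fixed = FwdRule("192.168.10.1", None, "out", dport=80, rcv="fxp0", xmit="xl0")  # Julian's gateway rule
    proxy = FwdRule("127.0.0.1", 3187, "in", "192.168.20.0/24", 80, rcv="ed0")     # on the proxy; ed0 assumed
    on_proxy = Packet("192.168.20.5", "203.0.113.10", 80, "in", rcv_if="ed0")
    return {"original": fwd_effect(original, http_in, gw_local),        # None: why nothing arrived
            "fixed": fwd_effect(fixed, http_out, gw_local),             # next hop rewritten
            "proxy_own": fwd_effect(fixed, proxy_own, gw_local),        # None: rcv fxp0 excludes proxy
            "proxy": fwd_effect(proxy, on_proxy, {"127.0.0.1", "192.168.10.1"})}  # diverted to :3187
```

The "original" entry being None reproduces the symptom reported in the thread: an 'in' rule with a non-local next-hop never changes the packet's route.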