Date: Thu, 10 Feb 2005 11:56:34 +0200
From: "Chris Knipe" <savage@savage.za.org>
To: "Kelly Yancey" <kbyanc@posi.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd
Message-ID: <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com>
References: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com> <20050209172905.W66973@gateway.posi.net>
>> FreeBSD 4.11-STABLE, running ipfw2.
>>
>> root@wsmd-core02:/home/cknipe# ifconfig vlan1
>> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
>>         inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>>         ether 00:08:a1:7a:b1:44
>>         media: Ethernet autoselect (100baseTX)
>>         status: active
>>         vlan: 200 parent interface: rl0
>>
>> ipfw2:
>> 00400      0        0 allow tcp from 198.19.0.36 to any dst-port 80
>> 00401     12      652 allow tcp from 198.19.0.35 to any dst-port 25
>> 00402     13      668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
>> 00403      2      120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
>>
>>
>> However, packets that are forwarded never connect to the destination where
>> it is forwarded to. And yes, I did check the obvious, everything is up and
>> running.... Is there some sysctl magic or something required to make this
>> work? I can fwd without a problem to the SAME BOX, but I cannot seem to get
>> it to work to fwd to remote machines. In case someone is wondering, this is
>> for transparent proxy / smtp servers.
>>
>> --
>> Chris.
>>
>
> I don't suppose you're getting bitten by:
>
>      "The fwd action does not change the contents of the packet at
>       all. In particular, the destination address remains
>       unmodified, so packets forwarded to another system will usually
>       be rejected by that system unless there is a matching rule on
>       that system to capture them."
>
> The ipfw(8) man page is a little vague with the phrasing "matching
> rule on that system to capture them". Normally systems don't process
> packets locally that are not destined for it. You can use tcpdump on
> the remote box to verify for yourself that the fwd is working correctly
> and that the remote box is receiving the packets. The remote box just
> doesn't know what to do with the packets it is receiving.

I never even saw this before in the man page... I'll have to look a bit closer.

I did check prior to posting (sorry, I should have mentioned), no packets are picked up on the host that I forward to... Are there any other ways to accomplish this?? natd???? I want to try and stay away from natd, because if I do this with NATD, there's going to be a lot of other issues I need to fix as well.....

--
Chris
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?004e01c50f56$ce47c020$0a01a8c0>
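Kelly's point is that `fwd` only changes where the packet is sent next, not the destination in its IP header, so the proxy box sees a packet addressed to some web server and has no reason to hand it to a socket on port 3128. The model below is an added illustration, not code from the thread or from ipfw: it replays the posted wsmd-core02 rules 400 and 402 against a client address in 198.19.0.32/27 and a web-server address that are both constructed, then shows what 198.19.0.36 does with the packet without and with a capture rule of its own (that capture rule is constructed from the man-page wording, not something the thread supplies).

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    next_hop: Optional[Tuple[str, int]] = None  # set by fwd; the IP header is untouched

@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                 # "allow" or "fwd"
    src_net: str
    dport: int
    target: Optional[Tuple[str, int]] = None    # (addr, port) for fwd

def apply_rules(pkt: Packet, rules: List[Rule]) -> Tuple[Optional[int], Packet]:
    """First matching rule wins, as in ipfw. fwd records a next hop and nothing else."""
    for r in sorted(rules, key=lambda r: r.number):
        if ipaddress.ip_address(pkt.src) in ipaddress.ip_network(r.src_net) and pkt.dport == r.dport:
            return r.number, (replace(pkt, next_hop=r.target) if r.action == "fwd" else pkt)
    return None, pkt

def local_delivery(pkt: Packet, local_addrs: set, rules: List[Rule]) -> Optional[int]:
    """Local port a packet reaches on the receiving host, or None if the host has no reason to keep it."""
    _, p = apply_rules(pkt, rules)
    if p.next_hop is not None and p.next_hop[0] in local_addrs:
        return p.next_hop[1]        # captured by this host's own fwd rule
    if p.dst in local_addrs:
        return p.dport              # addressed to this host in the first place
    return None                     # not ours: routed on or dropped, never the proxy socket

CORE_RULES = [                      # the two posted wsmd-core02 rules that matter for port 80
    Rule(400, "allow", "198.19.0.36/32", 80),
    Rule(402, "fwd", "198.19.0.32/27", 80, ("198.19.0.36", 3128)),
]
PROXY_ADDRS = {"198.19.0.36", "127.0.0.1"}
# Capture rule for the proxy box itself (constructed, not from the thread): same match as
# rule 402, but the next hop is now one of its own addresses, so the packet lands on 3128.
PROXY_CAPTURE = [Rule(402, "fwd", "198.19.0.32/27", 80, ("127.0.0.1", 3128))]

def trace(proxy_rules: List[Rule], client="198.19.0.40", web="203.0.113.10") -> Optional[int]:
    """A client in the /27 (constructed address) opens port 80 to a web server (constructed);
    return the port the packet reaches on 198.19.0.36 after wsmd-core02 forwards it there."""
    num, pkt = apply_rules(Packet(client, web, 80), CORE_RULES)
    assert num == 402 and pkt.dst == web    # forwarded, yet still addressed to the web server
    arrived = replace(pkt, next_hop=None)   # the next hop is link-level; it never rides in the header
    return local_delivery(arrived, PROXY_ADDRS, proxy_rules)
```

Rule 400 is what keeps the proxy's own outbound port-80 connections from matching rule 402 again, which is why `apply_rules` keeps ipfw's lowest-number-first ordering.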