Date: Wed, 28 Nov 2007 17:46:15 +0800
From: "Sepherosa Ziehau" <sepherosa@gmail.com>
To: "Sam Wun" <swun2010@gmail.com>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help
Message-ID: <ea7b9c170711280146x5cbfb1aclab70ec3308364849@mail.gmail.com>
In-Reply-To: <736c47cb0711280051j63596f22tffce5e734d9712e@mail.gmail.com>
References: <736c47cb0711271803o46dd89d8te49d5969fd358d15@mail.gmail.com>
 <ea7b9c170711271940m70bb41c2se39a15d3519b98f8@mail.gmail.com>
 <736c47cb0711272018k1e40b1b7v7edfa1d2b5d50891@mail.gmail.com>
 <ea7b9c170711272212x3c0faf9eg6b314669431a821b@mail.gmail.com>
 <736c47cb0711280021g2ad48ec2g7bdc0246f027c3b6@mail.gmail.com>
 <ea7b9c170711280045v76974a44u8a41733df91355d3@mail.gmail.com>
 <736c47cb0711280051j63596f22tffce5e734d9712e@mail.gmail.com>
On Nov 28, 2007 4:51 PM, Sam Wun <swun2010@gmail.com> wrote:
> On Nov 28, 2007 7:45 PM, Sepherosa Ziehau <sepherosa@gmail.com> wrote:
> > On Nov 28, 2007 4:21 PM, Sam Wun <swun2010@gmail.com> wrote:
> > > On Nov 28, 2007 5:12 PM, Sepherosa Ziehau <sepherosa@gmail.com> wrote:
> > > > On Nov 28, 2007 12:18 PM, Sam Wun <swun2010@gmail.com> wrote:
> > > > > I have read the manpages and freebsd handbook more than 20 times.
> > > >
> > > > Oh? Then I think you must have read this in the ipfw manpage:
> > > > ...
> > > > The fwd action does not change the contents of the packet at all. In
> > > > particular, the destination address remains unmodified, so packets
> > > > forwarded to another system will usually be rejected by that system
> > > > unless there is a matching rule on that system to capture them.
> > > > ...
> > >
> > > OK, I misread that. Does that mean I need to implement a rule in the
> > > internal web server?
> >
> > IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
> > with the in-kernel NAT.
>
> Can you suggest where I can add a new divert rule in my current ipfw rule set?
> belmore# ipfw list
> 00001 allow udp from any to any dst-port 500
> 00001 allow esp from any to any
> 00001 allow esp from any to any
> 00001 allow ipencap from any to any
> 00001 allow ipencap from any to any

The following three rules are not necessary. Depending on your need, you
may also want to reconstruct the rules after the divert one.

> 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> 00040 allow tcp from any to 220.233.24.213 dst-port 80 in
> 00041 allow tcp from 192.168.1.222 to any out
> 00050 divert 8668 ip4 from any to any via tun0
> 00100 allow ip from any to any via lo0
> 00150 allow ip from any to any via rl1
> 00200 deny ip from any to 127.0.0.0/8
> 00250 allow ip from any to any via lo0
> 00300 deny ip from 127.0.0.0/8 to any
> 00350 allow ip from any to any via gif* keep-state
> 00450 allow udp from any to any dst-port 53 in keep-state
> 00550 allow tcp from any to any dst-port 22 in keep-state
> 00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
> 00750 allow tcp from any to any dst-port 1080-60000 in keep-state
> 00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
> 00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
> 01050 allow tcp from any to any out keep-state
> 65000 allow ip from any to any
> 65535 allow ip from any to any
>
> Here is the current rc.conf:
> natd_program="/sbin/natd"
> natd_enable="yes"
> natd_interface="tun0" # interface name of public Internet NIC
> natd_flags="-dynamic -m" # -m = preserve port numbers if possible
> #natd_flags="-f /etc/natd.conf"
>
> and the content of natd.conf:
> belmore# cat natd.conf
> dynamic yes
> redirect_port tcp 192.168.1.222:80 80
>
> Thanks
>
> S
>
> > Best Regards,
> > sephe
> >
> > > I think I just need to install rinet in this freebsd router for the
> > > port forwarding.
> > >
> > > Thanks
> > >
> > > > Best Regards,
> > > > sephe
> > > >
> > > > > On Nov 28, 2007 2:40 PM, Sepherosa Ziehau <sepherosa@gmail.com> wrote:
> > > > > > On Nov 28, 2007 10:03 AM, Sam Wun <swun2010@gmail.com> wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I setup the following ipfw rules in freebsd 6.2:
> > > > > > > belmore# ipfw list
> > > > > > > 00001 allow udp from any to any dst-port 500
> > > > > > > 00001 allow esp from any to any
> > > > > > > 00001 allow esp from any to any
> > > > > > > 00001 allow ipencap from any to any
> > > > > > > 00001 allow ipencap from any to any
> > > > > > > 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> > > > > >
> > > > > > I don't think this does the rdr you intended. Please take a look at
> > > > > > the ipfw manpage.
> > > > > >
> > > > > > Best Regards,
> > > > > > sephe
> > > > > >
> > > > > > > I don't know what is wrong that the freebsd server (6.2) can't
> > > > > > > redirect/forward http requests to an internal server (web server -
> > > > > > > 192.168.1.222).
> > > > > > >
> > > > > > > Can anyone please give suggestions to modify these rules?
> > > > > > > Or can you please post your workable ipfw rules that achieved the same goal?
> > > > > > >
> > > > > > > Thanks
> > > > > > > S
> > > > > > > _______________________________________________
> > > > > > > freebsd-ipfw@freebsd.org mailing list
> > > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > > > > > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> > > > > >
> > > > > > --
> > > > > > Live Free or Die
> > > >
> > > > --
> > > > Live Free or Die
> >
> > --
> > Live Free or Die

--
Live Free or Die