From: Ian FREISLICH <ianf@hetzner.co.za>
To: Chris Knipe
cc: freebsd-ipfw@freebsd.org, Kelly Yancey
Subject: Re: ipfw fwd
Date: Fri, 11 Feb 2005 06:34:24 +0200
In-Reply-To: Message from "Chris Knipe" <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com>
List-Id: IPFW Technical Discussions

"Chris Knipe" wrote:
> >> 00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
> >> 00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
> >> 00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
> >> 00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
> >>
> >> However, packets that are forwarded never connect to the
> >> destination where they are forwarded to. And yes, I did check the
> >> obvious, everything is up and running.... Is there some sysctl
> >> magic or something required to make this work? I can fwd without
> >> a problem to the SAME BOX, but I cannot seem to get it to work to
> >> fwd to remote machines. In case someone is wondering, this is for
> >> transparent proxy / smtp servers.
> >
> > I don't suppose you're getting bitten by:
> >
> > "The fwd action does not change the contents of the packet at
> > all. In particular, the destination address remains unmodified, so
> > packets forwarded to another system will usually be rejected by that
> > system unless there is a matching rule on that system to capture
> > them."
> >
> > The ipfw(8) man page is a little vague with the phrasing "matching
> > rule on that system to capture them". Normally systems don't
> > process packets locally that are not destined for them. You can use
> > tcpdump on the remote box to verify for yourself that the fwd is
> > working correctly and that the remote box is receiving the packets.
> > The remote box just doesn't know what to do with the packets it is
> > receiving.
>
> I never even saw this before in the man page... I'll have to look
> a bit closer. I did check prior to posting (sorry, I should have
> mentioned), no packets are picked up on the host that I forward to...

I think that you might need to set net.inet.ip.forwarding=1 on the
server that you're forwarding the packets to. Unless this is turned
on, the server won't act as a router, and unless it's a router it
won't accept packets that are not addressed to it in order to forward
them on.

Ian

--
Ian Freislich
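The tcpdump check Kelly describes, as an added example that is not from the thread: it counts, in a constructed `tcpdump -n` sample (the rule addresses are Chris's; the web server 203.0.113.10 is assumed), packets that reached the box named in the fwd rule but still carry the original server's destination address, which is exactly the situation the quoted man page text describes.

```shell
#!/bin/sh
# Constructed sample of "tcpdump -n" output as it might look on the box
# named in rule 00402 (198.19.0.36). The external server 203.0.113.10 is
# an assumed address; none of these lines come from a real capture.
SAMPLE_CAPTURE='06:34:24.000001 IP 198.19.0.40.51234 > 203.0.113.10.80: Flags [S], seq 1, win 65535
06:34:24.000002 IP 198.19.0.41.51235 > 203.0.113.10.80: Flags [S], seq 2, win 65535
06:34:24.000003 IP 198.19.0.42.51236 > 198.19.0.36.3128: Flags [S], seq 3, win 65535
06:34:24.000004 IP 198.19.0.36.3128 > 198.19.0.42.51236: Flags [S.], seq 4, ack 4, win 65535'

# Read tcpdump lines on stdin and count those whose destination port is $2
# but whose destination IP is not this box's own address $1. ipfw fwd only
# changes the next hop, so forwarded HTTP packets arrive here still
# addressed to the original web server; such packets show the fwd works
# at the sending end and that this box is discarding them as "not for me".
count_foreign_dst() {
    awk -v ip="$1" -v port="$2" '
        {
            # the destination is the token after ">", e.g. "203.0.113.10.80:"
            dst = ""
            for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
            if (dst == "") next
            sub(/:$/, "", dst)
            n = split(dst, p, ".")
            if (n != 5) next            # IPv4 address plus port = 5 parts
            dport = p[5]
            dip = p[1] "." p[2] "." p[3] "." p[4]
            if (dport == port && dip != ip) c++
        }
        END { print c + 0 }'
}

# Run the check over the constructed sample; on a real host replace the
# printf with something like: tcpdump -n -i <iface> tcp dst port 80
foreign=$(printf '%s\n' "$SAMPLE_CAPTURE" | count_foreign_dst 198.19.0.36 80)
echo "forwarded port-80 packets not addressed to this box: $foreign"
```

A count of zero means the packets are not reaching the box at all and the problem is upstream of it; a nonzero count means they arrive but are dropped because the host is not their IP destination, so a fwd rule on the sending side alone cannot complete the connection.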