Date: Mon, 21 Feb 2005 16:36:21 +0200
From: Aragon Gouveia <aragon@phat.za.net>
To: questions@freebsd.org
Subject: ipfw fwd problem - FreeBSD 5.3
Message-ID: <20050221143621.GA75237@phat.za.net>
Hi,

I'm running a 5.3 gateway/proxy. To it is connected an ADSL modem with the 5.3 box performing the PPPoE, as well as a cisco router on another ethernet interface. My default route is out the ADSL line (tun0), but I need to be able to forward packets matched on the basis of destination port to the cisco router. I've been doing this for over a year using ipfw fwd. However, I recently upgraded from 4.7 to 5.3 and since then my ruleset no longer works. I've torn the ruleset down to just basic divert and fwd rules and just can't seem to get it behaving as it did before.

My internal LAN interface is rl0. Interface to cisco router [9.9.9.9] is vx0 [8.8.8.8]. ADSL is connected to rl0, but after PPPoE encap it's tun0.

My rules:

  150 divert 8668 tcp from 192.168.0.2 to any dst-port 22 out recv rl0
  160 count log tcp from any to 1.2.3.4 dst-port 22
  200 fwd log 9.9.9.9 tcp from 8.8.8.8 to any dst-port 22
  210 count log tcp from any to 1.2.3.4 dst-port 22

When I ssh from 192.168.0.2 to 1.2.3.4 this is what is logged:

  Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
  Feb 21 16:39:57 <security.info> draper kernel: ipfw: 210 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
  Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
  Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
  Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
  Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0

I am running PPP with -nat as well as a natd process. Any packets that are routed out the ADSL will have their source address rewritten by PPP. The separate natd process is aliasing for vx0's address of 8.8.8.8.

From what I can see above, my packets are being rewritten by rule 150 and they are matching the fwd rule at 200, but they simply aren't being forwarded as specified in the rule. Instead they're going via the default route. The end result is that the source address is rewritten again by PPP and, of course, the packet goes out the wrong interface.

Anyone know what's up with this?

Thanks,
Aragon
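Added example, not part of the original message: a small Python checker that parses ipfw(8) log lines like the ones quoted above, groups them into flows by source port and destination (the source address changes under NAT, the port does not), and flags a logged "Forward to" action that is never followed by the same flow leaving via the interface the next hop sits on (vx0 in the message). The assumption behind the check is that a working fwd would produce a later "out via vx0" hit on the interface-agnostic count rule 160.

```python
import re
from collections import defaultdict

# Constructed sample: the six ipfw syslog lines quoted in the message above.
SAMPLE_LOG = """\
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 210 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
"""

# TCP/UDP lines only; ICMP log lines carry no ports and are skipped.
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>.+?) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def parse_log(text):
    """Return one dict per parseable ipfw log line, in file order."""
    return [m.groupdict() for m in (LOG_RE.search(l) for l in text.splitlines()) if m]

def flows(records):
    """Group records by (proto, sport, dst, dport): natd/ppp rewrite the source
    address along the way but leave the source port alone, so port plus
    destination identifies one connection on both sides of the NAT."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["proto"], r["sport"], r["dst"], r["dport"])].append(r)
    return by_flow

def check_forward(records, expected_iface):
    """For each flow with a logged 'Forward to' action, report the flow and its
    next hop if no later record shows the packet going out via expected_iface.
    Returns a list of (flow_key, next_hop) tuples; empty means fwd took effect."""
    stuck = []
    for key, recs in flows(records).items():
        fwd = [i for i, r in enumerate(recs) if r["action"].startswith("Forward to")]
        if not fwd:
            continue
        rerouted = any(r["dir"] == "out" and r["iface"] == expected_iface
                       for r in recs[fwd[0] + 1:])
        if not rerouted:
            stuck.append((key, recs[fwd[0]]["action"].split()[-1]))
    return stuck
```

On the sample above, check_forward(parse_log(SAMPLE_LOG), "vx0") reports the ssh flow with next hop 9.9.9.9, matching the symptom described. One thing worth verifying first on 5.x is that the running kernel was built with options IPFIREWALL_FORWARD, which the ipfw(8) manual page of that era lists as a requirement for the fwd action.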
