Date: Sun, 12 Dec 1999 22:48:28 +0700
From: Alexei Sokolski <aleks@post.krascience.rssi.ru>
To: Roelof Osinga <roelof@nisser.com>
Cc: freebsd-stable@freebsd.org
Subject: Re[2]: ifpw forwarding problem
Message-ID: <2950.991212@cc.krascience.rssi.ru>
In-Reply-To: <384FFEC6.276F4A1E@nisser.com>
References: <384FFEC6.276F4A1E@nisser.com>
[-- Attachment #1 --]
Hello,
On 10 Dec 1999, Roelof Osinga wrote:
> OK, here it comes. A fresh set of data. This is how it is *now*. Thus
> with FORWARD disabled. Some testscripts are at the end. Maybe you
> can spot the error, I sure can't.
I can't find an error in YOUR scripts.
But I found something wrong in the way ipfw works... (or not?)
I have a FreeBSD gateway with natd and two interfaces:
The first is public, de0 - 193.x.x.121.
The second is local, rl0 - 172.16.0.14.
One web server at 172.16.0.101:80 and an HTTP client (172.16.0.2). All of
them are connected to a 10Base-T hub.
I run a network analyser on the client machine with the capture filter:
"catch from any_ether to any_ether"
I am trying to make a redirection from my gateway to my local web server, from the
Internet and from the local network.
Don't ask me why I did it :^(
I did several small experiments:
1) For redirection from the Internet I added a rule to the natd configuration:
-redirect_port tcp 193.x.x.121:80 172.16.0.101:80
And this works.
2) I made a forward like Roelof Osinga:
ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 8080 in via rl0
In this case the analyser shows a series of packets:
a) from client to gateway to open a TCP connection on port 8080
b) and my gateway writes in the log file:
Connection attempt to TCP 172.16.0.14:8080 from 172.16.0.2:some_ports
3) I made a forward:
ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 8080
In this case the analyser shows packets
a) from client to gateway - opening a connection on port 8080
b) from gateway to web server to open a TCP connection to port 8080 (!!!).
There is no service on the web server on port 8080, therefore the client times out
:^((
4) In man ipfw(8) it is written:
...
fwd ipaddr [,port]
...
This is intended for use with transparent proxy
servers.
...
And I decided to try a forward like this (from port 80 to port 80):
ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 80 in via rl0
In this case the analyser shows a series of packets:
a) from client to gateway to open a TCP connection on port 80
b) and my gateway writes in the log file:
Connection attempt to TCP 172.16.0.14:80 from 172.16.0.2:some_ports
5) Then I made a forward (maybe it works):
ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 80
In this case the analyser shows a series of packets
a) from client to gateway - opening a connection on port 80
b) from gateway to web server to open a TCP connection to port 80.
c) from gateway to client - icmp: Redirect, Use Gateway 172.16.00.14,
to reach 172.16.00.14 (!!!)
This repeats many times without success, therefore the client times out :^((
So, I have a problem (me or everyone?):
Can I make a redirect from IP1:port1 to IP2:port2 with "ipfw .. fwd ..."?
Or must I use one more natd for that?
All information about the machine is in the files:
$uname -a uname-a
$ifconfig -a ifconfig-a
$ipfw list ipfw_list
file KERNEL ICMSBRAS
P.S. One more question
In FreeBSD 2.2.6 with natd on port 8668 on my machine I had:
$netstat -an
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.xxx *.* LISTEN
divert 0 0 *.8668 *.* LISTEN
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
Now when I run natd I have a line with icmp:
$netstat -an
Proto Recv-Q Send-Q Local Address Foreign Address (state)
icmp 0 0 *.* *.*
tcp 0 0 *.XXX *.* LISTEN
Active UNIX domain sockets
Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr
Can you tell me why???
-----------
Thank you for your help, Sokolski Alexei
engineer of technical laboratory
ICM SB RAS
[-- Attachment #2 --]
FreeBSD ak11.krascience.rssi.ru 3.3-RELEASE FreeBSD 3.3-RELEASE #0: Mon Dec 6 21:26:41 KRAT 1999 aleks@ksc.krasn.ru:/usr/src/sys/compile/ICMSBRAS i386
[-- Attachment #3 --]
de0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
inet 193.xx.xx.66 netmask 0xffffffc0 broadcast 193.xx.xx.127
inet 193.xx.xx.121 netmask 0xffffffff broadcast 193.xx.xx.121
ether 08:00:2b:e4:06:8a
media: autoselect (10baseT/UTP) status: active
supported media: autoselect 10base5/AUI manual 10baseT/UTP <full-duplex> 10baseT/UTP
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 172.16.0.14 netmask 0xffff0000 broadcast 172.16.255.255
ether 00:c0:df:25:b4:12
media: autoselect
supported media: autoselect 100baseTX <full-duplex> 100baseTX <half-duplex> 100baseTX 10baseT/UTP <full-duplex> 10baseT/UTP 10baseT/UTP <half-duplex>
sl0: flags=c010<POINTOPOINT,LINK2,MULTICAST> mtu 552
ppp0: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp1: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
ppp3: flags=8010<POINTOPOINT,MULTICAST> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet 127.0.0.1 netmask 0xff000000
[-- Attachment #4 --]
00100 divert 9009 ip from any to any via de0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any
[-- Attachment #5 --]
machine "i386"
cpu "I686_CPU"
ident ICMSBRAS
maxusers 512
config kernel root on wd0
options "COMPAT_43" #Compatible with BSD 4.3 [KEEP THIS!]
options FFS #Berkeley Fast Filesystem
options FFS_ROOT #FFS usable as root device [keep this!]
options PROCFS #Process filesystem
options MFS #Memory Filesystem
options QUOTA #Enable disk quotas
controller isa0
controller pnp0 # PnP support for ISA
controller pci0
controller wdc0 at isa? port "IO_WD1" bio irq 14
disk wd0 at wdc0 drive 0 flags 0xb0ff #???? for LBA (0xb or 0xa)
disk wd1 at wdc0 drive 1
controller wdc1 at isa? port "IO_WD2" bio irq 15
disk wd2 at wdc1 drive 0 flags 0xb0ff #???? for LBA (0xb or 0xa)
disk wd3 at wdc1 drive 1
# Floating point support - do not disable.
device npx0 at isa? port IO_NPX irq 13
# syscons is the default console driver, resembling an SCO console
device sc0 at isa? tty
options SC_HISTORY_SIZE=600 # number of history buffer lines
device vga0 at isa? port ? conflicts
# atkbdc0 controls both the keyboard and the PS/2 mouse
controller atkbdc0 at isa? port IO_KBD tty
device atkbd0 at isa? tty irq 1
# Serial (COM) ports
device sio0 at isa? port "IO_COM1" flags 0x20000 tty irq 4
device sio1 at isa? port "IO_COM2" flags 0x20000 tty irq 3
device sio2 at isa? disable port "IO_COM3" flags 0x20000 tty irq 5
device sio3 at isa? disable port "IO_COM4" flags 0x20000 tty irq 9
options INET #InterNETworking
# PCI Ethernet NICs.
device de0 # DEC/Intel DC21x4x (``Tulip'')
device rl0 # RealTek 8129/8139
pseudo-device loop
pseudo-device ether
pseudo-device sl 1
pseudo-device bpfilter 32
pseudo-device gzip
pseudo-device log
pseudo-device pty 8
pseudo-device snp 24
pseudo-device vn
pseudo-device ccd 2
pseudo-device ppp 4
options PPP_BSDCOMP #PPP BSD-compress support
options PPP_DEFLATE #PPP zlib/deflate/gzip support
options PPP_FILTER #enable bpf filtering (needs bpfilter)
options FAILSAFE #Be conservative
options USERCONFIG #boot -c editor
options VISUAL_USERCONFIG #visual boot -c editor
options KTRACE #ktrace(1) syscall trace support
options "MAXDSIZ=(256*1024*1024)"
options "DFLDSIZ=(256*1024*1024)"
options IPFIREWALL #firewall
options IPFIREWALL_VERBOSE #print information about
# dropped packets
options IPFIREWALL_FORWARD #enable transparent proxy support
options IPDIVERT #divert sockets
options IPFILTER #kernel ipfilter support
options IPFILTER_LOG #ipfilter logging
options TCPDEBUG
options "ICMP_BANDLIM"
# DUMMYNET enables the "dummynet" bandwidth limiter. You need
# IPFIREWALL as well. See the dummynet(4) manpage for more info.
options DUMMYNET
options NFS_NOSERVER #Disable the NFS-server code.
# Allow this many swap-devices.
options NSWAPDEV=5
options SUIDDIR
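To make the difference between the two mechanisms tried in the mail concrete, here is an added Python model (not from the mail or from FreeBSD) of what ipfw(8) documents for `fwd` to a non-local address, which changes only the next hop and leaves the destination address and port untouched, next to what natd's `-redirect_port` does, which rewrites the destination and translates the reply. The 198.51.100.7 client and the source ports 40000/50000 are constructed; note that natd only sees traffic matched by the divert rule, which in attachment #4 is `via de0` only, so LAN clients never reach the redirect.

```python
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Addresses from the mail; "193.x.x.121" is the author's masked public address.
CLIENT, GW_RL0, GW_DE0, WEB = "172.16.0.2", "172.16.0.14", "193.x.x.121", "172.16.0.101"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    next_hop: Optional[str] = None  # routing decision; never part of the header

def ipfw_fwd(pkt: Packet, addr: str, port: Optional[int] = None) -> Packet:
    """'ipfw add fwd addr[,port]' for a non-local addr, per ipfw(8): only the
    next hop changes, the port is ignored and the header is left untouched."""
    return replace(pkt, next_hop=addr)

def natd_redirect_in(pkt: Packet, pub: str, pub_port: int, target: str,
                     target_port: int, table: Dict[Tuple[str, int], Tuple[str, int]]) -> Packet:
    """'natd -redirect_port tcp pub:pub_port target:target_port' on an inbound
    packet: rewrite the destination and remember the flow for the reply."""
    if (pkt.dst, pkt.dport) == (pub, pub_port):
        table[(pkt.src, pkt.sport)] = (pub, pub_port)
        return replace(pkt, dst=target, dport=target_port)
    return pkt

def natd_redirect_out(pkt: Packet, table: Dict[Tuple[str, int], Tuple[str, int]]) -> Packet:
    """Reply from the target: put the public address back as the source."""
    pub = table.get((pkt.dst, pkt.dport))
    return replace(pkt, src=pub[0], sport=pub[1]) if pub else pkt

def experiment_3() -> Packet:
    """Mail's experiment 3: 'fwd 172.16.0.101,80 tcp from any to 172.16.0.14 8080'.
    Returns the packet the web server receives (constructed client SYN)."""
    return ipfw_fwd(Packet(CLIENT, 40000, GW_RL0, 8080), WEB, 80)

def experiment_1() -> Tuple[Packet, Packet]:
    """Mail's experiment 1: '-redirect_port tcp 193.x.x.121:80 172.16.0.101:80'.
    Returns (packet the web server sees, translated SYN-ACK the client sees)."""
    table: Dict[Tuple[str, int], Tuple[str, int]] = {}
    syn = Packet("198.51.100.7", 50000, GW_DE0, 80)  # constructed Internet client
    seen = natd_redirect_in(syn, GW_DE0, 80, WEB, 80, table)
    synack = Packet(seen.dst, seen.dport, seen.src, seen.sport)
    return seen, natd_redirect_out(synack, table)

if __name__ == "__main__":
    print(experiment_3())  # dst still 172.16.0.14:8080, next hop 172.16.0.101
    print(*experiment_1(), sep="\n")
```

The web server in experiment 3 receives a SYN for 172.16.0.14:8080, where nothing listens, which matches the timeout the mail reports; only the natd path delivers a packet addressed to 172.16.0.101:80.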
