From owner-freebsd-stable Sun Dec 12 7:51:25 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from ak00.krascience.rssi.ru (ak0.krascience.rssi.ru [193.232.19.65])
    by hub.freebsd.org (Postfix) with ESMTP id 14BC514BE5
    for ; Sun, 12 Dec 1999 07:51:06 -0800 (PST)
    (envelope-from aleks@post.krascience.rssi.ru)
Received: from ALEKS (ak11.krascience.rssi.ru [193.232.203.66])
    by ak00.krascience.rssi.ru (8.8.5/8.8.5) with ESMTP id WAA01805;
    Sun, 12 Dec 1999 22:50:11 +0700 (KRS)
Date: Sun, 12 Dec 1999 22:48:28 +0700
From: Alexei Sokolski
X-Mailer: The Bat! (v1.36) UNREG / CD5BF9353B3B7091
Reply-To: Alexei Sokolski
Organization: ICM of SB RAS
X-Priority: 3 (Normal)
Message-ID: <2950.991212@cc.krascience.rssi.ru>
To: Roelof Osinga
Cc: freebsd-stable@freebsd.org
Subject: Re[2]: ifpw forwarding problem
In-reply-To: <384FFEC6.276F4A1E@nisser.com>
References: <384FFEC6.276F4A1E@nisser.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="----------F12555BA795BC"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

------------F12555BA795BC
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hello,

10 Dec 1999, Roelof Osinga wrote:

> OK, here it comes. A fresh set of data. This is how it is *now*. Thus
> with FORWARD disabled. Some test scripts are at the end. Maybe you
> can spot the error, I sure can't.

I can't find an error in YOUR scripts. But I found something wrong in
how ipfw works... (or not?)

I have a FreeBSD gateway with natd and two interfaces:
The first is public, de0 - 193.x.x.121.
The second is local, rl0 - 172.16.0.14.
There is one web server at 172.16.0.101:80 and an HTTP client (172.16.0.2).
All of them are connected to a 10Base-T hub.
I run a network analyser on the client machine with the capture filter:
"catch from any_ether to any_ether"

I am trying to make a redirection from my gateway to my local web server,
from the Internet and from the local network.
Don't ask me why I did it :^(

I made several small experiments:

1) For redirection from the Internet I added a rule to the natd configuration:

    -redirect_port tcp 193.x.x.121:80 172.16.0.101:80

   And this works.

2) I made a forward like Roelof Osinga's:

    ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 8080 in via rl0

   In this case the analyser shows a series of packets:
   a) from client to gateway, to open a TCP connection to port 8080
   b) and my gateway writes in the log file:
      Connection attempt to TCP 172.16.0.14:8080 from 172.16.0.2:some_ports

3) I made a forward:

    ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 8080

   In this case the analyser shows packets:
   a) from client to gateway - open connection to port 8080
   b) from gateway to web server, to open a TCP connection to port 8080 (!!!).
   There is no service on the web server on port 8080, therefore the client
   times out :^((

4) In man ipfw(8) it is written:
   ...
   fwd ipaddr [,port]
   ...
   This is intended for use with transparent proxy servers.
   ...
   And I decided to try a forward like this (from port 80 to port 80):

    ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 80 in via rl0

   In this case the analyser shows a series of packets:
   a) from client to gateway, to open a TCP connection to port 80
   b) and my gateway writes in the log file:
      Connection attempt to TCP 172.16.0.14:80 from 172.16.0.2:some_ports

5) Then I made a forward (maybe it works):

    ipfw add 1 fwd 172.16.0.101,80 tcp from any to 172.16.0.14 80

   In this case the analyser shows a series of packets:
   a) from client to gateway - open connection to port 80
   b) from gateway to web server, to open a TCP connection to port 80.
   c) from gateway to client - icmp: Redirect, Use Gateway 172.16.00.14,
      to reach 172.16.00.14 (!!!)
   This is repeated many times without success, therefore the client
   times out :^((

So, I have a problem (only me, or everyone?):
Can I make a redirect from IP1:port1 to IP2:port2 with "ipfw..fwd..."?
Or must I use one more natd for that?

All information about the machine is in the files:

    $uname -a       uname-a
    $ifconfig -a    ifconfig-a
    $ipfw list      ipfw_list
    file KERNEL     ICMSBRAS

P.S. One more question.
In FreeBSD 2.2.6 with natd at port 8668 on my machine I had:

    $netstat -an
    Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
    tcp        0      0  *.xxx              *.*                LISTEN
    divert     0      0  *.8668             *.*                LISTEN
    Active UNIX domain sockets
    Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr

Now when I run natd I have a line with icmp:

    $netstat -an
    Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
    icmp       0      0  *.*                *.*
    tcp        0      0  *.XXX              *.*                LISTEN
    Active UNIX domain sockets
    Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr

Can you say why???

-----------
Thank you for your help,
Sokolski Alexei
engineer of technical laboratory ICM SB RAS

------------F12555BA795BC--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
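
Added example, not part of the original message or of FreeBSD: a small Python model of experiments 1, 3 and 5 above, contrasting a next-hop change (ipfw fwd) with a destination rewrite (natd port redirect). All names are hypothetical and the Internet client address is constructed. The model assumes, following ipfw(8), that fwd leaves the packet headers untouched and ignores the port when the target is not a local address.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    next_hop: str = ""      # host the gateway hands the frame to
    local_port: int = 0     # set when delivered to a socket on the gateway

GATEWAY_ADDRS = {"172.16.0.14", "193.x.x.121"}   # addresses from the message
WEB = ("172.16.0.101", 80)

def ipfw_fwd(pkt, to_ip, to_port, fwd_ip, fwd_port):
    """Model of 'fwd fwd_ip,fwd_port tcp from any to to_ip to_port'."""
    if (pkt.dst, pkt.dport) != (to_ip, to_port):
        return pkt
    if fwd_ip in GATEWAY_ADDRS:
        # Local target (transparent proxy case): handed to a local socket,
        # the destination address in the packet is kept.
        return replace(pkt, next_hop=fwd_ip, local_port=fwd_port)
    # Non-local target: only the next hop changes; fwd_port is ignored.
    return replace(pkt, next_hop=fwd_ip)

def natd_redirect(pkt, alias, target):
    """Model of a natd port redirect: the destination itself is rewritten."""
    if (pkt.dst, pkt.dport) != alias:
        return pkt
    return replace(pkt, dst=target[0], dport=target[1], next_hop=target[0])

def accepted_by(pkt, listener):
    """A host answers a SYN only if it is addressed to its own ip:port."""
    return pkt.next_hop == listener[0] and (pkt.dst, pkt.dport) == listener

def run_experiments():
    lan_syn_8080 = Packet("172.16.0.2", "172.16.0.14", 8080)
    lan_syn_80 = Packet("172.16.0.2", "172.16.0.14", 80)
    inet_syn = Packet("198.51.100.7", "193.x.x.121", 80)  # constructed client
    exp3 = ipfw_fwd(lan_syn_8080, "172.16.0.14", 8080, *WEB)
    exp5 = ipfw_fwd(lan_syn_80, "172.16.0.14", 80, *WEB)
    exp1 = natd_redirect(inet_syn, ("193.x.x.121", 80), WEB)
    return {"exp1": (exp1, accepted_by(exp1, WEB)),
            "exp3": (exp3, accepted_by(exp3, WEB)),
            "exp5": (exp5, accepted_by(exp5, WEB))}

if __name__ == "__main__":
    for name, (pkt, ok) in run_experiments().items():
        print(name, pkt, "accepted" if ok else "not accepted")
```

In the model, the packets of experiments 3 and 5 reach 172.16.0.101 still addressed to 172.16.0.14, so the web server has no socket that matches them, while the redirect of experiment 1 delivers a packet addressed to 172.16.0.101:80.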