From owner-freebsd-ipfw@FreeBSD.ORG Mon Oct 27 13:58:31 2008
From: "Leander S." <leander.schaefer@googlemail.com>
Date: Mon, 27 Oct 2008 14:58:26 +0100
Message-ID: <4905C902.9040306@googlemail.com>
Organization: Privat
User-Agent: Thunderbird 2.0.0.17 (Macintosh/20080914)
To: freebsd-ipfw@freebsd.org
Subject: Portforwarding - still the same issue
List-Id: IPFW Technical Discussions

Roman Kurakin wrote:
> John Hay wrote:
>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>
>>> Hi,
>>>
>>> I'm trying to set up something like a HotSpot. The goal is to force
>>> unregistered users to get redirected to the Captive Portal site where
>>> they'll be able to agree to my licence terms and get some information
>>> ... etc. ...
>>>
>>> So the fact is I need an IPFW rule which forwards port 80,443,8080
>>> traffic to another port, i.e. 8080 --> where my Apache will already
>>> wait to serve the Captive Portal site back to the request.
>>>
>>> So I did read the man page and saw something like the fwd rule and the
>>> kernel option for it - so I added the option - recompiled the kernel
>>> and gave my firewall the following fwd rule in an extra script:
>>>
>>> ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any
>>> 80,443,8080 in via ${LAN_if}
>>>
> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add
> some logging in the rule
> and add a last additional deny with logging.

Oh-oh ... Can't log right now - have to recompile the kernel before ... sry.

>> You have to catch it where it is going out and not in. Fwd only works
>> when packets are outbound.

I don't think so ?! And what sense would it make? Because think twice ... I want to fwd incoming HTTP:80 packets to make them look like HTTP:8080 packets ... the outgoing ones are uninteresting because it's Apache's job to send back website data on port 8080 where it's listening anyway.

>>
> But how does this work for me?
>
> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24
> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>
> rik
>> John
>>

I tried:

[...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup in via ath0 keep-state

as well as this one too:

[...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80 dst-port 8080 setup in via ath0 keep-state
^^

But sadly without success - "root$ ipfw show" doesn't even show me at least one packet going through .... not even blocked ones ... 0 0 ;-)

But here is my scenario again:

127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens on port 8080.
192.1.1.0/24 is the ath0 interface where wireless clients will try to click http://google:80 BUT accidentally should be fwded & run into my PortalSite:8080
192.1.1.1 is the interface's IP address.
192.1.1.1:8080 would also bring you to the portal site, as well as 127.0.0.1:8080.

Regards, Leander
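The captive-portal ruleset discussed in this thread, as an added example that is not part of the original mail and not an official FreeBSD or ipfw sample. It is a dry-run generator: by default it prints the ipfw commands instead of applying them (set FWCMD=ipfw as root on a FreeBSD box with IPFIREWALL_FORWARD compiled in to apply them). The body of the fwd rule follows the shape of rik's working rule (log, setup, keep-state) combined with the original `to any 80,443,8080` destination from the first rule in the thread rather than `to me`: wireless clients address google's IP, not the gateway's, so an incoming rule restricted to `me` never matches, which is consistent with the 0 0 counters reported above. The lookup table number (1), the rule numbers, the interface name and the client address are assumptions or placeholders taken from the thread, and the `register_client` helper is hypothetical (it is what the portal would call after the licence terms are accepted).

```shell
#!/bin/sh
# Added example (not from the thread): dry-run generator for a captive-portal
# ipfw ruleset. Rule numbers, table 1 and the variable names are assumptions.
# Logging needs net.inet.ip.fw.verbose=1 (the IPFIREWALL_VERBOSE kernel option
# or the sysctl) and forwarding needs options IPFIREWALL_FORWARD.

FWCMD="${FWCMD:-echo ipfw}"          # default: print only, never touch the kernel
LAN_IF="${LAN_IF:-ath0}"              # wireless interface from the thread
LAN="${LAN:-192.1.1.0/24}"            # client network from the thread
PORTAL="${PORTAL:-127.0.0.1,8080}"    # where Apache serves the portal page
REG_TABLE="${REG_TABLE:-1}"           # assumed ipfw lookup table of registered clients

build_rules() {
    # 1. Let dynamic (keep-state) rules match first, so established
    #    sessions are not re-evaluated against the static rules below.
    $FWCMD add 00100 check-state
    # 2. Clients that already accepted the terms bypass the redirect.
    #    Caveat: identifying clients by IP alone is weak on open wireless.
    $FWCMD add 01000 allow ip from "table(${REG_TABLE})" to any in via "$LAN_IF"
    # 3. Everyone else: web traffic to *any* destination is handed to the
    #    portal. Using "to me" here would never match, since the clients
    #    address the remote web server, not the gateway.
    $FWCMD add 01100 fwd "$PORTAL" log tcp from "$LAN" to any 80,443,8080 in via "$LAN_IF" setup keep-state
    # 4. Replies from the local stack (the portal) back to the clients.
    $FWCMD add 01200 allow tcp from any to "$LAN" out via "$LAN_IF" established
    # 5. Final deny with logging, so "ipfw show" counters and the log
    #    explain every packet that did not get through.
    $FWCMD add 65000 deny log ip from any to any
}

# Hypothetical hook the portal calls once a client has accepted the terms:
# adds the client's address to the lookup table consulted by rule 01000.
register_client() {
    $FWCMD table "$REG_TABLE" add "$1"
}

# Print the ruleset (dry run unless FWCMD=ipfw was exported).
build_rules
```

Run it as-is to review the generated commands; only after the output looks right, re-run with `FWCMD=ipfw` as root. Redirected HTTPS connections will still produce certificate warnings in the client's browser, since the portal cannot present a certificate for the site the client actually asked for.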