From: "Michael R. Wayne"
To: freebsd-hackers@FreeBSD.ORG
Subject: Odd ipfw behaviour
Date: Fri, 15 Feb 2002 18:09:51 -0500
Message-Id: <200202152309.SAA00831@manor.msen.com>

ipfw seems to be confused about where to forward packets if no interface is
specifically mentioned. Before I file a PR on it, I'd like someone who is more
familiar with how ipfw operates to quickly look over my findings.

Test setup, showing 2 ethernets with 2 FreeBSD boxes and another machine
running netscape:

    +-------Netscape           BROWSERbox
    |
    +-------squid              SQUIDbox
    |
    +-------4.5 Release------+
            ProxyFirewall    |
                         router-------+
                                      |
                                   internet

The internal net on ProxyFirewall is fxp1, external net is fxp0. All devices
have real IP addresses and correct netmasks. NAT is not involved.

Using this ipfw rule on ProxyFirewall:

    fwd $(squid-box) log tcp from $(windows-box) to any 80

and checking the logs on ProxyFirewall, I see this horrible mess:

    ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1
    ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp0   <---!!!
    ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1
    ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp1
    ipfw: 60000 Deny ICMP:5.1 ProxyFirewall BROWSERbox out via fxp1
    ipfw: 60000 Deny ICMP:5.1 ProxyFirewall SQUIDbox out via fxp1
    last message repeated 31 times

This, of course, causes terrible performance as the packets destined for the
local net bounce out the default interface. It can be corrected by specifying
an interface in the fwd rule:

    fwd $(squid-box) log tcp from $(windows-box) to any 80 via fxp1

Is it expected behaviour for ipfw to disregard routing and put packets out on
interfaces where they have no chance of being properly delivered (which would
be odd) or is this a bug?

/\/\
\/\/