From owner-freebsd-net@FreeBSD.ORG Mon Sep 22 10:22:08 2008
Date: Mon, 22 Sep 2008 12:22:09 +0200
From: Pawel Jakub Dawidek
To: Max Laier
Cc: freebsd-net@freebsd.org
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <20080922102209.GB2468@garage.freebsd.pl>
In-Reply-To: <200809191538.02698.max@love2party.net>
References: <20080919075633.GA4333@garage.freebsd.pl> <20080919121602.GC4333@garage.freebsd.pl> <200809191538.02698.max@love2party.net>
User-Agent: Mutt/1.4.2.3i
X-PGP-Key-URL: http://people.freebsd.org/~pjd/pjd.asc
X-OS: FreeBSD 8.0-CURRENT i386
On Fri, Sep 19, 2008 at 03:38:02PM +0200, Max Laier wrote:
> I might be wrong, but I don't think we ever supported rdr without
> net.inet.ip.forwarding enabled. Maybe to a different local address, but even
> then you'd need net.inet.ip.check_interface=0. Looking at the code, I don't
> see where IPFW forwarding fails (as it has its own ip_forward() call), though.

Ok, I did some more tests. I'm running bridge in there and trying to
redirect packets that go through my bridge to a local daemon.

UDP redirect seems to work with PF:

	rdr on bridge0 proto udp from 10.0.1.1 to 10.0.0.2 port 12345 -> 10.0.5.123 port 12345

Between 10.0.1.1 and 10.0.0.2 there is my bridging machine. Now when I call
'nc -u -l 12345' on 10.0.5.123 and call 'nc -u 10.0.0.2 12345' on the 10.0.1.1
machine I can receive packets on my nc daemon just fine, I can even send
packets back and they are sent with source address set to 10.0.0.2 - this is
exactly what I'm looking for.

Unfortunately it doesn't work for TCP. I see packets being redirected to
10.0.5.123, but my local daemon never accepts the connection and the nc client
keeps resending SYN packets. I also see weird messages in the logs:

	TCP: [10.0.1.1]:36973 to [10.0.5.123]:12345 tcpflags 0x4; syncache_chkrst: Spurious RST without matching syncache entry (possibly syncookie only), segment ignored

(Both tcps_badrst and tcps_sc_dropped are increased on every connection
attempt.)

Any ideas how to make it work with TCP?

PS. The same functionality doesn't work at all with ipfw(8) (because of
if_bridge(4)?).
-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
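As an added example (not part of the mail above, and not FreeBSD's own code): a small Python parser for the syncache diagnostics quoted in the mail, which an operator can run over a syslog extract to see how many connection attempts per redirected destination the kernel is discarding, and with which TCP flags. It assumes only the message layout visible in the mail ("TCP: [src]:port to [dst]:port tcpflags 0xNN; function: message"); the syslog prefix and the two extra sample lines are constructed for illustration. The flag bit values are those of <netinet/tcp.h>.

```python
"""Parse FreeBSD tcp syncache log lines and summarize them per target socket.

Added example, not from the original mail or from FreeBSD. It assumes the log
format shown in the mail; the SAMPLE_LOG lines are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Matches the syncache diagnostic shown in the mail.  Assumption: the kernel
# always prints the endpoints as [addr]:port and the flags in hex.
SYNCACHE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+); (?P<func>\w+): (?P<msg>.*)$"
)

# TCP header flag bits as defined in <netinet/tcp.h> (TH_FIN .. TH_URG).
TCP_FLAG_BITS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))


@dataclass(frozen=True)
class SyncacheEvent:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    func: str
    msg: str


def decode_flags(flags: int) -> list:
    """Return the symbolic names of the flag bits set in `flags`, in header order."""
    return [name for bit, name in TCP_FLAG_BITS if flags & bit]


def parse_line(line: str) -> Optional[SyncacheEvent]:
    """Parse one log line; return None for lines that are not syncache diagnostics."""
    m = SYNCACHE_RE.search(line)  # search(), so a syslog prefix is tolerated
    if m is None:
        return None
    return SyncacheEvent(
        src=m["src"], sport=int(m["sport"]),
        dst=m["dst"], dport=int(m["dport"]),
        flags=int(m["flags"], 16), func=m["func"], msg=m["msg"].strip(),
    )


def summarize(lines: Iterable[str]) -> dict:
    """Count syncache diagnostics per (dst, dport, kernel function)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            counts[(ev.dst, ev.dport, ev.func)] += 1
    return dict(counts)


# Constructed sample: the line from the mail with a made-up syslog prefix,
# a second attempt from the next source port, and one unrelated kernel line.
SAMPLE_LOG = [
    "Sep 22 12:10:01 bridge kernel: TCP: [10.0.1.1]:36973 to [10.0.5.123]:12345 "
    "tcpflags 0x4; syncache_chkrst: Spurious RST without matching syncache entry "
    "(possibly syncookie only), segment ignored",
    "Sep 22 12:10:04 bridge kernel: TCP: [10.0.1.1]:36974 to [10.0.5.123]:12345 "
    "tcpflags 0x4; syncache_chkrst: Spurious RST without matching syncache entry "
    "(possibly syncookie only), segment ignored",
    "Sep 22 12:10:05 bridge kernel: bridge0: link state changed to UP",
]

if __name__ == "__main__":
    for (dst, dport, func), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst}:{dport} {func}: {n} events")
    ev = parse_line(SAMPLE_LOG[0])
    print("flags on first event:", decode_flags(ev.flags))
```

Run it against `grep 'TCP: \[' /var/log/messages` output to get a per-destination count; a steadily growing count for one redirected address and port, with only RST set, matches the symptom described in the mail (every SYN retransmission produces one dropped segment).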