From owner-freebsd-net@freebsd.org Tue Jan 23 18:42:15 2018
From: Eugene Grosbein <eugen@grosbein.net>
To: Alan Somers, "Andrey V. Elsukov"
Cc: FreeBSD Net, Kristof Provost
Subject: Re: pf: redirect a packet's port but not its address?
Date: Wed, 24 Jan 2018 01:41:45 +0700
Message-ID: <5A6781E9.5060405@grosbein.net>
References: <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru>
List-Id: Networking and TCP/IP with FreeBSD

24.01.2018 1:26, Alan Somers wrote:
>> # ipfw add fwd ::1,5678 tcp from any to any 4000
>> # nc -6 -l ::1 5678
>>
>> And from another host tried:
>> # telnet -6 fc00::1 4000
>>
>> And this works.
>>
>
> This does not work for me. When I try, tcpdump shows that the host running
> ipfw returns an RST packet when it receives a SYN for port 4000. That
> sounds like the fwd rule isn't working. And it's probably not working
> because I'm a total ipfw n00b. Is there anything else I need to configure
> in ipfw first? My rc.conf file looks like:
>
> firewall_enable="YES"
> firewall_type="open"

ipfw rules are always numbered and, while ipfw allows you to not specify a rule number when adding, it is wise to always specify it, or else it adds rules to the end of the list, and that is not what you want when dealing with the pre-defined "open" ruleset.

In short, use "ipfw add 2000 fwd ::1,5678 tcp from any to any 4000". Use "ipfw show" to check it out before and after running this command.
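The ordering point made in the reply above is easy to reason about with a small model of ipfw's first-match semantics. The following is an added example (not code from the thread or from FreeBSD): it parses a constructed, simplified `ipfw show`-style listing of the rc.firewall "open" ruleset, appends the `fwd` rule once without a number and once as rule 2000, and reports which rule a TCP SYN to port 4000 would hit first. The catch-all rule number 65000, the default-rule number 65535 and the autoinc step of 100 are assumptions about FreeBSD defaults; the address matching is deliberately minimal.

```python
"""Model of ipfw first-match rule ordering (added example, not from the thread).

Shows why 'ipfw add fwd ...' without a rule number is shadowed by the
"open" ruleset's catch-all rule, while 'ipfw add 2000 fwd ...' is reached.
"""
import re

# Constructed sample of 'ipfw show' output after firewall_type="open",
# with packet/byte counters stripped. Assumption: rule 65000 is the
# ruleset's catch-all pass and 65535 is the kernel default rule.
OPEN_RULESET = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Assumption: net.inet.ip.fw.autoinc_step defaults to 100, so an unnumbered
# rule is placed at (highest non-default rule) + 100.
AUTOINC_STEP = 100

RULE_RE = re.compile(
    r"^(?P<num>\d{1,5})\s+(?P<action>allow|deny|fwd\s+\S+)\s+"
    r"(?P<proto>ip|tcp|udp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+))?(?:\s+via\s+(?P<iface>\S+))?$"
)


def parse_rules(text):
    """Parse simplified listing lines into dicts, sorted by rule number."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed rule: {line!r}")
        rule = m.groupdict()
        rule["num"] = int(rule["num"])
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])


def add_rule(rules, spec, number=None):
    """Mimic 'ipfw add [N] <spec>': without N, append past the highest rule."""
    if number is None:
        highest = max((r["num"] for r in rules if r["num"] != 65535), default=0)
        number = highest + AUTOINC_STEP
    if not 1 <= number < 65535:
        raise ValueError(f"rule number {number} out of range")
    return sorted(rules + parse_rules(f"{number:05d} {spec}"),
                  key=lambda r: r["num"])


def first_match(rules, proto, dport, iface="em0"):
    """Walk rules in numeric order; return the first one the packet matches.

    The modelled packet comes from a remote (non-loopback) host, so any rule
    that names a specific address or network is treated as not matching.
    """
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["dport"] is not None and int(r["dport"]) != dport:
            continue
        if r["iface"] is not None and r["iface"] != iface:
            continue
        if r["src"] != "any" or r["dst"] != "any":
            continue
        return r
    return None


def demo(spec="fwd ::1,5678 tcp from any to any 4000"):
    """Return (rule hit without a number, rule hit with number 2000)."""
    base = parse_rules(OPEN_RULESET)
    unnumbered = add_rule(base, spec)            # 'ipfw add fwd ...'
    numbered = add_rule(base, spec, number=2000)  # 'ipfw add 2000 fwd ...'
    return (first_match(unnumbered, "tcp", 4000)["num"],
            first_match(numbered, "tcp", 4000)["num"])


if __name__ == "__main__":
    shadowed, reached = demo()
    print(f"unnumbered fwd: SYN to 4000 hits rule {shadowed} (catch-all pass)")
    print(f"fwd at 2000:    SYN to 4000 hits rule {reached} (the fwd rule)")
```

Running it prints that the unnumbered rule, placed at 65100, is never consulted because rule 65000 already accepted the packet, which is exactly the symptom of "the fwd rule isn't working". On the real system, compare `ipfw show` before and after adding the rule and confirm the `fwd` line sits above 65000.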