From owner-freebsd-net@freebsd.org Wed Jul 31 19:38:40 2019
To: "freebsd-net@freebsd.org"
From: Yuri
Subject: ipfw questions: how to forward incoming TCP connections from the same host?
Message-ID: <16dd8ba4-26e4-928b-c448-8294d13ece02@rawbw.com>
Date: Wed, 31 Jul 2019 12:38:31 -0700
List-Id: Networking and TCP/IP with FreeBSD

I need to forward incoming TCP connections made to my host 192.168.5.3 on port 3100 to the IP address 10.0.0.101, port 3000, which is connected through another interface.
These rules work when the connection is made from a remote host:

    ipfw -q nat 19001 config redirect_port tcp 10.0.0.101:3000 192.168.5.3:3100
    ipfw -q add 19001 nat 19001 tcp from any to 192.168.5.3 3100 in recv sk0
    ipfw -q add 19001 nat 19001 tcp from 10.0.0.101 3000 to any out xmit sk0

Question #1: How can connections from the same host be forwarded the same way?

Connections from the host's LAN IP address pass through lo0, but this rule doesn't work when added:

    ipfw -q add 19001 nat 19001 tcp from 192.168.5.3 to 192.168.5.3 3100 in recv lo0

Wireshark shows that the incoming connection is from 192.168.5.3 to 192.168.5.3 on port 3100, but it gets immediately rejected instead of being forwarded. This rule looks very similar to the second rule above; just the interface is different. Why doesn't it work?

Question #2: When lo0 is added to the third rule above, it stops working for the return traffic:

    ipfw -q add 19001 nat 19001 tcp from 10.0.0.101 3000 to any out xmit sk0 xmit lo0

Just adding "xmit lo0" makes it fail for sk0 too. When several interfaces are present in the rule, doesn't this mean that it should apply to all of them? Or perhaps multiple interfaces can only be used in a recv/xmit combination? Why does the command accept two xmit clauses, then?

Thank you,
Yuri