Date: Mon, 02 Dec 2013 12:12:41 +0330
From: Hooman Fazaeli <hoomanfazaeli@gmail.com>
To: Yuri <yuri@rawbw.com>
Cc: net@freebsd.org
Subject: Re: DIOCNATLOOK fails with ipfw
Message-ID: <529C4801.3010000@gmail.com>
In-Reply-To: <529C3E84.1030203@rawbw.com>
References: <529C3E84.1030203@rawbw.com>
On 12/2/2013 11:32 AM, Yuri wrote:
> I have an app with a transparent proxy that should intercept all TCP connections on the interface.
> This is done with an ipfw(8) rule like this:
> ipfw add 200 fwd 192.168.10.1,15020 tcp from 192.168.10.0/24 to any 80 keep-state
> The transparent proxy is on 192.168.10.1:15020
>
> The proxy accepts the connections; however, it is using /dev/pf to get the original destination and the lookup procedure fails:
> ioctl(DIOCNATLOOK) failed: No such file or directory
> It fails because nobody ever calls pf_state_insert. I see from the source that the ioctl to add the pf_state is DIOCSTART, which is issued by pfctl(8), but I am not using pfctl(8) at all.
>
> My questions are:
> What is the relationship between ipfw(8) and pfctl(8)? Do they do the same? Why two of them?
> If I only use ipfw, is there a way for the acceptor to find what the original destination was without /dev/pf?
>
> Yuri

ipfw and pf are two completely separate firewalls. You cannot use /dev/pf to control/query ipfw.
Use getsockname(2) to find out the original destination address with ipfw.

--
Best regards.
Hooman Fazaeli
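The getsockname(2) approach, as an added example that is not code from either poster. An ipfw "fwd" rule delivers the packet to the local proxy socket without rewriting its destination, so the local address of the accepted socket is the address the client originally connected to, not the proxy's bind address; there is no NAT state to look up, which is why /dev/pf has nothing to say. The program below implements that lookup in original_destination() and exercises it over a loopback connection (where, with no ipfw rule in the path, the reported address is simply the listener's own); the 192.168.10.1,15020 rule from the thread is assumed to be in place on a real deployment and is not reproduced here.

```c
/* Added example (not from the thread): recover the client's original
 * destination on a socket accepted by a transparent proxy behind ipfw fwd.
 * The loopback self-test below assumes no firewall rule is in the path. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill ip/port with the local address of an accepted TCP socket. Under an
 * ipfw fwd rule this is the destination the client asked for. Returns 0 on
 * success, -1 on failure. */
int original_destination(int fd, char *ip, size_t iplen, uint16_t *port)
{
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;

    memset(&sin, 0, sizeof sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &slen) == -1)
        return -1;
    if (sin.sin_family != AF_INET)       /* IPv4 only in this example */
        return -1;
    if (inet_ntop(AF_INET, &sin.sin_addr, ip, iplen) == NULL)
        return -1;
    *port = ntohs(sin.sin_port);
    return 0;
}

/* Self-test: listen on 127.0.0.1 at an ephemeral port, connect to it, accept,
 * and ask the accepted socket for its local address. Returns the port seen by
 * getsockname() if it matches the listener's, 0 on any failure. */
int loopback_check(void)
{
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    int cfd = socket(AF_INET, SOCK_STREAM, 0);
    int afd = -1, result = 0;
    struct sockaddr_in sin;
    socklen_t slen = sizeof sin;
    char ip[INET_ADDRSTRLEN];
    uint16_t port = 0;

    if (lfd == -1 || cfd == -1) goto out;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = 0;                    /* kernel picks a free port */
    if (bind(lfd, (struct sockaddr *)&sin, sizeof sin) == -1) goto out;
    if (listen(lfd, 1) == -1) goto out;
    /* learn the port the kernel chose so the client can connect to it */
    if (getsockname(lfd, (struct sockaddr *)&sin, &slen) == -1) goto out;
    if (connect(cfd, (struct sockaddr *)&sin, sizeof sin) == -1) goto out;
    afd = accept(lfd, NULL, NULL);
    if (afd == -1) goto out;
    if (original_destination(afd, ip, sizeof ip, &port) == -1) goto out;
    if (strcmp(ip, "127.0.0.1") == 0 && port == ntohs(sin.sin_port))
        result = port;
out:
    if (afd != -1) close(afd);
    if (cfd != -1) close(cfd);
    if (lfd != -1) close(lfd);
    return result;
}

int main(void)
{
    int port = loopback_check();

    if (port > 0)
        printf("accepted socket reports destination 127.0.0.1:%d\n", port);
    else
        printf("loopback check failed\n");
    return port > 0 ? 0 : 1;
}
```

In the proxy itself, call original_destination() on every fd returned by accept(2) and use the result as the upstream target; the proxy's own bind address is irrelevant to that answer once ipfw fwd is steering traffic to it. If a rule set ever moves to pf's rdr/nat instead, the destination is rewritten in the packet and DIOCNATLOOK becomes the right tool again.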
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?529C4801.3010000>