Date: Mon, 30 Aug 2004 12:32:16 +0200
From: Oliver Brandmueller <ob@e-Gitt.NET>
To: Andre Oppermann <andre@freebsd.org>
Cc: current@freebsd.org
Subject: Re: RELENG_5 ipfw problem
Message-ID: <20040830103216.GA51110@e-Gitt.NET>
In-Reply-To: <412F5307.5040005@freebsd.org>
References: <20040827084306.GB74653@e-Gitt.NET> <412F276A.6080807@freebsd.org> <20040827141354.GC74653@e-Gitt.NET> <412F5307.5040005@freebsd.org>

Hello.

On Fri, Aug 27, 2004 at 05:28:07PM +0200, Andre Oppermann wrote:
> It detects a missing dummynet because it has to pass on configuration
> options to dummynet and it can only do that if dummynet is loaded. For
> FORWARD this is not the case. Here the ipfw code just tags the packet
> for later treatment. And that later treatment is scattered through a
> few places where we have to inspect each packet it carries this tag.
>
> >- How to enable it?
>
> Put "option IPFIREWALL_FORWARD" into your kernel configuration file and
> recompile.

I do now have IPFIREWALL and IPFIREWALL_FORWARD in the kernel and am not
loading it as a module anymore. The dmesg now states:

ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

OK, fine. But I do still have a problem: The rule is loaded and matched.
Instead of just dropping the packet (as before, when rule-based forwarding
was disabled) the packets are now accepted, but the forwarding does not
work:

00200 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.0/24

I still see this on em0 (the public interface in the destination network
mentioned in rule 200):

12:26:09.674295 IP 192.168.25.5.smtp > 213.XXX.XXX.XXX.41424: S 3583621218:3583621218(0) ack 3993419222 win 65535 <mss 1460>

# ipfw show
00200 2694 118536 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.0/24

Packets are accepted, but not forwarded. Can anyone else reproduce this?

- Oliver

--
| Oliver Brandmueller | Offenbacher Str. 1 | Germany D-14197 Berlin |
| Fon +49-172-3130856 | Fax +49-172-3145027 | WWW: http://the.addict.de/ |
| I am the Internet. As truly as I help God. |
| Commercial use of any of the addresses contained here is not permitted! |