Date: Mon, 22 Sep 2008 12:22:09 +0200
From: Pawel Jakub Dawidek <pjd@FreeBSD.org>
To: Max Laier <max@love2party.net>
Cc: freebsd-net@freebsd.org
Subject: Re: Firewall redirect doesn't work any more...
Message-ID: <20080922102209.GB2468@garage.freebsd.pl>
In-Reply-To: <200809191538.02698.max@love2party.net>
References: <20080919075633.GA4333@garage.freebsd.pl> <20080919121602.GC4333@garage.freebsd.pl> <200809191538.02698.max@love2party.net>
On Fri, Sep 19, 2008 at 03:38:02PM +0200, Max Laier wrote:
> I might be wrong, but I don't think we ever supported rdr without
> net.inet.ip.forwarding enabled. Maybe to a different local address, but even
> then you'd need net.inet.ip.check_interface=0. Looking at the code, I don't
> see where IPFW forwarding fails (as it has its own ip_forward() call), though.

Ok, I did some more tests. I'm running bridge in there and trying to
redirect packets that go through my bridge to a local daemon.

UDP redirect seems to work with PF:

	rdr on bridge0 proto udp from 10.0.1.1 to 10.0.0.2 port 12345 -> 10.0.5.123 port 12345

Between 10.0.1.1 and 10.0.0.2 there is my bridging machine. Now when I
call 'nc -u -l 12345' on 10.0.5.123 and call 'nc -u 10.0.0.2 12345' on
the 10.0.1.1 machine, I can receive packets on my nc daemon just fine. I can
even send packets back and they are sent with source address set to
10.0.0.2 - this is exactly what I'm looking for.

Unfortunately it doesn't work for TCP. I see packets being redirected to
10.0.5.123, but my local daemon never accepts the connection and the nc
client keeps resending SYN packets. I also see weird messages in the logs:

	TCP: [10.0.1.1]:36973 to [10.0.5.123]:12345 tcpflags 0x4<RST>; syncache_chkrst: Spurious RST without matching syncache entry (possibly syncookie only), segment ignored

(Both tcps_badrst and tcps_sc_dropped are increased on every connection
attempt.)

Any ideas how to make it work with TCP?

PS. The same functionality doesn't work at all with ipfw(8) (because of
if_bridge(4)?).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
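The "syncache_chkrst: Spurious RST" message quoted above is the kernel's way of reporting that a RST arrived for a TCP 4-tuple the syncache has no entry for, and the counters tcps_badrst / tcps_sc_dropped tick once per attempt. An operator debugging a redirect path like this one (or watching for a redirected service that keeps resetting its clients) usually wants to pull those lines out of the logs and count them per client/target pair. The parser and counter below are an added example written for this thread, not code from the e-mail or from FreeBSD; the log-line format is the one quoted in the message, the extra sample lines are constructed, and the threshold of three events is an arbitrary choice.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# Shape of the FreeBSD syncache log prefix as quoted in the thread:
#   TCP: [src]:sport to [dst]:dport tcpflags 0xNN<NAMES>; function: message
LOG_RE = re.compile(
    r"^TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to "
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags (?P<flags>0x[0-9a-fA-F]+)(?:<(?P<flagnames>[^>]*)>)?; "
    r"(?P<func>\w+): (?P<msg>.*)$"
)


@dataclass(frozen=True)
class SyncacheEvent:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    flagnames: Tuple[str, ...]
    func: str
    msg: str


def parse_line(line: str) -> Optional[SyncacheEvent]:
    """Parse one kernel log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    names = tuple(n for n in (m.group("flagnames") or "").split(",") if n)
    return SyncacheEvent(
        src=m.group("src"),
        sport=int(m.group("sport")),
        dst=m.group("dst"),
        dport=int(m.group("dport")),
        flags=int(m.group("flags"), 16),
        flagnames=names,
        func=m.group("func"),
        msg=m.group("msg"),
    )


def spurious_rst_counts(lines: Iterable[str]) -> Counter:
    """Count 'Spurious RST' syncache events per (client, target, target port).

    The source port is deliberately left out of the key: every retry in the
    thread uses a fresh ephemeral port, and it is the repetition between the
    same client and the same redirected service that is interesting.
    """
    counts: Counter = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev.func != "syncache_chkrst":
            continue
        if "RST" in ev.flagnames and ev.msg.startswith("Spurious RST"):
            counts[(ev.src, ev.dst, ev.dport)] += 1
    return counts


def repeated_pairs(counts: Counter, threshold: int = 3):
    """Return the (client, target, port) keys seen at least `threshold` times.

    Repeated spurious RSTs against one redirected service, as in the thread,
    point at a broken redirect or NAT path rather than a single stray packet.
    """
    return sorted(k for k, n in counts.items() if n >= threshold)


# Constructed sample log: the line quoted in the e-mail plus two retries on
# new ephemeral ports, one unrelated syncache message and one non-TCP line.
SAMPLE_LOG = [
    "TCP: [10.0.1.1]:36973 to [10.0.5.123]:12345 tcpflags 0x4<RST>; "
    "syncache_chkrst: Spurious RST without matching syncache entry "
    "(possibly syncookie only), segment ignored",
    "TCP: [10.0.1.1]:36974 to [10.0.5.123]:12345 tcpflags 0x4<RST>; "
    "syncache_chkrst: Spurious RST without matching syncache entry "
    "(possibly syncookie only), segment ignored",
    "TCP: [10.0.1.1]:36975 to [10.0.5.123]:12345 tcpflags 0x4<RST>; "
    "syncache_chkrst: Spurious RST without matching syncache entry "
    "(possibly syncookie only), segment ignored",
    "TCP: [10.0.1.1]:36976 to [10.0.5.123]:12345 tcpflags 0x2<SYN>; "
    "syncache_add: constructed sample line, not a real kernel message",
    "bridge0: link state changed to UP (constructed sample line)",
]

if __name__ == "__main__":
    counts = spurious_rst_counts(SAMPLE_LOG)
    for key, n in counts.items():
        print(f"{key[0]} -> {key[1]}:{key[2]}: {n} spurious RST(s)")
    print("repeated:", repeated_pairs(counts))
```

Feeding the script real /var/log/messages output only requires stripping the syslog timestamp and "kernel:" prefix before the "TCP:" token; everything after that is matched by LOG_RE as written.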