ipfw fwd
Chris Knipe
savage at savage.za.org
Thu Feb 10 01:55:23 PST 2005
>> FreeBSD 4.11-STABLE, running ipfw2.
>>
>> root at wsmd-core02:/home/cknipe# ifconfig vlan1
>> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
>> inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>> ether 00:08:a1:7a:b1:44
>> media: Ethernet autoselect (100baseTX)
>> status: active
>> vlan: 200 parent interface: rl0
>>
>> ipfw2:
>> 00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
>> 00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
>> 00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
>> 00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
>>
>>
>> However, packets that are forwarded never connect to the destination
>> they are forwarded to. And yes, I did check the obvious, everything is up
>> and running.... Is there some sysctl magic or something required to make
>> this work? I can fwd without a problem to the SAME BOX, but I cannot seem
>> to get it to work to fwd to remote machines. In case someone is wondering,
>> this is for transparent proxy / smtp servers.
>>
>> --
>> Chris.
>>
>
> I don't suppose you're getting bitten by:
>
> "The fwd action does not change the contents of the packet at
> all. In particular, the destination address remains
> unmodified, so packets forwarded to another system will usually
> be rejected by that system unless there is a matching rule on
> that system to capture them."
>
> The ipfw(8) man page is a little vague with the phrasing "matching
> rule on that system to capture them". Normally systems don't process
> packets locally that are not destined for it. You can use tcpdump on
> the remote box to verify for yourself that the fwd is working correctly
> and that the remote box is receiving the packets. The remote box just
> doesn't know what to do with the packets it is receiving.
I never even saw this before in the man page... I'll have to look a bit
closer. I did check prior to posting (sorry, I should have mentioned), no
packets are picked up on the host that I forward to...
Are there any other ways to accomplish this?? natd???? I want to try and
stay away from natd, because if I do this with NATD, there's going to be
a lot of other issues I need to fix as well.....
--
Chris
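As an added example (not part of the thread above), the following script applies the ipfw(8) caveat quoted in the reply to a rule listing in `ipfw -a list` format: it picks out every `fwd` rule and flags targets that are not an address of the local box, since such packets arrive at the other host with their original destination address and are dropped there unless that host has its own capture rule. The sample listing is constructed from the rules quoted in the post plus one loopback rule; the local address list comes from the quoted `ifconfig vlan1` output.

```python
"""Added example, not from the thread: find ipfw fwd rules whose target is
off-box. Per ipfw(8), fwd leaves the destination address untouched, so an
off-box target only works if that host captures the packets itself."""
import re
from ipaddress import ip_address

# `ipfw -a list` line format: rule number, packet counter, byte counter, body.
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
# fwd action: target address, optional ",port", then the match clause.
FWD_RE = re.compile(r"^fwd\s+(\S+?)(?:,(\d+))?\s+(.*)$")


def parse_rules(text):
    """Yield (rule_number, packets, bytes, body) for each rule line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def check_fwd_targets(listing, local_addrs):
    """Return one dict per fwd rule; needs_remote_capture_rule is True when
    the target is neither loopback nor an address configured on this box."""
    local = {ip_address(a) for a in local_addrs}
    findings = []
    for num, pkts, _bytes, body in parse_rules(listing):
        m = FWD_RE.match(body)
        if not m:
            continue
        target = ip_address(m.group(1))
        findings.append({
            "rule": num,
            "target": str(target),
            "port": int(m.group(2)) if m.group(2) else None,
            "matched_packets": pkts,
            "needs_remote_capture_rule": target not in local and not target.is_loopback,
        })
    return findings


# Constructed sample: the rules quoted in the post plus a loopback fwd rule
# (the same-box proxy case the poster says already works for him).
SAMPLE_LISTING = """\
00400 0 0 allow tcp from 198.19.0.36 to any dst-port 80
00401 12 652 allow tcp from 198.19.0.35 to any dst-port 25
00402 13 668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
00403 2 120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
00404 0 0 fwd 127.0.0.1,3128 tcp from any to any dst-port 80 in via vlan1
"""
LOCAL_ADDRS = ["198.19.0.33"]  # from the quoted `ifconfig vlan1` output

if __name__ == "__main__":
    for f in check_fwd_targets(SAMPLE_LISTING, LOCAL_ADDRS):
        note = "off-box target: remote host needs a capture rule" if f["needs_remote_capture_rule"] else "local target"
        print(f"rule {f['rule']:05d}: fwd -> {f['target']}:{f['port']} ({f['matched_packets']} pkts) {note}")
```

Rules 00402 and 00403 are reported as off-box targets, which matches the symptom described in the post: the counters show packets being matched, but the proxy and mail hosts never see a usable connection.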