ipfw fwd

Chris Knipe savage at savage.za.org
Thu Feb 10 01:55:23 PST 2005 

>> FreeBSD 4.11-STABLE, running ipfw2.
>>
>> root at wsmd-core02:/home/cknipe# ifconfig vlan1
>> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
>>         inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>>         ether 00:08:a1:7a:b1:44
>>         media: Ethernet autoselect (100baseTX)
>>         status: active
>>         vlan: 200 parent interface: rl0
>>
>> ipfw2:
>> 00400       0         0 allow tcp from 198.19.0.36 to any dst-port 80
>> 00401      12       652 allow tcp from 198.19.0.35 to any dst-port 25
>> 00402      13       668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to 
>> any
>> dst-port 80
>> 00403       2       120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any
>> dst-port 25
>>
>>
>> However, packets that are forwarded, never connects to the destination 
>> where
>> it is forwarded to.  And yes, I did check the obvious, everything is up 
>> and
>> running....   Is there some sysctl magic or something required to make 
>> this
>> work?  I can fwd without a problem to the SAME BOX, but I cannot seem to 
>> get
>> it to work to fwd to remote machines.  In case someone is wondering, this 
>> is
>> for transparent proxy / smtp servers.
>>
>> --
>> Chris.
>>
>
>  I don't suppose you're getting bitten by:
>
> "The fwd action does not change the contents of the packet at
> all.  In particular, the destination address remains
> unmodified, so packets forwarded to another system will usually
> be rejected by that system unless there is a matching rule on
> that system to capture them."
>
>  The ipfw(8) man page is a little vague with the phrasing "matching
> rule on that system to capture them".  Normally systems don't process
> packets locally that are not destined for it.  You can use tcpdump on
> the remote box to verify for yourself that the fwd is working correctly
> and that the remote box is receiving the packets.  The remote box just
> doesn't know what to do with the packets it is receiving.

I never even saw this before in the man page... I'll have to look a bit 
closer.  I did check prior to posting (sorry, I should have mentioned), no 
packets are picked up on the host that I forward to...

Is there any other ways to accomplish this?? natd????  I want to try and 
stay away from natd, because if I do this with NATD, there's going to be 
allot of other issues I need fix as well.....

--
Chris

More information about the freebsd-ipfw mailing list