ipfw forwarding doesn't work - for more than 2 months. --- please help

Sepherosa Ziehau sepherosa at gmail.com
Wed Nov 28 01:46:52 PST 2007


On Nov 28, 2007 4:51 PM, Sam Wun <swun2010 at gmail.com> wrote:
> On Nov 28, 2007 7:45 PM, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> > On Nov 28, 2007 4:21 PM, Sam Wun <swun2010 at gmail.com> wrote:
> > > On Nov 28, 2007 5:12 PM, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> > > > On Nov 28, 2007 12:18 PM, Sam Wun <swun2010 at gmail.com> wrote:
> > > > > I have read the manpages and freebsd handbook more than 20 times.
> > > >
> > > > Oh?  Then I think you must have read this in ipfw manpage:
> > > > ...
> > > > The fwd action does not change the contents of the packet at all.  In
> > > > particular, the destination address remains unmodified, so packets
> > > > forwarded to another system will usually be rejected by that system
> > > > unless there is a matching rule on that system to capture them.
> > > > ...
> > > >
> > > OK, I misread that. Does that mean I need to implement a rule in the
> > > internal web server?
> >
> > IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
> > with the in-kernel NAT.
> >
> Can you suggest where I can add a new divert rule in my current ipfw rule set?
> belmore# ipfw list
> 00001 allow udp from any to any dst-port 500
> 00001 allow esp from any to any
> 00001 allow esp from any to any
> 00001 allow ipencap from any to any
> 00001 allow ipencap from any to any

The following three rules are not necessary.  Depending on your needs, you
may also want to reconstruct the rules after the divert one.

> 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> 00040 allow tcp from any to 220.233.24.213 dst-port 80 in
> 00041 allow tcp from 192.168.1.222 to any out

> 00050 divert 8668 ip4 from any to any via tun0
> 00100 allow ip from any to any via lo0
> 00150 allow ip from any to any via rl1
> 00200 deny ip from any to 127.0.0.0/8
> 00250 allow ip from any to any via lo0
> 00300 deny ip from 127.0.0.0/8 to any
> 00350 allow ip from any to any via gif* keep-state
> 00450 allow udp from any to any dst-port 53 in keep-state
> 00550 allow tcp from any to any dst-port 22 in keep-state
> 00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
> 00750 allow tcp from any to any dst-port 1080-60000 in keep-state
> 00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0
> setup keep-state
> 00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
> 01050 allow tcp from any to any out keep-state
> 65000 allow ip from any to any
> 65535 allow ip from any to any
>
> Here is the current rc.conf:
> natd_program="/sbin/natd"
> natd_enable="yes"
> natd_interface="tun0"                # interface name of public Internet NIC
> natd_flags="-dynamic -m"            # -m = preserve port numbers if possible
> #natd_flags="-f /etc/natd.conf"
>
> and the content of natd.conf:
> belmore# cat natd.conf
> dynamic yes
> redirect_port tcp 192.168.1.222:80 80
>
> Thanks
>
> S
> > Best Regards,
> > sephe
> >
> >
> > > I think I just need to install rinet in this freebsd router for the
> > > port forwarding.
> > >
> > > Thanks
> > >
> > >
> > > > Best Regards,
> > > > sephe
> > > >
> > > >
> > > > >
> > > > >
> > > > >
> > > > > On Nov 28, 2007 2:40 PM, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> > > > > > On Nov 28, 2007 10:03 AM, Sam Wun <swun2010 at gmail.com> wrote:
> > > > > > > Hi,
> > > > > > >
> > > > > > > I setup the following ipfw rules in freebsd 6.2:
> > > > > > > belmore# ipfw list
> > > > > > > 00001 allow udp from any to any dst-port 500
> > > > > > > 00001 allow esp from any to any
> > > > > > > 00001 allow esp from any to any
> > > > > > > 00001 allow ipencap from any to any
> > > > > > > 00001 allow ipencap from any to any
> > > > > > > 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> > > > > >
> > > > > > I don't think this does the rdr you intended.  Please take a look at
> > > > > > ipfw manpage.
> > > > > >
> > > > > > Best Regards,
> > > > > > sephe
> > > > > >
> > > > > > > I don't know what is wrong that the freebsd server (6.2) can't
> > > > > > > redirect/forward http request to an internal server (web server -
> > > > > > > 192.168.1.222).
> > > > > > >
> > > > > > > Can anyone please give suggestion to modify this rules?
> > > > > > > Or can you please post your workable ipfw rules that achieved the same goal?
> > > > > > >
> > > > > > > Thanks
> > > > > > > S
> > > > > > > _______________________________________________
> > > > > > > freebsd-ipfw at freebsd.org mailing list
> > > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > > > > > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Live Free or Die



-- 
Live Free or Die
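An added example, not code from this thread or from FreeBSD: a small sh/awk lint that checks an `ipfw list` dump and an rc.conf for the two problems discussed above (a `fwd` rule used as a port redirect, and an `allow` for the redirected port sitting in front of the `divert` rule), plus whether natd is started with `-f` at all, since the redirect_port line in the quoted natd.conf is only read when rc.conf passes `-f /etc/natd.conf`. The sample input is constructed from the ruleset and rc.conf quoted above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD. Lints an `ipfw list` dump and
# an rc.conf for the pitfalls discussed above:
#   (1) `fwd` used as a port redirect: the destination address is kept, so the
#       internal host receives a packet addressed to the public IP;
#   (2) an `allow` for the redirected port in front of the `divert` rule, so the
#       packet is accepted before natd can translate it;
#   (3) natd started without `-f`, so a redirect_port line in natd.conf is
#       never read.

lint_ipfw_rules() {   # usage: lint_ipfw_rules PORT < ipfw-list-output ; exit 1 on findings
    awk -v port="$1" '
    $2 == "divert" && divert == "" { divert = $1 + 0 }   # first divert rule
    $2 == "fwd" {
        print "rule " $1 ": fwd keeps the destination address; use divert + natd redirect_port"; bad++
    }
    $2 == "allow" && ($3 == "tcp" || $3 == "ip") && $0 ~ ("dst-port " port "( |$)") && $0 ~ / in( |$)/ {
        if (divert == "") { print "rule " $1 ": accepts port " port " before any divert rule"; bad++ }
    }
    END { if (divert == "") { print "no divert rule: natd never sees a packet"; bad++ }
          if (bad) exit 1 }'
}

check_natd_flags() {  # usage: check_natd_flags < rc.conf ; exit 1 if natd.conf is ignored
    awk '
    /^[ \t]*natd_flags=/ { v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v); flags = v }
    END {
        if (flags ~ /-f[ \t]/ || flags ~ /-redirect_port/) exit 0
        print "natd_flags=" flags ": natd.conf is never read, add -f /etc/natd.conf"; exit 1
    }'
}

# Constructed sample input, trimmed from the ruleset and rc.conf quoted above.
SAMPLE_RULES='00001 allow udp from any to any dst-port 500
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00041 allow tcp from 192.168.1.222 to any out
00050 divert 8668 ip4 from any to any via tun0
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
65535 allow ip from any to any'
SAMPLE_RC='natd_enable="yes"
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible
#natd_flags="-f /etc/natd.conf"'

if printf '%s\n' "$SAMPLE_RULES" | lint_ipfw_rules 80; then echo "ruleset: ok"; else echo "ruleset: needs fixing"; fi
if printf '%s\n' "$SAMPLE_RC" | check_natd_flags; then echo "natd: ok"; else echo "natd: needs fixing"; fi
```

Run it against the real `ipfw list` output and rc.conf of the router; once the three rules in front of the divert are gone and natd is started with `-f`, both checks return 0.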

