Portforwarding - still the same issue

Julian Elischer julian at elischer.org
Mon Oct 27 16:33:16 UTC 2008


Leander S. wrote:
> Roman Kurakin wrote:
>> John Hay wrote:
>>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>>  
>>>> Hi,
>>>>
>>>> I'm trying to set up something like a HotSpot. The goal is to force 
>>>> unregistered users to get redirected to the Captive Portal site where 
>>>> they'll be able to agree to my licence terms and get some information 
>>>> ... etc. ...
>>>>
>>>> So the fact is I need an IPFW rule which forwards port 80,443,8080 
>>>> traffic to another port, i.e. 8080 --> where my Apache will already be 
>>>> waiting to serve the Captive Portal site back to the request.
>>>>
>>>> So I did read the man page and saw something like the fwd rule and the 
>>>> kernel option for it - so I added the option, recompiled the kernel 
>>>> and gave my firewall the following fwd rule in an extra script:
>>>>
>>>>       ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 
>>>> 80,443,8080 in via ${LAN_if}
>>>>
>> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add 
>> some logging in the rule
>> and add one additional deny with logging as the last rule.
> Oh-oh ...  Can't log right now - have to recompile the kernel first ... 
> sorry.
>>> You have to catch it where it is going out and not in. Fwd only works
>>> when packets are out bound.

I think you can forward an incoming packet out again..
I am sure I have done that.

> I don't think so ?! And what sense would it make? Because think twice 
> ... I want to fwd incoming HTTP:80 packets to make them look like 
> HTTP:8080 packets ... the outgoing ones are uninteresting because it's 
> Apache's job to send back website data on port 8080 where it's listening 
> anyway.
>>>
>> But then how come this works for me?
>>
>> ipfw  fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 
>> to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>>
>> rik
>>> John
>>>  
> I tried:
> 
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup 
> in via ath0 keep-state
> 
> as well as this one too:
> 
> [...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80 
> dst-port 8080 setup in via ath0 keep-state
> 
> ^^
> But sadly without success - "root$  ipfw show" doesn't even show me at 
> least one packet going through .... not even blocked ones ... 0 0    ;-)
> 
> 

What version of FreeBSD?
Forwarding was crippled in an early 6.x revision, I think.
You needed to add another option as well.

> 
> 
> But here is my scenario again:
> 
> 127.0.0.1 is my FreeBSD machine where IPFW runs and Apache22 listens on 
> port 8080.
> 
> 192.1.1.0/24 is the ath0 interface where wireless clients will try to 
> click http://google:80 BUT accidentally should be fwded & run into my 
> PortalSite:8080
> 192.1.1.1 is the interface's IP address. 192.1.1.1:8080 would also bring 
> you to the portal site, as well as 127.0.0.1:8080.
> 
> 
> Regards,
> 
> Leander
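The advice in this thread comes down to three things: make the fwd rule stateful, log it, and finish the wireless section with a logged deny. The sh fragment below is an added example (not code from the thread, from Leander's script, or from any FreeBSD rc script) that generates such a ruleset in the `${fwcmd}`-script style Leander uses, and goes one step beyond the thread by exempting already-registered clients through an ipfw lookup table. Assumptions: table number 1 holds registered client addresses, the addresses and interface from Leander's mail are used as constructed defaults, `net.inet.ip.fw.verbose` is 1 so that `log` has an effect, and only the inbound path on the wireless interface is covered; the rest of the host's ruleset is assumed to handle outbound traffic and any DHCP/DNS the portal needs. The rules are printed rather than applied unless APPLY=1 is set, so the ordering can be reviewed on a box without ipfw.

```shell
#!/bin/sh
# Captive-portal ruleset generator for ipfw (added example, not from the thread).
# Constructed defaults taken from Leander's scenario; override via environment.
LAN_IP="${LAN_IP:-192.1.1.1}"        # portal host address on the wireless side
LAN="${LAN:-192.1.1.0/24}"            # wireless client network
LAN_if="${LAN_if:-ath0}"              # wireless interface
PORTAL_PORT="${PORTAL_PORT:-8080}"    # port Apache serves the portal on
REG_TABLE="${REG_TABLE:-1}"           # assumed: ipfw table holding registered clients

# fwcmd is a function here rather than the ${fwcmd} path variable of the
# thread: it prints the rule unless APPLY=1, otherwise runs /sbin/ipfw.
fwcmd() {
    if [ "${APPLY:-0}" != 1 ]; then
        printf 'ipfw %s\n' "$*"
    else
        /sbin/ipfw "$@"
    fi
}

# build_ruleset emits the wireless-side rules in evaluation order.
build_ruleset() {
    # 1. Consult the dynamic ruleset first so that later packets of a flow
    #    that rule 01100 created state for are handled there.
    fwcmd add 01000 check-state
    # 2. Clients already registered (present in the table) pass untouched.
    fwcmd add 01050 allow ip from "table(${REG_TABLE})" to any in via "${LAN_if}"
    # 3. Unregistered web traffic: match only the SYN (setup), log it, forward
    #    it to the portal on the inbound path, and keep state for the flow.
    #    'log' only produces output when net.inet.ip.fw.verbose is 1.
    fwcmd add 01100 fwd "${LAN_IP},${PORTAL_PORT}" log logamount 1000 tcp \
        from "${LAN}" to any dst-port 80,443,8080 in via "${LAN_if}" setup keep-state
    # 4. Everything else arriving from the wireless net is dropped and logged,
    #    which is the rule that makes 'ipfw show' counters explain a silent
    #    failure. Allow rules for DHCP/DNS belong ahead of this line if needed.
    fwcmd add 01200 deny log logamount 1000 ip from "${LAN}" to any in via "${LAN_if}"
}

build_ruleset
```

Run it as-is to review the rules; with `APPLY=1 ./portal-rules.sh` the same function hands each rule to /sbin/ipfw. Clients are admitted with `ipfw table 1 add <address>` once they have accepted the portal page, and the logged deny at the end is what turns the "0 0" counters Leander saw into a visible record of what is actually arriving on the interface.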