Firewall redirect doesn't work any more...

Max Laier max at love2party.net
Fri Sep 19 13:38:07 UTC 2008


On Friday 19 September 2008 14:16:02 Pawel Jakub Dawidek wrote:
> On Fri, Sep 19, 2008 at 09:56:33AM +0200, Pawel Jakub Dawidek wrote:
> > ...or am I missing something?
> >
> > I've a box running:
> >
> > FreeBSD whiplash.wheel.pl 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23
> > 11:41:31 CEST 2008 root at puppet.wheel.pl:/usr/obj/usr/src/sys/WHIPLASH 
> > i386
> >
> > I'm also running PF in there with the following rule:
> >
> > rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123
> > port 88
> >
> > When I connect from 10.0.1.9 to 10.0.0.2:88 I can see the redirected packet
> > leaving the box:
> >
> > IP 10.0.1.9.43210 > 10.0.0.2.88: S [...]
> > IP 10.0.1.9.43210 > 10.0.5.123.88: S [...]
> >
> > Ok. Now I've a box running:
> >
> > FreeBSD bridge.wheel.pl 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Thu Sep
> > 11 13:59:06 CEST 2008 root at bridge.wheel.pl:/usr/obj/usr/src/sys/BRIDGE 
> > i386
> >
> > And the following PF rule:
> >
> > rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9
> > port 88
> >
> > When I connect from 10.0.0.2 to 10.0.5.123:88 I no longer see the redirected
> > packet leaving the box:
> >
> > IP 10.0.0.2.60806 > 10.0.5.123.88: S [...]
> >
> > I tried to redirect packet on the second box with IPFW, but also failed
> > (yes IPFIREWALL_FORWARD was compiled in).
> >
> > Did something get broken or am I missing some configuration hint?
>
> I downgraded to 7.0-RELEASE and the problem was still there, but I found
> a work-around - one needs to set net.inet.ip.forwarding to 1, even
> though the packet is not forwarded between interfaces (everything is related
> to fxp0 only).

I might be wrong, but I don't think we ever supported rdr without 
net.inet.ip.forwarding enabled.  Maybe to a different local address, but even 
then you'd need net.inet.ip.check_interface=0.  Looking at the code, I don't 
see where IPFW forwarding fails (as it has its own ip_forward() call), though.

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
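A preflight check for the rdr rule in this thread, added here as an example (not code from the thread or from FreeBSD): it applies the two conditions Max names, a redirect to another host needs net.inet.ip.forwarding=1 and a redirect to a different local address needs net.inet.ip.check_interface=0, to sysctl and ifconfig output passed in as text. The sysctl values and the interface addresses in the samples are constructed; on a real box feed it the output of `sysctl net.inet.ip.forwarding net.inet.ip.check_interface` and `ifconfig`.

```shell
#!/bin/sh
# Constructed sample in the shape of `sysctl net.inet.ip.forwarding net.inet.ip.check_interface`
SYSCTL_SAMPLE="net.inet.ip.forwarding: 0
net.inet.ip.check_interface: 1"

# Constructed ifconfig-style output; only the "inet" lines are used.
IFCONFIG_SAMPLE="fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.0.5.1 netmask 0xffffff00 broadcast 10.0.5.255
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000"

# sysctl_val <sysctl output> <oid>: prints the value of one OID.
sysctl_val() {
  printf '%s\n' "$1" | awk -v oid="$2" '$1 == (oid ":") { print $2 }'
}

# is_local_addr <ifconfig output> <ipv4>: true when the box owns the address.
is_local_addr() {
  printf '%s\n' "$1" | awk -v a="$2" '$1 == "inet" && $2 == a { found = 1 } END { exit !found }'
}

# rdr_preflight <sysctl output> <ifconfig output> <rdr target address>
# Returns 0 when the rdr target can be reached with the current sysctls,
# 1 when a sysctl has to change first (the verdict is printed either way).
rdr_preflight() {
  fwd=$(sysctl_val "$1" net.inet.ip.forwarding)
  chk=$(sysctl_val "$1" net.inet.ip.check_interface)
  if is_local_addr "$2" "$3"; then
    # Target is one of our own addresses: no forwarding path involved, but the
    # inbound interface check would reject the rewritten packet.
    [ "$chk" = "0" ] && { echo "ok: local target $3, check_interface=0"; return 0; }
    echo "need: sysctl net.inet.ip.check_interface=0 (target $3 is a local address)"
    return 1
  fi
  # Target is another host: the rewritten packet goes through ip_forward().
  [ "$fwd" = "1" ] && { echo "ok: remote target $3, forwarding=1"; return 0; }
  echo "need: sysctl net.inet.ip.forwarding=1 (target $3 is not local)"
  return 1
}

# The thread's rule: rdr ... to 10.0.5.123 port 88 -> 10.0.1.9 port 88, with
# forwarding still 0 in the sample, so the check reports the missing sysctl.
rdr_preflight "$SYSCTL_SAMPLE" "$IFCONFIG_SAMPLE" 10.0.1.9 || echo "(preflight failed, as expected for the sample)"
```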

