Firewall redirect doesn't work any more...
Pawel Jakub Dawidek
pjd at FreeBSD.org
Mon Sep 22 14:24:53 UTC 2008
On Mon, Sep 22, 2008 at 06:11:35PM +0400, Roman Kurakin wrote:
> Pawel Jakub Dawidek wrote:
> >On Mon, Sep 22, 2008 at 05:31:08PM +0400, Roman Kurakin wrote:
> >
> >>So, could you draw your connections and related firewall rules, and the
> >>one you are trying to set up. I will also try to update the machine to
> >>the most recent 7 to see if my setup will stop working. Currently the
> >>machine runs an early September checkout.
> >>
> >
> >client (10.0.1.1) -----> bridge (10.0.5.123) -----> server (10.0.0.2)
> >
> >ifnet = "bridge0"
> >rdr on $ifnet proto tcp from any to any port 12345 -> 10.0.5.123 port 12345
> >rdr on $ifnet proto udp from any to any port 12345 -> 10.0.5.123 port 12345
> >
> Try also to play with stateful switches for pf. [...]
Adding the following made even UDP non-working:
pass in on $ifnet proto udp from any to any keep state
For TCP there was no difference.
> [...] By the way, do you have any global that affects defaults?
Besides net.inet.ip.forwarding=1, no, although I tried various
settings for net.link.bridge.*.
> >Although it works even with bridge0 and TCP connections, but when bridge
> >machine is treated as gateway, eg.
> >
> >server# nc -l 12345
> >client# route add 1.0.0.0/24 10.0.5.123
> >client# nc 10.0.0.2 12345
> >
> And what about ipfw variant?
For the first (bridge) case ipfw didn't work at all. No packets were
redirected. I haven't tried for the gateway case, because pf works
there.
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd at FreeBSD.org http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
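The ruleset below is an added illustration written for this page, not Pawel's pf.conf and not a fix for the behaviour he reports. It takes the rdr rules and the stateful pass rule from the thread and makes them observable: the translation and pass rules are written against an explicit list of filter points, and the pass rules log to pflog0 so it is visible whether the redirected packets are seen by pf at all. The member interface names em0 and em1 are assumptions; bridge0, 10.0.5.123 and port 12345 come from the thread.

```pf
# Added example, not from the original mail. Macros other than bridge0,
# 10.0.5.123 and 12345 (em0, em1 as bridge members) are assumptions.
filter_ifs = "{ bridge0 em0 em1 }"
redir      = "10.0.5.123"
svc        = "12345"

# rdr is evaluated on the interface the packet arrives on. With the if_bridge(4)
# defaults net.link.bridge.pfil_bridge=1 and net.link.bridge.pfil_member=1, pf
# is hooked both on bridge0 and on the member interfaces, so the rules list
# every interface that may present the packet instead of relying on one hook.
rdr on $filter_ifs proto { tcp udp } from any to any port $svc -> $redir port $svc

# Filter rules see the already translated destination, hence "to $redir".
# "log" sends matching packets to pflog0 for inspection with tcpdump.
pass in log on $filter_ifs proto tcp from any to $redir port $svc flags S/SA keep state
pass in log on $filter_ifs proto udp from any to $redir port $svc keep state
pass out keep state
```

To check what pf actually does with a test connection: `pfctl -vvsn` shows per-rule evaluation and match counters for the rdr rules, `pfctl -ss` shows whether a translated state was created, and `tcpdump -n -e -ttt -i pflog0` shows which interface the logged packets were matched on. `sysctl net.link.bridge.pfil_bridge net.link.bridge.pfil_member` confirms which of the two hooks are enabled on the bridge host.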