rdr not working for transparent http - 5.4-stable

Giovanni P. Tirloni gpt at tirloni.org
Sun Jul 31 01:49:02 GMT 2005


Abu Khaled wrote:
> On 7/30/05, Giovanni P. Tirloni <gpt at tirloni.org> wrote:
> 
>>Giovanni P. Tirloni wrote:
>>
>>>Max Laier wrote:
>>>
>>>
>>>>One thing comes to my mind: What does
>>>>    $sysctl net.inet.ip.forwarding
>>>>say?
>>>
>>>
>>># sysctl net.inet.ip.forwarding
>>>net.inet.ip.forwarding: 1
>>>
>>>I had some tweaks in /etc/sysctl but disabling them didn't help either.
>>>
>>>#net.inet.ip.check_interface=1
>>>#net.inet.tcp.blackhole=2
>>>#net.inet.udp.blackhole=1
>>>
>>
>>  I forgot to mention this box had ipfw+dummynet (with two queues)
>>activated. I disabled ipfw in the kernel and pf rdr worked again! Just
>>removing the ipfw rules didn't work.
>>
>>  Weird enough, I don't have dummynet on the other 2 machines that have
>>the same problem. But ipfw is compiled in but disabled.
>>
>>  I'll try to disable ipfw on the other boxes and see what happens there
>>to confirm this.
> 
> 
> If ipfw is compiled in the kernel and it defaults to deny all, then
> you need to add rules for ipfw to allow connections to and from
> localhost (127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr
> traffic'.
> 
> # ipfw add allow tcp from $lan_net to 127.0.0.1 3128
> # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net
> 
> Put the rules before any anti spoofing rules in ipfw.
> 

  I think there's something in the code that makes it not work because I 
set ipfw to accept by default on every machine I have. There must be 
something else.

-- 
Giovanni P. Tirloni / gpt at tirloni.org / PGP: 0xD0315C26
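Added illustration of the rule-ordering point in Abu Khaled's reply, not code from the thread: a small Python model of ipfw first-match evaluation, run over a constructed ruleset that places the proxy allow rules after the loopback anti-spoof denies, and again with them moved in front. It assumes ipfw sees the packet after pf has already rewritten its destination to 127.0.0.1:3128, and it ignores interface-bound (via/recv/xmit) and stateful rules.

```python
import re
from ipaddress import ip_address, ip_network
RULE_RE = re.compile(
    r"^(\d+)\s+(allow|accept|pass|deny|drop)\s+(\S+)\s+from\s+(\S+)"
    r"(?:\s+(\d+))?\s+to\s+(\S+)(?:\s+(?:dst-port\s+)?(\d+))?(.*)$")

def parse_rules(text):
    """Parse `ipfw list`-style lines ("NNNNN action proto from src [port] to dst [port] [opts]")
    into dicts sorted by rule number; lines in any other shape are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            num, action, proto, src, sport, dst, dport, opts = m.groups()
            rules.append({"num": int(num), "allow": action in ("allow", "accept", "pass"), "proto": proto,
                          "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": opts.split()})
    return sorted(rules, key=lambda r: r["num"])

def _addr_match(spec, addr):
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)

def first_match(rules, src, sport, dst, dport, direction):
    """First-match evaluation of one TCP packet; returns (rule number, allowed?)."""
    for r in rules:
        if r["proto"] not in ("ip", "tcp"):
            continue
        if any(o in r["opts"] for o in ("via", "recv", "xmit")):
            continue  # simplification: interface-bound rules are treated as not matching
        if ("in" in r["opts"] and direction != "in") or ("out" in r["opts"] and direction != "out"):
            continue
        if not (_addr_match(r["src"], src) and _addr_match(r["dst"], dst)):
            continue
        if (r["sport"] and int(r["sport"]) != sport) or (r["dport"] and int(r["dport"]) != dport):
            continue
        return r["num"], r["allow"]
    return 65535, False  # nothing matched: ipfw's implicit default rule denies

def proxy_request_verdict(text, client="192.168.1.10"):
    """Verdict for a LAN client's request after pf has rdr'ed it to 127.0.0.1:3128 (assumed)."""
    return first_match(parse_rules(text), client, 40000, "127.0.0.1", 3128, "in")

# Constructed ruleset (not from the thread): the proxy allows sit AFTER the anti-spoof denies.
BROKEN = """\
00100 allow ip from any to any via lo0
00200 deny ip from 127.0.0.0/8 to any in
00300 deny ip from any to 127.0.0.0/8 in
00400 allow tcp from 192.168.1.0/24 to 127.0.0.1 3128
00500 allow tcp from 127.0.0.1 3128 to 192.168.1.0/24
65535 deny ip from any to any
"""
# The same rules renumbered so the allows come before the anti-spoof rules, as the reply advises.
FIXED = BROKEN.replace("00400 allow", "00150 allow").replace("00500 allow", "00160 allow")
```

With BROKEN the redirected request dies at rule 300 before its allow rule is ever consulted; with FIXED it is accepted by rule 150, and the proxy's reply by rule 160.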
