forwarding http requests with ipfw
Robert Collins
rcollins at hwi.buffalo.edu
Sat Dec 31 05:33:32 PST 2005
>
> What's happening here is that since the dest address is not changed, the
> packet never leaves the machine with the fwd rule.
>
> If you want to see it, make your fwd rule look like this:
>
> fwd 216.136.204.117 log tcp from any to me dst-port 80
>
> then tail -f /var/log/security when you try to browse to "privatehost".
I was thinking that maybe the packet was never leaving the machine for that
very reason, but then I started to wonder what purpose
IPFIREWALL_FORWARD_EXTENDED serves. The manpage states:

    With the additional option "options IPFIREWALL_FORWARD_EXTENDED" all
    safeguards are removed and it also makes it possible to redirect packets
    destined to locally configured IP addresses.

Redirect them where? Just for kicks I tried a little test to see if the
packet was getting handled by the "destination address". I did a "sshd -p
80", and wasn't able to connect to sshd. On the other hand, I was able to
connect by doing a "sshd -p 81". So they aren't being "redirected" to the
destination address. They aren't being redirected to the source address and
they aren't going to lo0. So where are they being "redirected" to? That is
why I figured I was doing something wrong. If it's true that the packets
never leave the machine, then what is the purpose of
IPFIREWALL_FORWARD_EXTENDED? What's an example of a use for it?

"ipfw fwd <address> log" doesn't help with my understanding of what is going
on. I also tried logging my match-all rule. Nothing there either. The packet
comes in, matches the fwd rule and disappears.
thanks
-rcollins