kern/71230: ipfw fwd on 5.3 always causes EACCES on sendto() - whereas 5.2 worked just fine

Mark Delany cxscf-pvnvk at
Wed Sep 1 01:10:16 PDT 2004

>Number:         71230
>Category:       kern
>Synopsis:       ipfw fwd on 5.3 always causes EACCES on sendto() - whereas 5.2 worked just fine
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 01 08:10:15 GMT 2004
>Originator:     Mark Delany
>Release:        5.3-BETA2
FreeBSD 5.3-BETA2 FreeBSD 5.3-BETA2 #4: Sun Aug 29 08:48:14 PDT 2004     root at  i386

I have a firewall system with two interfaces to the internet via two ISPs. As a kind of hack, I used the ipfw fwd rules to force packets out the interface that matched their source address. In effect, overriding the default route.

If interface A has an address of and a forwarding router of and interface B has an address of with a forwarding router of, and interface A has the default route, I created ipfw rules along the lines of:

fwd ip from to any via B

In effect, intercepting a packet going out the default route and forwarding it via the non-default route.

Sorry about the vagueness; the actual application is aiming natd at the non-default route.

In any event, this crude strategy worked just fine with 5.2, but on upgrading to 5.3, all packets that hit the fwd rule are returning EACCES to the sending process.

On a box with two interfaces, do the following:

a) Configure interface A to
b) Configure interface B to
c) Set the default route to be, i.e., interface A
d) ipfw fwd ip from to any via A

e) Write or run a program that binds to an interface B address and sends a packet to some random external address, say,

The point about e) is that you are binding to the non-default-route address.
The point about d) is that you are catching default-route traffic and forwarding it down another pipe.

This represents my scenario, but quite possibly any ipfw fwd rule will produce the same result. Namely, that the application that does a sendto() that hits a fwd rule gets EACCES.
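The test program step e) asks for, written as an added example that is not part of the PR or of FreeBSD: it binds a UDP socket to a chosen local source address, sends one datagram, and returns the errno from sendto(), so the EACCES the report describes can be confirmed or ruled out. The source and destination addresses are assumptions; run it with interface B's address and an external destination on the affected box.

```c
/* Added example (not from the PR): bind to a given source address, send one
 * UDP datagram, and report whether sendto() succeeded or which errno it set. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a UDP socket to src_ip, send one datagram to dst_ip:dst_port, and
 * return 0 on success or the errno that bind() or sendto() produced. */
int send_from(const char *src_ip, const char *dst_ip, unsigned short dst_port)
{
    struct sockaddr_in src, dst;
    int s = socket(AF_INET, SOCK_DGRAM, 0);
    if (s < 0)
        return errno;

    memset(&src, 0, sizeof src);
    src.sin_family = AF_INET;
    src.sin_port = 0;                              /* any local port */
    if (inet_pton(AF_INET, src_ip, &src.sin_addr) != 1) { close(s); return EINVAL; }
    if (bind(s, (struct sockaddr *)&src, sizeof src) < 0) { int e = errno; close(s); return e; }

    memset(&dst, 0, sizeof dst);
    dst.sin_family = AF_INET;
    dst.sin_port = htons(dst_port);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1) { close(s); return EINVAL; }

    const char payload[] = "ipfw fwd test";       /* constructed test datagram */
    ssize_t n = sendto(s, payload, sizeof payload, 0, (struct sockaddr *)&dst, sizeof dst);
    int result = (n < 0) ? errno : 0;
    close(s);
    return result;
}

int main(int argc, char **argv)
{
    /* Usage: ./sendtest <local-src-ip> <dest-ip>; defaults are placeholder loopback values. */
    const char *src = argc > 1 ? argv[1] : "127.0.0.1";
    const char *dst = argc > 2 ? argv[2] : "127.0.0.1";
    int e = send_from(src, dst, 33434);
    if (e == 0)
        printf("sendto() from %s to %s succeeded\n", src, dst);
    else
        printf("sendto() from %s to %s failed: %s (errno %d)%s\n", src, dst, strerror(e), e,
               e == EACCES ? "  <- the symptom described in the PR" : "");
    return e != 0;
}
```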
