RELENG_5 ipfw problem

Oliver Brandmueller ob at e-Gitt.NET
Mon Aug 30 03:32:19 PDT 2004


On Fri, Aug 27, 2004 at 05:28:07PM +0200, Andre Oppermann wrote:
> It detects a missing dummynet because it has to pass on configuration
> options to dummynet and it can only do that if dummynet is loaded.  For
> FORWARD this is not the case.  Here the ipfw code just tags the packet
> for later treatment.  And that later treatment is scattered through a
> few places where we have to inspect each packet it carries this tag.
> >- How to enable it?
> Put "option IPFIREWALL_FORWARD" into your kernel configuration file and
> recompile.

I do now have IPFIREWALL and IPFIREWALL_FORWARD in the kernel and am not 
loading it as a module anymore. The dmesg now states:

ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

OK, fine. But I do still have a problem:

The rule is loaded and matched. Instead of just dropping the packet (as 
before, when rule-based forwarding was disabled) the packets are now 
accepted, but the forwarding does not work:

00200 fwd tcp from 25 to 213.XXX.XXX.0/24

I still see this on em0 (the public interface in the destination 
network mentioned in rule 200):

12:26:09.674295 IP > 213.XXX.XXX.XXX.41424: S 
	3583621218:3583621218(0) ack 3993419222 win 65535 <mss 1460>

# ipfw show
00200   2694   118536 fwd tcp from 25 to 213.XXX.XXX.0/24

packets are accepted, but not forwarded. Can anyone else reproduce this?

- Oliver

| Oliver Brandmueller | Offenbacher Str. 1  | Germany       D-14197 Berlin |
| Phone +49-172-3130856 | Fax +49-172-3145027 | WWW: |
|               I am the Internet. As surely as I help God.                |
| Commercial use of any of the addresses contained herein is not permitted! |
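The two checks Oliver performs above (reading the ipfw banner in dmesg to confirm that IPFIREWALL_FORWARD is compiled in, and reading `ipfw show` counters to see whether the fwd rule is matching) are easy to script so they can be repeated after each kernel rebuild. The following POSIX sh functions are an added example written for this page; they are not code from the thread or from FreeBSD. The dmesg and `ipfw show` samples are constructed to resemble the output in the post (the fwd target 192.0.2.1 and the 203.0.113.0/24 destination are documentation addresses chosen here, not values from the thread), and the awk field positions assume plain `ipfw show` output without the extra timestamp column that `ipfw -t show` adds.

```shell
#!/bin/sh
# Added example: verify that rule-based forwarding is compiled into ipfw
# and list which fwd rules have actually matched traffic.

# Constructed sample of the ipfw banner as printed to dmesg at boot.
DMESG_SAMPLE='em0: <Intel(R) PRO/1000 Network Connection> port 0xd000-0xd03f
ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled'

# Constructed sample of `ipfw show` output: rule number, packets, bytes, body.
# Rule 200 mirrors the post's rule but with a placeholder fwd target.
IPFW_SHOW_SAMPLE='00100      0        0 allow ip from any to any via lo0
00200   2694   118536 fwd 192.0.2.1 tcp from any 25 to 203.0.113.0/24
65535  12345  6789012 deny ip from any to any'

# forward_enabled DMESG_TEXT
# Succeeds (exit 0) only if the ipfw banner reports forwarding support,
# i.e. the kernel was built with IPFIREWALL_FORWARD.
forward_enabled() {
    printf '%s\n' "$1" |
        grep -q 'ipfw2 initialized.*rule-based forwarding enabled'
}

# matched_fwd_rules IPFW_SHOW_TEXT
# Prints "rule packets bytes target" for every fwd rule whose packet
# counter is non-zero. A fwd rule that is missing here has never matched;
# one that is present has matched, so any remaining breakage lies past
# the ipfw rule itself (as in the post, where counters rise but no
# forwarding happens).
matched_fwd_rules() {
    printf '%s\n' "$1" |
        awk '$4 == "fwd" && $2 > 0 { print $1, $2, $3, $5 }'
}

# Stand-alone run over the constructed samples.
if forward_enabled "$DMESG_SAMPLE"; then
    echo "ipfw: rule-based forwarding enabled"
else
    echo "ipfw: forwarding NOT enabled; add 'options IPFIREWALL_FORWARD'"
fi
echo "fwd rules with matches (rule pkts bytes target):"
matched_fwd_rules "$IPFW_SHOW_SAMPLE"
```

On a live system replace the samples with `dmesg | grep ipfw2` and `ipfw show` output; if `forward_enabled` fails, the rule will be accepted syntactically but behave as the module-loaded case did, and if the rule never appears in `matched_fwd_rules` the problem is rule matching rather than forwarding.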
