fwd problem
H.fazaeli
fazaeli at sepehrs.com
Mon Jun 9 10:20:15 UTC 2008
. On the gateway, place the fwd rule before the divert rule.
. Run tcpdump and 'ipfw -a list' on __proxy__ and see if packets really
reach the proxy/squid or not.
. A network diagram would be helpful in case the problem still persists.
David Martens wrote:
> I've taken H.Fazaeli's suggestion and moved the proxy to the same
> class C as the gateway with no change.
>
> So now my rule set on the gateway is:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00890 allow ip from any to 192.168.0.2
> 00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
>
>
> And on the proxy:
>
> 00080 allow tcp from any to any out
> 00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80
>
>
> For testing purposes I've set the forward to only a single ip
> address. Eventually this will be set to the entire /22 subnet.
>
> A tcpdump on the LAN interface on the gateway indicates traffic from
> 192.168.1.60 and the fwd rule increments, but the packets don't make it
> to the proxy. They are not dropped, the requested web pages load fine
> in the browser, just no proxy.
>
> On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
>
>>
>> This is what is happening:
>>
>> 1. Client's packet matches the fwd rule on the gateway.
>> 2. Gateway tries to fwd the packet to 192.168.3.2. For this, it should
>> replace the destination mac address with that of the proxy (192.168.3.22).
>> 3. Gateway fails to obtain the proxy mac address, since it is not on the
>> same subnet as the proxy (cannot use arp).
>> 4. fwd rule drops the packet.
>>
>> FIX: assign a 192.168.3.XXX address to the gateway's interface
>> which the proxy is supposed to be reachable from.
>>
>>
>>
>> David Martens wrote:
>>> I'm trying to set up a transparent proxy using two machines, the
>>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>>> so everything is on the same subnet.
>>>
>>> I set the following rules on the gateway:
>>>
>>> 00100 allow ip from any to any via lo0
>>> 00110 deny ip from any to 127.0.0.0/8 via en0
>>> 00800 divert 8668 ip from any to any via en0
>>> 00850 deny ip from any to any in frag
>>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>>
>>> When I get a packet count (ipfw -a list) rule 990 increments when I
>>> try to access a web page.
>>>
>>> On the proxy box I have the following rules:
>>>
>>> 00100 allow tcp from 192.168.3.22 to any
>>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>>
>>> rule 110 never receives any forwarded packets. Any ideas what I've
>>> done wrong here? The http requests do go out, but are not forwarded
>>> through the proxy.
>>> _______________________________________________
>>> freebsd-ipfw at freebsd.org mailing list
>>> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
>>> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
>>>
>>>
>>
>> --
>>
>>
>> Best regards.
>>
>> Hooman Fazaeli <hf at sepehrs.com>
>> Sepehr S. T. Co. Ltd.
>>
>> Web: http://www.sepehrs.com
>> Tel: (9821)88975701-2
>> Fax: (9821)88983352
--
Best regards.
Hooman Fazaeli <hf at sepehrs.com>
Sepehr S. T. Co. Ltd.
Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352
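As an added example (not code from the thread or from ipfw itself), a small POSIX sh script that encodes the two checks this reply turns on: whether the fwd next hop lies on a directly connected subnet of the gateway (the ARP failure described in the quoted message), and whether the fwd rule is numbered before the divert rule. The rule dump is a constructed sample in plain `ipfw list` format, and the function names (`ip2int`, `fwd_onlink`, `fwd_before_divert`) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Two sanity checks for the ipfw
# "fwd" setup discussed above; runs without ipfw on a sample rule dump.

# ip2int <dotted-quad>: print the address as an unsigned 32-bit integer
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# fwd_onlink <next-hop> <iface-addr> <iface-mask>: succeeds only when the
# fwd target shares the interface's subnet. ipfw fwd hands the packet to
# that next hop directly, so the gateway must be able to ARP for it; an
# off-link target cannot be resolved and the packet never reaches the proxy.
fwd_onlink() {
    hop=$(ip2int "$1"); addr=$(ip2int "$2"); mask=$(ip2int "$3")
    [ $(( hop & mask )) -eq $(( addr & mask )) ]
}

# fwd_before_divert <ipfw-list-output>: prints "ok" when every fwd rule is
# numbered below the first divert rule, else "divert-before-fwd" (the
# reply above asks for the fwd rule to precede the divert rule).
fwd_before_divert() {
    printf '%s\n' "$1" | awk '
        $2 == "divert" && first == "" { first = $1 + 0 }
        $2 == "fwd" && first != "" && ($1 + 0) > first { bad = 1 }
        END { print (bad ? "divert-before-fwd" : "ok") }'
}

# Constructed sample in "ipfw list" format, mirroring the gateway rules above.
GATEWAY_RULES='00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8 via en0
00800 divert 8668 ip from any to any via en0
00850 deny ip from any to any in frag
00890 allow ip from any to 192.168.0.2
00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80'

# Gateway 192.168.0.1 forwarding to proxy 192.168.3.22 (addresses from the thread)
fwd_onlink 192.168.3.22 192.168.0.1 255.255.252.0 && echo "/22 mask: proxy is on-link"
fwd_onlink 192.168.3.22 192.168.0.1 255.255.255.0 || echo "/24 mask: proxy is off-link, fwd cannot ARP for it"
echo "rule order: $(fwd_before_divert "$GATEWAY_RULES")"
```

Run it against the output of `ipfw list` on the gateway and the interface address and netmask from `ifconfig` to reproduce the two checks on a real box.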