Firewall redirect doesn't work any more...

Pawel Jakub Dawidek pjd at FreeBSD.org
Mon Sep 22 13:48:33 UTC 2008


On Mon, Sep 22, 2008 at 05:31:08PM +0400, Roman Kurakin wrote:
> So, could you draw your connections and related firewall rules. And the
> one you are trying to setup. I will also try to update the machine to the
> most recent 7 to see if my setup will stop working. Currently machine runs
> early September checkout.


client (10.0.1.1) -----> bridge (10.0.5.123) -----> server (10.0.0.2) 

ifnet = "bridge0"
rdr on $ifnet proto tcp from any to any port 12345 -> 10.0.5.123 port 12345
rdr on $ifnet proto udp from any to any port 12345 -> 10.0.5.123 port 12345

net.inet.ip.forwarding=1

To test my redirection I run:

server# nc -u -l 12345
client# nc -u 10.0.0.2 12345

For UDP it works, for TCP it doesn't:

server# nc -l 12345
client# nc 10.0.0.2 12345

Although it works even with bridge0 and TCP connections, but when bridge
machine is treated as gateway, eg.

server# nc -l 12345
client# route add 1.0.0.0/24 10.0.5.123
client# nc 10.0.0.2 12345

> PS. Also check the mac address issue that was discussed here (case where the
> brdige0 and the first bridge member share the same MAC).

That's not the case on my test machines.

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
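As an added illustration, not part of this thread and not the poster's own configuration: a complete pf.conf for the bridge-as-gateway setup described in the message. The interface macro, addresses and port are the ones from the post; the pass rules and the macro names `target` and `svc_port` are assumptions for the example.

```pf
# Added example, not from the thread: a complete pf.conf for the
# bridge-as-gateway setup described above. Addresses and port are the
# ones in the post; the pass rules are assumed, not taken from the thread.
ifnet = "bridge0"
target = "10.0.5.123"
svc_port = "12345"

# Redirect both TCP and UDP on the service port to the bridge host itself.
rdr on $ifnet proto { tcp, udp } from any to any port $svc_port -> $target port $svc_port

# rdr only rewrites the destination; the translated packet still has to be
# passed by the filter. Keeping state lets the reply direction match the
# same entry, which matters for TCP where both directions must line up.
pass in quick on $ifnet proto { tcp, udp } from any to $target port $svc_port keep state
pass out quick on $ifnet keep state
```

Load it with `pfctl -nf /etc/pf.conf` to syntax-check and `pfctl -f /etc/pf.conf` to apply; `net.inet.ip.forwarding=1` belongs in /etc/sysctl.conf so it survives a reboot. To see whether a redirect actually happens for a TCP connection, compare `pfctl -s nat` (the translation rule is loaded) with `pfctl -s state` while the client's `nc` is open: a UDP test that works and a TCP test that does not will show up as a state entry present for one and missing for the other. Since frames between bridge members can be forwarded at layer 2 without ever reaching the IP layer on bridge0, also check `sysctl net.link.bridge.pfil_bridge` and `net.link.bridge.pfil_member`, which control whether pf filters on the bridge interface, on the member interfaces, or both.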

