forwarding http requests with ipfw
Glenn Dawson
glenn at antimatter.net
Fri Dec 30 22:52:22 PST 2005
At 10:34 PM 12/30/2005, Robert Collins wrote:
>>At 09:07 PM 12/30/2005, Robert Collins wrote:
>>>I've got a situation where I've got an internal host using a
>>>private ip/domainname. Let's say for the sake of this discussion
>>>the host is privatehost.internal.freebsd.org. privatehost isn't
>>>running a webserver. But I would like machines on the
>>>internal.freebsd.org network to query privatehost as if it was.
>>>When one of these machines queries privatehost I would like
>>>privatehost to forward those requests to my webserver,
>>>www.freebsd.org, so that it can handle the request. In order to
>>>accomplish that I have done the following:
>>>
>>>My kernel was compiled with these options:
>>>options IPFIREWALL
>>>options IPFIREWALL_FORWARD
>>>options IPFIREWALL_FORWARD_EXTENDED
>>>
>>>
>>>"ipfw list" looks like this:
>>>00100 allow ip from any to any via lo0
>>>00110 deny ip from any to 127.0.0.0/8
>>>00120 deny ip from 127.0.0.0/8 to any
>>>10000 fwd 216.136.204.117 tcp from any to me dst-port 80
>>>65000 allow ip from any to any
>>>65535 deny ip from any to any
>>>
>>>The problem I am having is that it seems the packets never leave
>>>privatehost. tcpdump shows packets coming in destined for port 80.
>>>"ipfw show" shows that packets are matching my rule, but tcpdump
>>>never shows any packets going out to 216.136.204.117. tcpdump on
>>>216.136.204.117 also shows that no packets are being received. I
>>>did a tcpdump on lo0 just for kicks, and that didn't show
>>>anything. It seems as if the packets are just disappearing.
>>>Someone on #freebsdhelp suggested doing a "sysctl -w
>>>net.inet.ip.forwarding=1" but that didn't help the situation. Is
>>>there something minor I'm missing here...or am I totally off in my
>>>understanding of how "ipfw fwd" works?
>>
>>To quote the ipfw man page:
>>
>>"The fwd action does not change the contents of the packet at
>>all. In particular, the destination address remains unmodified, so
>>packets forwarded to another system will usually be rejected by
>>that system unless there is a matching rule on that system to capture them."
>>
>>You probably need to re-think what you are trying to do.
>
>My understanding of this portion of the man page is that the machine
>receiving the packet, in this case www.freebsd.org, needs to be
>prepared to receive a packet whose destination address is not its
>own. If I am correct in my interpretation then this part of the man
>page is irrelevant to my problem. My question is not, why is
>www.freebsd.org not receiving the packet. My question is, why is
>privatehost.internal.freebsd.org not sending the packet.
What tcpdump rules are you using to look for packets leaving
"privatehost"? Same question for packets arriving at 216.136.204.117?
-Glenn
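As an added illustration (not code from this thread, and not FreeBSD's own code), here is a small Python model of the quoted "ipfw list" and of the man-page statement that fwd leaves the destination address unmodified; privatehost's own address, the client address and the interface name are assumptions.

```python
# Added illustration, not code from the thread or from FreeBSD: a model of the
# quoted "ipfw list" and of the man-page statement that "fwd" leaves the
# destination address unmodified. Addresses of privatehost are assumed.
from dataclasses import dataclass, replace
from typing import Optional

ME = "10.0.0.5"                   # assumed: privatehost's own address ("me")
FWD_TARGET = "216.136.204.117"    # next hop named in rule 10000

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    iface: str
    next_hop: Optional[str] = None   # None: route normally on dst

def apply_ipfw(pkt: Packet) -> tuple:
    """Walk the quoted rule set top to bottom; return (rule number, packet or None)."""
    if pkt.iface == "lo0":                                   # 00100 allow via lo0
        return 100, pkt
    if pkt.dst.startswith("127."):                           # 00110 deny to 127/8
        return 110, None
    if pkt.src.startswith("127."):                           # 00120 deny from 127/8
        return 120, None
    if pkt.proto == "tcp" and pkt.dst == ME and pkt.dport == 80:
        # 10000 fwd: only the next hop changes; src/dst/ports stay as they were
        return 10000, replace(pkt, next_hop=FWD_TARGET)
    return 65000, pkt                                        # 65000 allow any

def bpf_dst_host(pkt: Packet, host: str) -> bool:
    """What a tcpdump 'dst host X' filter tests: the IP header's destination."""
    return pkt.dst == host

def bpf_dst_port(pkt: Packet, port: int) -> bool:
    """What a tcpdump 'dst port N' filter tests."""
    return pkt.dport == port

def forwarded_web_request(client: str = "10.0.0.20") -> Packet:
    """Constructed sample: a client on the internal net connects to privatehost:80."""
    _, out = apply_ipfw(Packet(client, ME, "tcp", 80, "em0"))
    return out

if __name__ == "__main__":
    p = forwarded_web_request()
    print("next hop:", p.next_hop, "| dst still:", p.dst)
    print("matches 'dst host %s':" % FWD_TARGET, bpf_dst_host(p, FWD_TARGET))
    print("matches 'dst port 80':", bpf_dst_port(p, 80))
```

Under this model a capture filter of the form `dst host 216.136.204.117` run on privatehost's outbound interface cannot match the forwarded packets, because their destination field is still privatehost's address; a filter on `dst port 80` does match them.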