forwarding http requests with ipfw
Robert Collins
rcollins at hwi.buffalo.edu
Fri Dec 30 23:25:32 PST 2005
----- Original Message -----
From: "Glenn Dawson" <glenn at antimatter.net>
To: "Robert Collins" <rcollins at hwi.buffalo.edu>;
<freebsd-questions at freebsd.org>
Sent: Saturday, December 31, 2005 1:46 AM
Subject: Re: forwarding http requests with ipfw
> At 10:34 PM 12/30/2005, Robert Collins wrote:
>>>At 09:07 PM 12/30/2005, Robert Collins wrote:
>>>>I've got a situation where I've got an internal host using a private
>>>>ip/domainname. Let's say for the sake of this discussion the host is
>>>>privatehost.internal.freebsd.org. privatehost isn't running a webserver.
>>>>But I would like machines on the internal.freebsd.org network to query
>>>>privatehost as if it was. When one of these machines queries privatehost
>>>>I would like privatehost to forward those requests to my webserver,
>>>>www.freebsd.org, so that it can handle the request. In order to
>>>>accomplish that I have done the following:
>>>>
>>>>My kernel was compiled with these options:
>>>>options IPFIREWALL
>>>>options IPFIREWALL_FORWARD
>>>>options IPFIREWALL_FORWARD_EXTENDED
>>>>
>>>>
>>>>"ipfw list" looks like this:
>>>>00100 allow ip from any to any via lo0
>>>>00110 deny ip from any to 127.0.0.0/8
>>>>00120 deny ip from 127.0.0.0/8 to any
>>>>10000 fwd 216.136.204.117 tcp from any to me dst-port 80
>>>>65000 allow ip from any to any
>>>>65535 deny ip from any to any
>>>>
>>>>The problem I am having is that it seems the packets never leave
>>>>privatehost. tcpdump shows packets coming in destined for port 80. "ipfw
>>>>show" shows that packets are matching my rule, but tcpdump never shows
>>>>any packets going out to 216.136.204.117. tcpdump on 216.136.204.117
>>>>also shows that no packets are being received. I did a tcpdump on lo0
>>>>just for kicks, and that didn't show anything. It seems as if the
>>>>packets are just disappearing. Someone on #freebsdhelp suggested doing a
>>>>"sysctl -w net.inet.ip.forwarding=1" but that didn't help the situation.
>>>>Is there something minor I'm missing here...or am I totally off in my
>>>>understanding of how "ipfw fwd" works?
>>>
>>>To quote the ipfw man page:
>>>
>>>"The fwd action does not change the contents of the packet at all. In
>>>particular, the destination address remains unmodified, so packets
>>>forwarded to another system will usually be rejected by that system
>>>unless there is a matching rule on that system to capture them."
>>>
>>>You probably need to re-think what you are trying to do.
>>
>>My understanding of this portion of the man page is that the machine
>>receiving the packet, in this case www.freebsd.org, needs to be prepared
>>to receive a packet whose destination address is not its own. If I am
>>correct in my interpretation then this part of the man page is irrelevant
>>to my problem. My question is not, why is www.freebsd.org not receiving
>>the packet. My question is, why is privatehost.internal.freebsd.org not
>>sending the packet.
>
> What tcpdump rules are you using to look for packets leaving
> "privatehost"? Same question for packets arriving at 216.136.204.117?
>
On both machines I tried "tcpdump -n port 80". "privatehost" says:
02:15:32.542383 IP 10.1.35.10.1732 > 10.1.35.72.80: S
2200576146:2200576146(0) win 65535 <mss 1460,nop,nop,sackOK>
There is no output for 216.136.204.117. I've also tried " tcpdump -n host
216.136.204.117" on privatehost. That rule doesn't produce any output.
-rcollins
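The quoted ipfw(8) text is the whole story: fwd only overrides the next hop and never rewrites the IP header. The script below is an added example, not part of the thread or of anyone's posted configuration. It shows fwd in its documented role (policy routing: choosing a different gateway for port-80 traffic) and, because the destination address stays unchanged, a tcpdump filter that can actually see a forwarded packet. It reuses the addresses from the thread (10.1.35.72 for privatehost, as seen in the tcpdump output; 216.136.204.117 for the web server) and assumes a hypothetical interface name em0, a hypothetical LAN router 10.1.35.1, and a kernel built with the IPFIREWALL and IPFIREWALL_FORWARD options as in the original post.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed values:
#   LAN_IF=em0          hypothetical interface name
#   ME=10.1.35.72       privatehost, taken from the tcpdump line in the thread
#   NEXT_HOP=10.1.35.1  hypothetical router on the same LAN
#   WEB=216.136.204.117 the web server named in the thread
# Needs a kernel with options IPFIREWALL and IPFIREWALL_FORWARD.
LAN_IF=${LAN_IF:-em0}
ME=${ME:-10.1.35.72}
NEXT_HOP=${NEXT_HOP:-10.1.35.1}
WEB=${WEB:-216.136.204.117}

# Emit a ruleset in the file format ipfw(8) reads ("ipfw [-q] pathname").
# fwd changes only the next hop: the packet still carries dst=$WEB, so
# $NEXT_HOP must itself be willing to route it onward.
ruleset() {
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 110 deny ip from any to 127.0.0.0/8
add 120 deny ip from 127.0.0.0/8 to any
# Policy routing: port-80 traffic from this host to $WEB is handed to
# $NEXT_HOP instead of the default gateway. The IP header is unchanged.
add 10000 fwd $NEXT_HOP tcp from $ME to $WEB dst-port 80 out xmit $LAN_IF
add 65000 allow ip from any to any
EOF
}

# A capture that can see a forwarded packet. Filter on the unchanged IP
# destination and print link-layer addresses (-e): the frame's destination
# MAC is what shows the forward took effect. A filter such as
# "host $NEXT_HOP" matches nothing, because fwd never writes $NEXT_HOP into
# the packet.
capture_cmd() {
    echo "tcpdump -n -e -i $LAN_IF tcp and dst host $WEB and dst port 80"
}

# Load the ruleset only on a host that has ipfw and only as root;
# -f suppresses the confirmation prompt for "flush", -q the per-rule output.
apply_ruleset() {
    if command -v ipfw >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        ruleset | ipfw -f -q /dev/stdin
    else
        echo "ipfw not available or not root; ruleset not applied" >&2
        return 1
    fi
}
```

Run `ruleset` to inspect the rules, `apply_ruleset` on the FreeBSD host to load them, and then `eval "$(capture_cmd)"` in a second terminal while generating a request to the web server; rule 10000's counters in `ipfw show` should advance together with the captured frames. The OP's `tcpdump -n host 216.136.204.117` on privatehost is, by the same reasoning, the only filter that could match a forwarded packet in his setup: the fwd target address never appears in the packet, so filtering on it is not a way to see whether the forward happened.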