ipfw fwd problem - FreeBSD 5.3

Aragon Gouveia aragon at phat.za.net
Mon Feb 21 14:36:28 GMT 2005


Hi,

I'm running a 5.3 gateway/proxy.  To it is connected an ADSL modem with the
5.3 box performing the PPPoE, as well as a cisco router on another ethernet
interface.

My default route is out the ADSL line (tun0), but I need to be able to
forward packets matched on the basis of destination port to the cisco
router.

I've been doing this for over a year using ipfw fwd.  However, I recently
upgraded from 4.7 to 5.3 and since then my ruleset no longer works.  I've
torn the ruleset down to just basic divert and fwd rules and just can't seem
to get it behaving as it did before.

My internal LAN interface is rl0.
Interface to cisco router [9.9.9.9] is vx0 [8.8.8.8].
ADSL is connected to rl0, but after PPPoE encap it's tun0.

My rules:

150  divert 8668 tcp from 192.168.0.2 to any dst-port 22 out recv rl0
160  count log tcp from any to 1.2.3.4 dst-port 22
200  fwd log 9.9.9.9 tcp from 8.8.8.8 to any dst-port 22
210  count log tcp from any to 1.2.3.4 dst-port 22


When I ssh from 192.168.0.2 to 1.2.3.4 this is what is logged:


Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 210 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0


I am running PPP with -nat as well as a natd process.  Any packets that are
routed out the ADSL will have their source address rewritten by PPP.  The
separate natd process is aliasing for vx0's address of 8.8.8.8.

From what I can see above, my packets are being rewritten by rule 150 and
they are matching the fwd rule at 200, but they simply aren't being
forwarded as specified in the rule.  Instead they're going via the default
route.  The end result is that the source address is rewritten again by PPP
and, of course, the packet goes out the wrong interface.

Anyone know what's up with this?


Thanks,
Aragon

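Added example, not part of the post: a small Python script that parses ipfw log lines of the form shown above and reconstructs the path of one connection through the ruleset, so that the source-address rewrite by the divert/natd step, the rules that fired, and the interface the packet actually left on can be read off instead of eyeballed. It assumes the FreeBSD 5.x ipfw log layout `ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <iface>` (free-text action such as "Count", "Forward to 9.9.9.9", "Divert 8668"); grouping one connection across the NAT rewrite by destination plus source port is a heuristic that holds for the posted log because the port 1604 was preserved. The sample log embedded in the script is the six lines quoted in the post.

```python
import re
from collections import OrderedDict

# Constructed sample input: the six ipfw log lines quoted in the post above.
SAMPLE_LOG = """\
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 210 Count TCP 192.168.0.2:1604 1.2.3.4:22 in via rl0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 160 Count TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
Feb 21 16:39:57 <security.info> draper kernel: ipfw: 200 Forward to 9.9.9.9 TCP 8.8.8.8:1604 1.2.3.4:22 out via tun0
"""

# Assumed ipfw log body: "<rule> <action...> <proto> <src> <dst> <in|out> via <iface>".
# The action is free text ("Count", "Forward to 9.9.9.9", "Divert 8668", ...),
# so the match is anchored on the trailing "<in|out> via <iface>" instead.
IPFW_RE = re.compile(
    r"ipfw:\s+(?P<rule>\d+)\s+(?P<action>.+?)\s+"
    r"(?P<proto>TCP|UDP|ICMP\S*|P:\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<dir>in|out)\s+via\s+(?P<iface>\S+)\s*$"
)


def split_endpoint(ep):
    """'1.2.3.4:22' -> ('1.2.3.4', 22); an address without a port -> (addr, None)."""
    host, sep, port = ep.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return ep, None


def parse_ipfw_log(text):
    """Return one dict per ipfw log line; lines that are not ipfw logs are skipped."""
    entries = []
    for line in text.splitlines():
        m = IPFW_RE.search(line)
        if not m:
            continue
        src_ip, src_port = split_endpoint(m.group("src"))
        dst_ip, dst_port = split_endpoint(m.group("dst"))
        entries.append({
            "rule": int(m.group("rule")),
            "action": m.group("action"),
            "proto": m.group("proto"),
            "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port,
            "dir": m.group("dir"),
            "iface": m.group("iface"),
        })
    return entries


def flow_key(e):
    """Group packets of one connection across a source-address rewrite.

    Heuristic (assumption): key on destination and source port only, because
    natd / ppp -nat replace the source address but, as in the posted log, kept
    the source port. If aliasing also changes the port, the trace splits in two.
    """
    return (e["proto"], e["dst_ip"], e["dst_port"], e["src_port"])


def trace_flows(entries):
    """Ordered mapping flow -> list of (rule, action, src_ip, dir, iface) hops."""
    flows = OrderedDict()
    for e in entries:
        flows.setdefault(flow_key(e), []).append(
            (e["rule"], e["action"], e["src_ip"], e["dir"], e["iface"]))
    return flows


def source_addresses(hops):
    """Distinct source addresses in order of appearance: shows where NAT rewrote the packet."""
    seen = []
    for _, _, src, _, _ in hops:
        if src not in seen:
            seen.append(src)
    return seen


def egress_interfaces(hops):
    """Interfaces on which the flow was logged leaving the box."""
    return {iface for _, _, _, d, iface in hops if d == "out"}


def fwd_rules_fired(hops):
    """Rule numbers whose logged action was a fwd ('Forward to <addr>')."""
    return sorted({rule for rule, action, _, _, _ in hops
                   if action.startswith("Forward to ")})


if __name__ == "__main__":
    for key, hops in trace_flows(parse_ipfw_log(SAMPLE_LOG)).items():
        print("flow", key)
        for hop in hops:
            print("   rule %d %-22s src %-13s %s via %s" % hop)
        print("   source addrs:", source_addresses(hops))
        print("   fwd rules   :", fwd_rules_fired(hops))
        print("   egress ifs  :", sorted(egress_interfaces(hops)))
```

Run on the posted lines, the trace shows one flow whose source changes from 192.168.0.2 to 8.8.8.8 between the inbound and outbound passes, rule 200 firing twice, and tun0 as the only egress interface ever logged, which is the mismatch the post describes; running the same script over a longer log window (or with `ipfw -a list` counters alongside) is an easy way to confirm whether vx0 ever appears as an egress interface for such a flow.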
