Date: Fri, 2 Aug 2002 23:34:57 -0700
From: "Crist J. Clark"
To: Matt Abraham
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: "ipfw fwd" not working without static route?
Message-ID: <20020803063457.GB47529@blossom.cjclark.org>
References: <20020801231035.B31318@rfc-networks.ie>
X-URL: http://people.freebsd.org/~cjc/

On Fri, Aug 02, 2002 at 09:53:28AM -0400, Matt Abraham wrote:
> On Thu, 1 Aug 2002 23:10:35 +0000
> Philip Reynolds wrote:
> > Matt Abraham 21 lines of wisdom included:
> > > I'm trying to forward all packets from a privately addressed
> > > machine (172.17.1.5) to a gateway via a FreeBSD box running
> > > ipfw. Here's the ipfw directive:
> > >
> > > fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any
> > >
> > > Now when I ping public address a.b.c.d from 172.17.1.5, I
> > > get a "Destination Host Unreachable." When I try to ping
> > > this same address from the FreeBSD box, I get a "No route to
> > > host" message. Adding a static route, however, solves the
> > > problem:
> > >
> > > route add -net a.b.c.d 192.169.215.15
> > >
> > > ...so now I can ping from both 172.17.1.5 and my FreeBSD
> > > firewall! Of course, having to add routes sort of defeats
> > > the ipfw fwd command, doesn't it?

[snip]

> Now the use of static routes becomes problematic because the
> route now only applies to packets that match a certain
> criteria, namely having a source address of 172.17.1.5. If I
> modify the netmasks on the box (and not use ipfw fwd), I
> change the behaviour for all packets coming through... not
> what I want to do.

I believe you can do what you want to do. The 'fwd' directive will
override the routing for a packet, BUT there must be a valid route for
the packet too. The issue is where ipfw(8) and the routing decision
occur in the network stack. The routing decision is made before the
packet gets sent to ipfw(8). Since there is no route for the packet, the
kernel gives the 'no route to host.' The 'fwd' routing would have later
clobbered the original routing choice, but you need to have a route
before you get this far. You can just add a bogus route (e.g. a default
route that goes anywhere, as long as it leaves the machine), and your
'fwd' should work how you want.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
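The ordering Crist describes (route lookup first, ipfw second, with 'fwd' replacing the next hop the lookup already chose) is easy to get wrong when reasoning about a rule set, so here is a small model of it. This is an added example, not code from the list thread or from FreeBSD's network stack; the routing table, the 198.51.100.7 stand-in for a.b.c.d, and the 192.168.215.1 next hop used for the "bogus" default route are all constructed for illustration. It reproduces both halves of the thread: with only connected routes the packet from 172.17.1.5 fails before the 'fwd' rule is ever consulted, and once any default route exists the 'fwd' rule sends that host to 192.168.215.15 while every other host follows the default route. That last point is the caveat to check before adding the bogus route on a real box: it is live for all traffic that does not match a 'fwd' rule, so pick a harmless next hop or pair it with a deny rule for the traffic you do not want to leave that way.

```python
import ipaddress


class NoRouteToHost(Exception):
    """Stands in for the kernel's 'No route to host' (EHOSTUNREACH)."""


# Constructed routing table: (prefix, next hop or interface). Only the two
# directly connected networks are present, so a public destination has no
# route, which is the situation in the thread.
CONNECTED_ROUTES = [
    ("172.17.1.0/24", "link#1"),
    ("192.168.215.0/24", "link#0"),
]

# Constructed ipfw rule set, mirroring the rule in the thread (the 'log'
# options do not affect the decision and are omitted), followed by an
# explicit allow-all so the default rule never decides here.
RULES = [
    {"action": "fwd", "nexthop": "192.168.215.15",
     "src": "172.17.1.5/32", "dst": "0.0.0.0/0"},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "0.0.0.0/0"},
]


def lookup_route(routes, dst):
    """Longest-prefix match over the routing table, which the kernel runs
    before ipfw sees the packet. Raises NoRouteToHost when nothing matches."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        raise NoRouteToHost(f"no route to host {dst}")
    return best[1]


def has_route(routes, dst):
    """True when the routing table alone can deliver dst somewhere."""
    try:
        lookup_route(routes, dst)
        return True
    except NoRouteToHost:
        return False


def ipfw_match(rules, src, dst):
    """First matching rule wins, as in ipfw(8). With no match, fall back to
    deny, which is what the default rule 65535 does on a stock kernel."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (src in ipaddress.ip_network(rule["src"])
                and dst in ipaddress.ip_network(rule["dst"])):
            return rule
    return {"action": "deny"}


def route_packet(routes, rules, src, dst):
    """Model of the ordering described in the reply: route lookup first,
    ipfw second, with a 'fwd' rule replacing the next hop the lookup chose.
    Returns the next hop the packet is handed to."""
    nexthop = lookup_route(routes, dst)   # no route: fails before ipfw runs
    rule = ipfw_match(rules, src, dst)
    if rule["action"] == "deny":
        raise PermissionError("denied by ipfw")
    if rule["action"] == "fwd":
        return rule["nexthop"]            # fwd clobbers the routing choice
    return nexthop


if __name__ == "__main__":
    public = "198.51.100.7"   # constructed stand-in for a.b.c.d
    try:
        route_packet(CONNECTED_ROUTES, RULES, "172.17.1.5", public)
    except NoRouteToHost as err:
        print("without any route:", err)
    # The fix from the reply: any route that leaves the box will do. The
    # next hop 192.168.215.1 is an assumption; it only has to be reachable.
    routes = CONNECTED_ROUTES + [("0.0.0.0/0", "192.168.215.1")]
    print("172.17.1.5 goes via", route_packet(routes, RULES, "172.17.1.5", public))
    print("172.17.1.9 goes via", route_packet(routes, RULES, "172.17.1.9", public))
```

Running the block prints the 'no route to host' case first, then shows 172.17.1.5 leaving via 192.168.215.15 and 172.17.1.9 leaving via the default route, which is exactly the "only packets matching the rule are affected" behaviour Matt was after, provided the default route itself is acceptable for everything else.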