From owner-freebsd-current@FreeBSD.ORG Mon Aug 30 10:32:19 2004
From: Oliver Brandmueller
To: Andre Oppermann
cc: current@freebsd.org
Date: Mon, 30 Aug 2004 12:32:16 +0200
Subject: Re: RELENG_5 ipfw problem
Message-ID: <20040830103216.GA51110@e-Gitt.NET>
In-Reply-To: <412F5307.5040005@freebsd.org>

Hello.

On Fri, Aug 27, 2004 at 05:28:07PM +0200, Andre Oppermann wrote:
> It detects a missing dummynet because it has to pass on configuration
> options to dummynet and it can only do that if dummynet is loaded. For
> FORWARD this is not the case. Here the ipfw code just tags the packet
> for later treatment. And that later treatment is scattered through a
> few places where we have to inspect each packet to see whether it carries this tag.
>
> > - How to enable it?
>
> Put "option IPFIREWALL_FORWARD" into your kernel configuration file and
> recompile.
I now have IPFIREWALL and IPFIREWALL_FORWARD in the kernel and am not
loading it as a module anymore. The dmesg now states:

ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled

OK, fine. But I do still have a problem: the rule is loaded and matched.
Instead of just dropping the packet (as before, when rule-based forwarding
was disabled) the packets are now accepted, but the forwarding does not
work:

00200 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.0/24

I still see this on em0 (the public interface in the destination network
mentioned in rule 200):

12:26:09.674295 IP 192.168.25.5.smtp > 213.XXX.XXX.XXX.41424: S 3583621218:3583621218(0) ack 3993419222 win 65535

# ipfw show
00200 2694 118536 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 213.XXX.XXX.0/24

Packets are accepted, but not forwarded. Can anyone else reproduce this?

- Oliver

--
| Oliver Brandmueller | Offenbacher Str. 1 | Germany D-14197 Berlin |
| Fon +49-172-3130856 | Fax +49-172-3145027 | WWW: http://the.addict.de/ |
| I am the Internet. As surely as I help God. |
| Commercial use of any addresses contained herein is not permitted! |
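A small diagnostic for the two checks this thread turns on, added here as an example; it is not code from the thread or from FreeBSD. It assumes the ipfw2 init line and the "ipfw show" column layout shown above, and its sample input is constructed, with the documentation prefix 203.0.113.0/24 standing in for the redacted destination network.

```shell
#!/bin/sh
# Added example, not code from the thread. Parses the ipfw init line from
# dmesg and the output of "ipfw show" (both constructed below) to report
# whether the kernel was built with IPFIREWALL_FORWARD and which fwd rules
# are actually matching packets.

# Succeeds when the ipfw init line reports rule-based forwarding enabled.
ipfw_fwd_enabled() {
    printf '%s\n' "$1" | grep -q 'ipfw2 initialized.*rule-based forwarding enabled'
}

# One "<rule> <packets> <next-hop>" line per fwd rule in "ipfw show" output.
# "ipfw show" columns are: rule number, packets, bytes, action, action argument, ...
ipfw_fwd_rules() {
    printf '%s\n' "$1" | awk '$4 == "fwd" { print $1, $2, $5 }'
}

# Number of fwd rules whose packet counter is non-zero.
ipfw_fwd_hit_count() {
    ipfw_fwd_rules "$1" | awk '$2 > 0 { n++ } END { print n + 0 }'
}

# Combined report: kernel support first, then per-rule counters.
ipfw_fwd_report() {
    if ipfw_fwd_enabled "$1"; then
        echo "kernel: rule-based forwarding enabled (IPFIREWALL_FORWARD built in)"
    else
        echo "kernel: rule-based forwarding disabled; fwd rules cannot take effect"
    fi
    ipfw_fwd_rules "$2" | while read -r rule pkts nexthop; do
        echo "rule $rule: $pkts packets matched, next hop $nexthop"
    done
}

# Constructed sample input modelled on the report above; 203.0.113.0/24
# (a documentation prefix) stands in for the redacted 213.XXX.XXX.0/24.
SAMPLE_DMESG='ipfw2 initialized, divert disabled, rule-based forwarding enabled, default to deny, logging disabled'
SAMPLE_SHOW='00100 12 960 allow ip from any to any via lo0
00200 2694 118536 fwd 192.168.25.1 tcp from 192.168.25.5 25 to 203.0.113.0/24
00300 0 0 fwd 192.168.25.1 tcp from 192.168.25.5 80 to 203.0.113.0/24
65535 4321 654321 deny ip from any to any'

ipfw_fwd_report "$SAMPLE_DMESG" "$SAMPLE_SHOW"
```

On a live system the two arguments would come from `dmesg | grep ipfw2` and `ipfw show`; a fwd rule with a climbing packet counter on a kernel that reports forwarding disabled is the mismatch the thread describes.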