From: "H.fazaeli" <fazaeli@sepehrs.com>
Date: Mon, 09 Jun 2008 14:43:42 +0430
To: David Martens
Cc: freebsd-ipfw@freebsd.org
Subject: Re: fwd problem
Message-ID: <484D0256.6000108@sepehrs.com>
List-Id: IPFW Technical Discussions

. On the gateway, place the fwd rule before the divert rule.
. Run tcpdump and 'ipfw -a list' on the __proxy__ and see whether packets really reach the proxy/squid or not.

A network diagram would be helpful in case the problem still persists.

David Martens wrote:
> I've taken H.Fazaeli's suggestion and moved the proxy to the same
> class C as the gateway with no change.
>
> So now my rule set on the gateway is:
>
> 00100 allow ip from any to any via lo0
> 00110 deny ip from any to 127.0.0.0/8 via en0
> 00800 divert 8668 ip from any to any via en0
> 00850 deny ip from any to any in frag
> 00890 allow ip from any to 192.168.0.2
> 00990 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
>
> And on the proxy:
>
> 00080 allow tcp from any to any out
> 00100 fwd 127.0.0.1,8082 tcp from 192.168.1.60 to any dst-port 80
>
> For testing purposes I've set the forward to only a single IP
> address. Eventually this will be set to the entire /22 subnet.
>
> A tcpdump on the LAN interface on the gateway indicates traffic from
> 192.168.1.60, and the fwd rule increments, but the packets don't make it
> to the proxy. They are not dropped; the requested web pages load fine
> in the browser, just no proxy.
>
> On Jun 5, 2008, at 2:46 AM, H.fazaeli wrote:
>
>> This is what is happening:
>>
>> 1. The client's packet matches the fwd rule on the gateway.
>> 2. The gateway tries to fwd the packet to 192.168.3.2. For this, it should
>>    replace the destination MAC address with that of the proxy (192.168.3.22).
>> 3. The gateway fails to obtain the proxy's MAC address, since it is not on the
>>    same subnet as the proxy (it cannot use ARP).
>> 4. The fwd rule drops the packet.
>>
>> FIX: assign a 192.168.3.XXX address to the gateway's interface
>> from which the proxy is supposed to be reachable.
>>
>> David Martens wrote:
>>> I'm trying to set up a transparent proxy using two machines, the
>>> gateway and the proxy. The proxy is 192.168.3.22 and is listening
>>> on port 8082. The gateway is 192.168.0.1, subnet is 255.255.252.0
>>> so everything is on the same subnet.
>>>
>>> I set the following rules on the gateway:
>>>
>>> 00100 allow ip from any to any via lo0
>>> 00110 deny ip from any to 127.0.0.0/8 via en0
>>> 00800 divert 8668 ip from any to any via en0
>>> 00850 deny ip from any to any in frag
>>> 00990 fwd 192.168.3.22 tcp from 192.168.1.0/24 to any 80
>>>
>>> When I get a packet count (ipfw -a list), rule 990 increments when I
>>> try to access a web page.
>>>
>>> On the proxy box I have the following rules:
>>>
>>> 00100 allow tcp from 192.168.3.22 to any
>>> 00110 fwd 127.0.0.1,8082 tcp from 192.168.0.1/22 to any dst-port 80
>>>
>>> Rule 110 never receives any forwarded packets. Any ideas what I've
>>> done wrong here? The HTTP requests do go out, but are not forwarded
>>> through the proxy.

-- 

Best regards.

Hooman Fazaeli
Sepehr S. T. Co. Ltd.

Web: http://www.sepehrs.com
Tel: (9821)88975701-2
Fax: (9821)88983352

_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
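As an added example (not from the thread or from the ipfw project), the following script automates the two checks suggested above: it parses `ipfw -a list` style output (rule number, packet count, byte count, rule body) and flags fwd rules that sit after a divert rule, as well as fwd rules whose packet counter never moved. The sample rule set is constructed to mirror the gateway rules quoted in the thread; the counters are invented.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of `ipfw -a list` output on the gateway:
# rule number, packet count, byte count, then the rule body. Counters are made up.
GATEWAY_RULES = """\
00100    42     3360 allow ip from any to any via lo0
00110     0        0 deny ip from any to 127.0.0.0/8 via en0
00800  9817  7412388 divert 8668 ip from any to any via en0
00850     0        0 deny ip from any to any in frag
00890    17     1260 allow ip from any to 192.168.0.2
00990   311    18660 fwd 192.168.0.2 tcp from 192.168.1.60 to any 80
"""

RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    number: int
    pkts: int
    action: str   # first word of the rule body: allow, deny, divert, fwd, ...
    body: str     # the rest of the rule text


def parse_ipfw_list(text):
    """Parse `ipfw -a list` lines into Rule objects; lines that do not match are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append(Rule(int(m[1]), int(m[2]), m[4], m[5]))
    return rules


def audit(rules):
    """Return findings for fwd rules: placed after a divert rule (ordering
    problem raised in the thread) or never matched by any packet."""
    findings = []
    first_divert = next((r.number for r in rules if r.action == "divert"), None)
    for r in rules:
        if r.action != "fwd":
            continue
        if first_divert is not None and r.number > first_divert:
            findings.append(f"rule {r.number:05d}: fwd comes after divert rule "
                            f"{first_divert:05d}; move it before the divert")
        if r.pkts == 0:
            findings.append(f"rule {r.number:05d}: fwd rule has never matched a packet")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ipfw_list(GATEWAY_RULES)):
        print(finding)
```

On a live box the same checks can be run by piping `ipfw -a list` into `parse_ipfw_list`; the proxy's rule set can be audited the same way to see whether its fwd rule ever received the redirected packets.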