Date:      Mon, 22 Sep 2008 01:04:19 +0400
From:      Roman Kurakin <rik@inse.ru>
To:        Pawel Jakub Dawidek <pjd@FreeBSD.org>
Cc:        freebsd-net@FreeBSD.org
Subject:   Re: Firewall redirect doesn't work any more...
Message-ID:  <48D6B6D3.7000306@localhost.inse.ru>
In-Reply-To: <20080919075633.GA4333@garage.freebsd.pl>
References:  <20080919075633.GA4333@garage.freebsd.pl>

Pawel Jakub Dawidek wrote:
> ...or am I missing something?
>
> I've a box running:
>
> FreeBSD whiplash.wheel.pl 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23 11:41:31 CEST 2008 root@puppet.wheel.pl:/usr/obj/usr/src/sys/WHIPLASH  i386
>
> I'm also running PF in there with the following rule:
>
> rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88
>
> When I connect from 10.0.1.9 to 10.0.0.2:88 I can see the redirected packet
> leaving the box:
>
> IP 10.0.1.9.43210 > 10.0.0.2.88: S [...]
> IP 10.0.1.9.43210 > 10.0.5.123.88: S [...]
>
> Ok. Now I've a box running:
>
> FreeBSD bridge.wheel.pl 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Thu Sep 11 13:59:06 CEST 2008 root@bridge.wheel.pl:/usr/obj/usr/src/sys/BRIDGE  i386
>
> And the following PF rule:
>
> rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88
>
> When I connect from 10.0.0.2 to 10.0.5.123:88 I no longer see the redirected
> packet leaving the box:
>
> IP 10.0.0.2.60806 > 10.0.5.123.88: S [...]
>
> I tried to redirect the packet on the second box with IPFW, but it also failed
> (yes, IPFIREWALL_FORWARD was compiled in).
>
> Did something get broken or am I missing some configuration hint?
>
Could it be that the box you are trying to connect from is 10.0.0.2?
If this is the case, then the problem is that the rdr rule works only for
packets which hit the interface from outside, i.e. the interface on which
the rule is set should be incoming for the packets, not outgoing.

rik



