Date:      Fri, 15 Feb 2002 18:09:51 -0500
From:      "Michael R. Wayne" <wayne@staff.msen.com>
To:        freebsd-hackers@FreeBSD.ORG
Subject:   Odd ipfw behaviour
Message-ID:  <200202152309.SAA00831@manor.msen.com>

ipfw seems to be confused about where to forward packets if no
interface is specifically mentioned.  Before I file a PR
on it, I'd like someone who is more familiar with how ipfw 
operates to quickly look over my findings.

Test setup, showing 2 ethernets with 2 FreeBSD boxes and another
machine running Netscape:

+-------Netscape		BROWSERbox
+-------squid			SQUIDbox
+-------4.5 Release------+	ProxyFirewall
            router-------+
	      |
	    internet

The internal net on ProxyFirewall is fxp1, external net is fxp0.
All devices have real IP addresses and correct netmasks; NAT is not
involved.

Using this ipfw rule on ProxyFirewall:
   fwd $(squid-box) log tcp from $(windows-box) to any 80 
and checking the logs on ProxyFirewall, I see this horrible mess:

ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp0	<---!!!
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp1
ipfw: 60000 Deny ICMP:5.1 ProxyFirewall BROWSERbox out via fxp1
ipfw: 60000 Deny ICMP:5.1 ProxyFirewall SQUIDbox out via fxp1
last message repeated 31 times

This, of course, causes terrible performance as the packets destined
for the local net bounce out the default interface.  It can be
corrected by specifying an interface in the fwd rule:
   fwd $(squid-box) log tcp from $(windows-box) to any 80 via fxp1

Is it expected behaviour for ipfw to disregard routing and put
packets out on interfaces where they have no chance of being properly
delivered (which would be odd) or is this a bug?

/\/\ \/\/
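
Added example, not part of the original message: a small Python check that scans ipfw log lines in the format quoted above and reports fwd-rule matches logged leaving on an interface other than the internal one, plus denied ICMP type 5 (redirect) packets per destination. The function names are hypothetical, the sample is the log from the message, and the internal interface is assumed to be fxp1 as the message states.

```python
import re
from collections import Counter

# Sample input: the log lines quoted in the message (annotation removed).
SAMPLE_LOG = """\
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp0
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 in via fxp1
ipfw: 11005 Forward to SQUIDbox TCP BROWSERbox:1631 216.136.204.21:80 out via fxp1
ipfw: 60000 Deny ICMP:5.1 ProxyFirewall BROWSERbox out via fxp1
ipfw: 60000 Deny ICMP:5.1 ProxyFirewall SQUIDbox out via fxp1
last message repeated 31 times
"""

# rule number, action (optionally "Forward to <target>"), proto, src, dst,
# direction and interface; search() tolerates a leading syslog prefix.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Forward to (?P<target>\S+)|\S+) "
    r"(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)"
)

def parse(log_text):
    """One dict per matching line; syslog 'repeated' lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def misrouted_forwards(entries, internal_if):
    """Forward matches logged going out via an interface other than internal_if."""
    return [e for e in entries
            if e["target"] and e["dir"] == "out" and e["iface"] != internal_if]

def denied_redirects(entries):
    """Count denied ICMP type 5 (redirect) packets per destination host."""
    return Counter(e["dst"] for e in entries
                   if e["action"] == "Deny" and e["proto"].startswith("ICMP:5."))

if __name__ == "__main__":
    entries = parse(SAMPLE_LOG)
    for e in misrouted_forwards(entries, internal_if="fxp1"):
        print(f"rule {e['rule']}: fwd to {e['target']} left via {e['iface']}")
    print(dict(denied_redirects(entries)))
```
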
