From owner-freebsd-ipfw@FreeBSD.ORG Mon Nov 26 11:07:00 2007
Date: Mon, 26 Nov 2007 11:07:00 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to freebsd-ipfw@FreeBSD.org

Current FreeBSD problem reports

Critical problems

Serious problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
o kern/51274    ipfw   [ipfw] [patch] ipfw2 create dynamic rules with parent
o kern/73910    ipfw   [ipfw] serious bug on forwarding of packets after NAT
o kern/74104    ipfw   [ipfw] ipfw2/1 conflict not detected or reported, manp
o kern/88659    ipfw   [modules] ipfw and ip6fw do not work properly as modul
o kern/93300    ipfw   [ipfw] ipfw pipe lost packets
o kern/95084    ipfw   [ipfw] [patch] IPFW2 ignores "recv/xmit/via any" (IPFW
o kern/97504    ipfw   [ipfw] IPFW Rules bug
o kern/97951    ipfw   [ipfw] [patch] ipfw does not tie interface details to
o kern/98831    ipfw   [ipfw] ipfw has UDP hickups
o kern/102471   ipfw   [ipfw] [patch] add tos and dscp support
o kern/103454   ipfw   [ipfw] [patch] add a facility to modify DF bit of the
o kern/106534   ipfw   [ipfw] [panic] ipfw + dummynet
o kern/112708   ipfw   ipfw is seems to be broken to limit number of connecti
o kern/117234   ipfw   [ipfw] [patch] ipfw send_pkt() and ipfw_tick() don't s

14 problems total.

Non-critical problems

S Tracker       Resp.  Description
--------------------------------------------------------------------------------
a kern/26534    ipfw   [ipfw] Add an option to ipfw to log gid/uid of who cau
o kern/46159    ipfw   [ipfw] [patch] ipfw dynamic rules lifetime feature
o kern/48172    ipfw   [ipfw] [patch] ipfw does not log size and flags
o bin/50749     ipfw   [ipfw] [patch] ipfw2 incorrectly parses ports and port
o kern/55984    ipfw   [ipfw] [patch] time based firewalling support for ipfw
o kern/60719    ipfw   [ipfw] Headerless fragments generate cryptic error mes
o kern/69963    ipfw   [ipfw] install_state warning about already existing en
o kern/71366    ipfw   [ipfw] "ipfw fwd" sometimes rewrites destination mac a
o kern/72987    ipfw   [ipfw] ipfw/dummynet pipe/queue 'queue [BYTES]KBytes (
o kern/73276    ipfw   [ipfw] [patch] ipfw2 vulnerability (parser error)
o bin/78785     ipfw   [ipfw] [patch] ipfw verbosity locks machine if /etc/rc
o kern/80642    ipfw   [ipfw] [patch] ipfw small patch - new RULE OPTION
o kern/82724    ipfw   [ipfw] [patch] Add setnexthop and defaultroute feature
o kern/86957    ipfw   [ipfw] [patch] ipfw mac logging
o kern/87032    ipfw   [ipfw] [patch] ipfw ioctl interface implementation
o kern/91847    ipfw   [ipfw] ipfw with vlanX as the device
o kern/103328   ipfw   [ipfw] sugestions about ipfw table
o kern/104682   ipfw   [ipfw] [patch] Some minor language consistency fixes a
o bin/104921    ipfw   [patch] ipfw(8) sometimes treats ipv6 input as ipv4 (a
o kern/105330   ipfw   [ipfw] [patch] ipfw (dummynet) does not allow to set q
o kern/107305   ipfw   [ipfw] ipfw fwd doesn't seem to work
o kern/111713   ipfw   [dummynet] Too few dummynet queue slots
o kern/112561   ipfw   [ipfw] ipfw fwd does not work with some TCP packets
p kern/113388   ipfw   [ipfw][patch] Addition actions with rules within speci
o bin/113803    ipfw   [patch] bin/ipfw.8 - don't get bitten by the fwd rule
o bin/115172    ipfw   [patch] ipfw(8) list show some rules with a wrong form
p kern/115755   ipfw   [ipfw][patch] unify message and add a rule number wher
o kern/116009   ipfw   [ipfw] [patch] Ignore errors when loading ruleset from

28 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 02:29:07 2007
Date: Wed, 28 Nov 2007 13:03:29 +1100
From: "Sam Wun"
To: freebsd-ipfw@freebsd.org
Subject: ipfw forwarding doesn't work - for more than 2 months. --- please help

Hi,

I set up the following ipfw rules in FreeBSD 6.2:

belmore# ipfw list
00001 allow udp from any to any dst-port 500
00001 allow esp from any to any
00001 allow esp from any to any
00001 allow ipencap from any to any
00001 allow ipencap from any to any
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00041 allow tcp from 192.168.1.222 to any out
00050 divert 8668 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00150 allow ip from any to any via rl1
00200 deny ip from any to 127.0.0.0/8
00250 allow ip from any to any via lo0
00300 deny ip from 127.0.0.0/8 to any
00350 allow ip from any to any via gif* keep-state
00450 allow udp from any to any dst-port 53 in keep-state
00550 allow tcp from any to any dst-port 22 in keep-state
00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
00750 allow tcp from any to any dst-port 1080-60000 in keep-state
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
01050 allow tcp from any to any out keep-state
65000 allow ip from any to any
65535 allow ip from any to any

I don't know what is wrong that the FreeBSD server (6.2) can't
redirect/forward http requests to an internal server (web server -
192.168.1.222).

Can anyone please suggest how to modify these rules?
Or can you please post your working ipfw rules that achieve the same goal?
Thanks
S

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 04:09:37 2007
Date: Wed, 28 Nov 2007 11:40:31 +0800
From: "Sepherosa Ziehau"
To: freebsd-ipfw@freebsd.org
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

On Nov 28, 2007 10:03 AM, Sam Wun wrote:
> Hi,
>
> I set up the following ipfw rules in FreeBSD 6.2:
> belmore# ipfw list
> 00001 allow udp from any to any dst-port 500
> 00001 allow esp from any to any
> 00001 allow esp from any to any
> 00001 allow ipencap from any to any
> 00001 allow ipencap from any to any
> 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in

I don't think this does the rdr you intended. Please take a look at
the ipfw manpage.

Best Regards,
sephe

> I don't know what is wrong that the FreeBSD server (6.2) can't
> redirect/forward http requests to an internal server (web server -
> 192.168.1.222).
>
> Can anyone please suggest how to modify these rules?
> Or can you please post your working ipfw rules that achieve the same goal?
>
> Thanks
> S
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"

--
Live Free or Die

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 04:18:33 2007
Date: Wed, 28 Nov 2007 15:18:32 +1100
From: "Sam Wun"
To: "Sepherosa Ziehau"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

I have read the manpages and the FreeBSD handbook more than 20 times.

On Nov 28, 2007 2:40 PM, Sepherosa Ziehau wrote:
> On Nov 28, 2007 10:03 AM, Sam Wun wrote:
> > Hi,
> >
> > I set up the following ipfw rules in FreeBSD 6.2:
> > belmore# ipfw list
> > 00001 allow udp from any to any dst-port 500
> > 00001 allow esp from any to any
> > 00001 allow esp from any to any
> > 00001 allow ipencap from any to any
> > 00001 allow ipencap from any to any
> > 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
>
> I don't think this does the rdr you intended. Please take a look at
> the ipfw manpage.
>
> Best Regards,
> sephe

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 06:12:25 2007
Date: Wed, 28 Nov 2007 14:12:24 +0800
From: "Sepherosa Ziehau"
To: "Sam Wun"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

On Nov 28, 2007 12:18 PM, Sam Wun wrote:
> I have read the manpages and the FreeBSD handbook more than 20 times.

Oh? Then I think you must have read this in the ipfw manpage:
...
     The fwd action does not change the contents of the packet at all.  In
     particular, the destination address remains unmodified, so packets
     forwarded to another system will usually be rejected by that system
     unless there is a matching rule on that system to capture them.
...

Best Regards,
sephe

--
Live Free or Die

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 08:21:22 2007
Date: Wed, 28 Nov 2007 19:21:21 +1100
From: "Sam Wun"
To: "Sepherosa Ziehau"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

On Nov 28, 2007 5:12 PM, Sepherosa Ziehau wrote:
> On Nov 28, 2007 12:18 PM, Sam Wun wrote:
> > I have read the manpages and the FreeBSD handbook more than 20 times.
>
> Oh? Then I think you must have read this in the ipfw manpage:
> ...
> The fwd action does not change the contents of the packet at all. In
> particular, the destination address remains unmodified, so packets
> forwarded to another system will usually be rejected by that system
> unless there is a matching rule on that system to capture them.
> ...
>

OK, I misread that. Does that mean I need to implement a rule on the
internal web server?

I think I just need to install rinet on this FreeBSD router for the
port forwarding.

Thanks

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 08:45:17 2007
Date: Wed, 28 Nov 2007 16:45:15 +0800
From: "Sepherosa Ziehau"
To: "Sam Wun"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

On Nov 28, 2007 4:21 PM, Sam Wun wrote:
> On Nov 28, 2007 5:12 PM, Sepherosa Ziehau wrote:
> > On Nov 28, 2007 12:18 PM, Sam Wun wrote:
> > > I have read the manpages and the FreeBSD handbook more than 20 times.
> >
> > Oh? Then I think you must have read this in the ipfw manpage:
> > ...
> > The fwd action does not change the contents of the packet at all. In
> > particular, the destination address remains unmodified, so packets
> > forwarded to another system will usually be rejected by that system
> > unless there is a matching rule on that system to capture them.
> > ...
> >
> OK, I misread that. Does that mean I need to implement a rule on the
> internal web server?

IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
with the in-kernel NAT.

Best Regards,
sephe

--
Live Free or Die

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 08:51:54 2007
h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=PAwR4nf2KEstE045r4mi3thek9r9s6AFTdFxXWlf0d2XXMarCHtunfcEgQr8NluWVIpz2ilA71AzOFNGp1OJ0RHZEm3zDQiW3Bq0xwSIywVIBgWwP5ZgBKfrx9bjvq7+BqgFWMR3ZigzANNOiSeOdUaNIXnOrtkBN6o7uhbdRi8= Received: by 10.114.66.2 with SMTP id o2mr757050waa.1196239914057; Wed, 28 Nov 2007 00:51:54 -0800 (PST) Received: by 10.115.17.14 with HTTP; Wed, 28 Nov 2007 00:51:54 -0800 (PST) Message-ID: <736c47cb0711280051j63596f22tffce5e734d9712e@mail.gmail.com> Date: Wed, 28 Nov 2007 19:51:54 +1100 From: "Sam Wun" To: "Sepherosa Ziehau" In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <736c47cb0711271803o46dd89d8te49d5969fd358d15@mail.gmail.com> <736c47cb0711272018k1e40b1b7v7edfa1d2b5d50891@mail.gmail.com> <736c47cb0711280021g2ad48ec2g7bdc0246f027c3b6@mail.gmail.com> Cc: freebsd-ipfw@freebsd.org Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help X-BeenThere: freebsd-ipfw@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: IPFW Technical Discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 28 Nov 2007 08:51:55 -0000 On Nov 28, 2007 7:45 PM, Sepherosa Ziehau wrote: > On Nov 28, 2007 4:21 PM, Sam Wun wrote: > > On Nov 28, 2007 5:12 PM, Sepherosa Ziehau wrote: > > > On Nov 28, 2007 12:18 PM, Sam Wun wrote: > > > > I have read the manpages and freebsd handbook more than 20 tiems. > > > > > > Oh? Then I think you must have read this in ipfw manpage: > > > ... > > > The fwd action does not change the contents of the packet at all. In > > > particular, the destination address remains unmodified, so packets > > > forwarded to another system will usually be rejected by that system > > > unless there is a matching rule on that system to capture them. > > > ... 
> >
> > OK, I mis-read that. Does that mean I need to implement a rule in the
> > internal web server?
>
> IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
> with the in-kernel NAT.

Can you suggest where I can add a new divert rule in my current ipfw rule set?

belmore# ipfw list
00001 allow udp from any to any dst-port 500
00001 allow esp from any to any
00001 allow esp from any to any
00001 allow ipencap from any to any
00001 allow ipencap from any to any
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00041 allow tcp from 192.168.1.222 to any out
00050 divert 8668 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00150 allow ip from any to any via rl1
00200 deny ip from any to 127.0.0.0/8
00250 allow ip from any to any via lo0
00300 deny ip from 127.0.0.0/8 to any
00350 allow ip from any to any via gif* keep-state
00450 allow udp from any to any dst-port 53 in keep-state
00550 allow tcp from any to any dst-port 22 in keep-state
00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
00750 allow tcp from any to any dst-port 1080-60000 in keep-state
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
01050 allow tcp from any to any out keep-state
65000 allow ip from any to any
65535 allow ip from any to any

Here is the current rc.conf:

natd_program="/sbin/natd"
natd_enable="yes"
natd_interface="tun0"      # interface name of public Internet NIC
natd_flags="-dynamic -m"   # -m = preserve port numbers if possible
#natd_flags="-f /etc/natd.conf"

and the content of natd.conf:

belmore# cat natd.conf
dynamic yes
redirect_port tcp 192.168.1.222:80 80

Thanks
S

> Best Regards,
> sephe
>
> > I think I just need to install rinet in this freebsd router for the
> > port forwarding.
> > Thanks
> >
> > > Best Regards,
> > > sephe
> > >
> > > > On Nov 28, 2007 2:40 PM, Sepherosa Ziehau wrote:
> > > > > On Nov 28, 2007 10:03 AM, Sam Wun wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I setup the following ipfw rules in freebsd 6.2:
> > > > > > belmore# ipfw list
> > > > > > 00001 allow udp from any to any dst-port 500
> > > > > > 00001 allow esp from any to any
> > > > > > 00001 allow esp from any to any
> > > > > > 00001 allow ipencap from any to any
> > > > > > 00001 allow ipencap from any to any
> > > > > > 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> > > > >
> > > > > I don't think this does the rdr you intended. Please take a look at
> > > > > ipfw manpage.
> > > > >
> > > > > Best Regards,
> > > > > sephe
> > > > >
> > > > > > I don't know what is wrong that the freebsd server (6.2) can't
> > > > > > redirect/forward http request to an internal server (web server -
> > > > > > 192.168.1.222).
> > > > > >
> > > > > > Can anyone please give suggestions to modify these rules?
> > > > > > Or can you please post your workable ipfw rules that achieved the same goal?
> > > > > > Thanks
> > > > > > S
> > > > >
> > > > > --
> > > > > Live Free or Die
> > >
> > > --
> > > Live Free or Die
>
> --
> Live Free or Die

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 09:46:52 2007
Date: Wed, 28 Nov 2007 17:46:15 +0800
From: "Sepherosa Ziehau"
To: "Sam Wun"
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <736c47cb0711280051j63596f22tffce5e734d9712e@mail.gmail.com>
References: <736c47cb0711271803o46dd89d8te49d5969fd358d15@mail.gmail.com>
 <736c47cb0711272018k1e40b1b7v7edfa1d2b5d50891@mail.gmail.com>
 <736c47cb0711280021g2ad48ec2g7bdc0246f027c3b6@mail.gmail.com>
 <736c47cb0711280051j63596f22tffce5e734d9712e@mail.gmail.com>
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

On Nov 28, 2007 4:51 PM, Sam Wun wrote:
> On Nov 28, 2007 7:45 PM, Sepherosa Ziehau wrote:
> > On Nov 28, 2007 4:21 PM, Sam Wun wrote:
> > > On Nov 28, 2007 5:12 PM, Sepherosa Ziehau wrote:
> > > > On Nov 28, 2007 12:18 PM, Sam Wun wrote:
> > > > > I have read the manpages and freebsd handbook more than 20 times.
> > > >
> > > > Oh? Then I think you must have read this in ipfw manpage:
> > > > ...
> > > > The fwd action does not change the contents of the packet at all.
> > > > In particular, the destination address remains unmodified, so packets
> > > > forwarded to another system will usually be rejected by that system
> > > > unless there is a matching rule on that system to capture them.
> > > > ...
> > >
> > > OK, I mis-read that. Does that mean I need to implement a rule in the
> > > internal web server?
> >
> > IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
> > with the in-kernel NAT.
>
> Can you suggest where I can add a new divert rule in my current ipfw rule set?
> belmore# ipfw list
> 00001 allow udp from any to any dst-port 500
> 00001 allow esp from any to any
> 00001 allow esp from any to any
> 00001 allow ipencap from any to any
> 00001 allow ipencap from any to any

The following three rules are not necessary. Depending on your need, you
may also want to reconstruct the rules after the divert one.

> 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> 00040 allow tcp from any to 220.233.24.213 dst-port 80 in
> 00041 allow tcp from 192.168.1.222 to any out
> 00050 divert 8668 ip4 from any to any via tun0
> 00100 allow ip from any to any via lo0
> 00150 allow ip from any to any via rl1
> 00200 deny ip from any to 127.0.0.0/8
> 00250 allow ip from any to any via lo0
> 00300 deny ip from 127.0.0.0/8 to any
> 00350 allow ip from any to any via gif* keep-state
> 00450 allow udp from any to any dst-port 53 in keep-state
> 00550 allow tcp from any to any dst-port 22 in keep-state
> 00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
> 00750 allow tcp from any to any dst-port 1080-60000 in keep-state
> 00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
> 00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
> 01050 allow tcp from any to any out keep-state
> 65000 allow ip from any to any
> 65535 allow ip from any to any
>
> Here is the current rc.conf:
> natd_program="/sbin/natd"
> natd_enable="yes"
> natd_interface="tun0"      # interface name of public Internet NIC
> natd_flags="-dynamic -m"   # -m = preserve port numbers if possible
> #natd_flags="-f /etc/natd.conf"
>
> and the content of natd.conf:
> belmore# cat natd.conf
> dynamic yes
> redirect_port tcp 192.168.1.222:80 80
>
> Thanks
> S
>
> > Best Regards,
> > sephe
> >
> > > I think I just need to install rinet in this freebsd router for the
> > > port forwarding.
> > >
> > > Thanks
> > >
> > > > Best Regards,
> > > > sephe
--
Live Free or Die

From owner-freebsd-ipfw@FreeBSD.ORG Wed Nov 28 10:39:39 2007
Message-ID: <474D3EC5.5070102@netconsultoria.com.br>
Date: Wed, 28 Nov 2007 08:11:17 -0200
From: "Tobias P. Santos"
To: Sam Wun
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <736c47cb0711271803o46dd89d8te49d5969fd358d15@mail.gmail.com>
References: <736c47cb0711271803o46dd89d8te49d5969fd358d15@mail.gmail.com>
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help

Sam Wun wrote:
> Hi,
>
> I setup the following ipfw rules in freebsd 6.2:
> belmore# ipfw list
> 00001 allow udp from any to any dst-port 500
> 00001 allow esp from any to any
> 00001 allow esp from any to any
> 00001 allow ipencap from any to any
> 00001 allow ipencap from any to any
> 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in

Try to remove the "in" keyword on rule 20 and see if it works.

Regards,
Tobias.
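Editor's note with an added example; the code below is not part of the thread and not FreeBSD code. The answer the thread arrives at is that "fwd" picks a next hop but leaves the IP header alone, so 192.168.1.222 receives a packet still addressed to 220.233.24.213 and does not accept it, whereas natd's "redirect_port tcp 192.168.1.222:80 80" (or, on FreeBSD 7 with a kernel built with IPFIREWALL_NAT, "ipfw nat 1 config if tun0 same_ports redirect_port tcp 192.168.1.222:80 80" plus "ipfw add 50 nat 1 ip4 from any to any via tun0") rewrites the destination on the way in and the source on the way back. Two further details are visible in the posted listing and configuration and would defeat the redirect even after Sepherosa's advice is followed. First, rules 20 and 40 both match inbound port-80 traffic and both are terminal actions, so an inbound packet is forwarded or allowed untranslated before it ever reaches the divert at rule 50; the divert has to come before anything that accepts the untranslated packet. Second, rc.conf sets natd_flags="-dynamic -m" and the "-f /etc/natd.conf" line is commented out, so natd is never told about the redirect_port directive; either uncomment the -f line or add "-redirect_port tcp 192.168.1.222:80 80" to natd_flags. With the in-kernel nat action, set net.inet.ip.fw.one_pass=0 if the rules after the nat rule are meant to filter the translated packet. The Python below is a teaching model of exactly these behaviours (fwd leaving the destination unchanged, redirect_port rewriting it and restoring it on the reply, and first-match rule ordering) on constructed packets; the client address 203.0.113.7 is made up, and nothing here is an ipfw or natd implementation.

```python
"""ipfw 'fwd' vs natd 'redirect_port', modelled on the addresses in the thread.

Added example for this archive page; not code from the thread or from FreeBSD.
220.233.24.213 and 192.168.1.222 come from the posted rules, the client address
is constructed, and this is a teaching model, not an ipfw or natd implementation.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple

PUBLIC_IP = "220.233.24.213"   # router's tun0 address (posted rules)
WEB_SERVER = "192.168.1.222"   # internal web server (posted rules)
CLIENT = "203.0.113.7"         # constructed Internet client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str = "tun0"
    direction: str = "in"
    next_hop: Optional[str] = None   # set by fwd; the receiving host never sees it


def ipfw_fwd(pkt: Packet, to: str) -> Packet:
    """'fwd to' changes only the next hop; per ipfw(8) the destination
    address remains unmodified."""
    return replace(pkt, next_hop=to)


def host_accepts(host_ip: str, pkt: Packet, listen_port: int = 80) -> bool:
    """A plain host accepts only packets addressed to itself, which is why
    the manpage says a fwd'ed packet is usually rejected by that system."""
    return pkt.dst == host_ip and pkt.dport == listen_port


class Natd:
    """Minimal natd(8)-style 'redirect_port tcp target:port alias_port': rewrite
    the destination of inbound packets, restore alias address and port on the reply."""

    def __init__(self, alias_ip: str, redirects: Dict[int, Tuple[str, int]]):
        self.alias_ip = alias_ip
        self.redirects = redirects   # alias_port -> (target_ip, target_port)
        self._sessions: Dict[Tuple[str, int, str, int], int] = {}

    def inbound(self, pkt: Packet) -> Packet:
        if pkt.dst == self.alias_ip and pkt.dport in self.redirects:
            target_ip, target_port = self.redirects[pkt.dport]
            self._sessions[(target_ip, target_port, pkt.src, pkt.sport)] = pkt.dport
            return replace(pkt, dst=target_ip, dport=target_port)
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        session = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if session in self._sessions:
            return replace(pkt, src=self.alias_ip, sport=self._sessions[session])
        return pkt


# ipfw walks rules in number order and stops at the first matching terminal
# action; fwd, allow and divert are all terminal.
Rule = Tuple[int, str, Callable[[Packet], bool]]


def first_match(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    for number, action, matches in sorted(rules, key=lambda r: r[0]):
        if matches(pkt):
            return number, action
    return 65535, "allow"   # default rule in the posted set


def _http_to_public(p: Packet) -> bool:
    return p.dst == PUBLIC_IP and p.dport == 80 and p.direction == "in"


# Rules 20, 40, 50 as posted: inbound port 80 matches 20 (or 40 without it)
# before the divert, so natd never sees the packet.
POSTED_RULES: List[Rule] = [
    (20, "fwd", _http_to_public),
    (40, "allow", _http_to_public),
    (50, "divert", lambda p: p.iface == "tun0"),
]
# Divert first and no fwd; filter the already translated packet afterwards.
FIXED_RULES: List[Rule] = [
    (50, "divert", lambda p: p.iface == "tun0"),
    (850, "allow", lambda p: p.dst == WEB_SERVER and p.dport == 80),
]


def fwd_outcome() -> bool:
    """Rule 20 as posted: the server receives a packet still addressed to PUBLIC_IP."""
    syn = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    return host_accepts(WEB_SERVER, ipfw_fwd(syn, WEB_SERVER))


def redirect_outcome() -> Tuple[bool, Packet, Packet]:
    """natd with 'redirect_port tcp 192.168.1.222:80 80' seeing both directions."""
    natd = Natd(PUBLIC_IP, {80: (WEB_SERVER, 80)})
    syn = natd.inbound(Packet(CLIENT, 40000, PUBLIC_IP, 80))
    reply = natd.outbound(Packet(WEB_SERVER, 80, CLIENT, 40000, direction="out"))
    return host_accepts(WEB_SERVER, syn), syn, reply


if __name__ == "__main__":
    probe = Packet(CLIENT, 40000, PUBLIC_IP, 80)
    print("fwd accepted by web server:", fwd_outcome())
    print("redirect_port accepted:", redirect_outcome()[0])
    print("posted rules hit:", first_match(POSTED_RULES, probe))
    print("fixed rules hit:", first_match(FIXED_RULES, probe))
```

Running it shows the fwd case rejected, the redirect_port case accepted with the reply carrying 220.233.24.213:80 as its source again, and the posted ordering stopping at rule 20 (rule 40 if 20 is deleted) while the reordered set reaches the divert. The same first-match reasoning applies to the real rule set: "ipfw show" counters on rules 20, 40 and 50 will tell you which rule is actually consuming the inbound SYNs.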