From owner-freebsd-stable Sat Mar  3 18:12:04 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from gatekeeper.tsc.tdk.com (gatekeeper.tsc.tdk.com [207.113.159.21])
	by hub.freebsd.org (Postfix) with ESMTP id E94CD37B719
	for ; Sat, 3 Mar 2001 18:12:01 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from imap.gv.tsc.tdk.com (imap.gv.tsc.tdk.com [192.168.241.198])
	by gatekeeper.tsc.tdk.com (8.8.8/8.8.8) with ESMTP id SAA00514;
	Sat, 3 Mar 2001 18:11:59 -0800 (PST)
	(envelope-from gdonl@tsc.tdk.com)
Received: from salsa.gv.tsc.tdk.com (salsa.gv.tsc.tdk.com [192.168.241.194])
	by imap.gv.tsc.tdk.com (8.9.3/8.9.3) with ESMTP id SAA58705;
	Sat, 3 Mar 2001 18:11:59 -0800 (PST)
	(envelope-from Don.Lewis@tsc.tdk.com)
Received: (from gdonl@localhost)
	by salsa.gv.tsc.tdk.com (8.8.5/8.8.5) id SAA24825;
	Sat, 3 Mar 2001 18:11:58 -0800 (PST)
From: Don Lewis
Message-Id: <200103040211.SAA24825@salsa.gv.tsc.tdk.com>
Date: Sat, 3 Mar 2001 18:11:58 -0800
In-Reply-To: <20010303203733.A49750@palomine.net>
References: <20010303203733.A49750@palomine.net>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Chris Johnson, stable@FreeBSD.ORG
Subject: Re: Did ipfw fwd just break?
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mar 3, 8:37pm, Chris Johnson wrote:
} Subject: Did ipfw fwd just break?
}
} For a long time I've been running a transparent SMTP proxy on my firewall,
} using this rule:
}
} ipfw fwd 127.0.0.1 tcp from any to any 25 in recv fxp0
}
} It's always worked just as I expected.
}
} I updated my system today (the previous update was on February 12), and now,
} even though "ipfw show" indicates that the above rule is matching, the
} connection goes right through to its original destination (i.e. it's not
} forwarded to 127.0.0.1) just as if the rule weren't there. Just prior to
} rebooting the newly updated system, the SMTP connections were forwarded to
} 127.0.0.1, exactly according to plan.

I can believe that it got broken by some changes to ip_input.c in the last
few days that were intended to prevent outsiders from connecting to sockets
bound to the loopback interface or an interface on the far side of the host
that the administrator hoped were private.  If you have rev 1.130.2.17 of
ip_input.c, you should be able to disable this check by setting the sysctl
variable net.inet.ip.check_interface to 0.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
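The following is an added illustration, not part of the thread and not the FreeBSD kernel code. It models, in a few lines of Python, the interaction Don Lewis describes: an `ipfw fwd` rule whose counter increments for every SMTP packet arriving on fxp0, and a receiving-interface check in the local-delivery path that refuses to treat 127.0.0.1 as a local destination when the packet did not arrive on lo0. The interface table, the packet, the rule-matching logic and the exact form of the check are all constructed assumptions drawn from the description in the message, not a transcription of ip_input.c rev 1.130.2.17.

```python
"""Toy model of why 'ipfw fwd 127.0.0.1 ... in recv fxp0' can match and yet
not take effect once a receiving-interface check is enabled.

Added illustration only; the mechanism is modelled from the mailing-list
description (an assumption), not copied from the FreeBSD kernel sources."""

from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    recv_if: str  # interface the packet arrived on


# Constructed interface table for the firewall in the thread: the loopback
# address belongs to lo0, the public address (a documentation-range value
# chosen here) belongs to fxp0.
IFADDRS = {"lo0": {"127.0.0.1"}, "fxp0": {"203.0.113.10"}}


@dataclass
class FwdRule:
    """Model of 'ipfw fwd <nexthop> <proto> from any to any <port> in recv <if>'."""
    nexthop: str
    proto: str
    dport: int
    recv_if: str
    matches: int = 0  # what 'ipfw show' would report as the rule's packet count

    def apply(self, pkt: Packet):
        """Return the forwarding next hop if the rule matches, else None."""
        if (pkt.proto == self.proto and pkt.dport == self.dport
                and pkt.recv_if == self.recv_if):
            self.matches += 1
            return self.nexthop
        return None


def owner_interface(addr: str):
    """Which interface owns this address, or None if it is not local."""
    for ifname, addrs in IFADDRS.items():
        if addr in addrs:
            return ifname
    return None


def ip_input(pkt: Packet, rule: FwdRule, check_interface: int) -> str:
    """Decide the packet's fate: 'local' means it is handed to a socket on
    this host (the transparent proxy), 'forward' means it continues toward
    its original destination."""
    nexthop = rule.apply(pkt)
    candidate = nexthop if nexthop is not None else pkt.dst
    owner = owner_interface(candidate)
    if owner is None:
        return "forward"
    # Modelled check (assumption): with check_interface set, an address is
    # accepted as local only if it belongs to the interface the packet came
    # in on.  127.0.0.1 belongs to lo0, the packet arrived on fxp0, so the
    # forwarded destination is rejected and the packet is routed onward.
    if check_interface and owner != pkt.recv_if:
        return "forward"
    return "local"


def simulate(check_interface: int):
    """Run one inbound SMTP packet through the modelled firewall and return
    (rule match count, delivery decision).  Addresses are constructed."""
    rule = FwdRule(nexthop="127.0.0.1", proto="tcp", dport=25, recv_if="fxp0")
    pkt = Packet(src="198.51.100.7", dst="192.0.2.25",
                 proto="tcp", dport=25, recv_if="fxp0")
    decision = ip_input(pkt, rule, check_interface)
    return rule.matches, decision


if __name__ == "__main__":
    for value in (0, 1):
        matches, decision = simulate(value)
        print(f"net.inet.ip.check_interface={value}: "
              f"rule matched {matches} packet(s), decision={decision}")
```

In both runs the rule counter is 1, which is exactly what `ipfw show` reported in the thread; only the delivery decision changes, from `local` with the check off to `forward` with it on. That is why the symptom looks like the rule "isn't there" even though it matches. The check exists to keep hosts on one side of the firewall from reaching sockets bound to loopback or to a far-side interface, so turning it off to restore the proxy trades that protection for the forwarding behaviour; the thread's advice to set `net.inet.ip.check_interface` to 0 applies to the revision it names.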