Date:      Fri, 2 Aug 2002 23:34:57 -0700
From:      "Crist J. Clark" <crist.clark@attbi.com>
To:        Matt Abraham <mailing@novaconnect.net>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: "ipfw fwd" not working without static route?
Message-ID:  <20020803063457.GB47529@blossom.cjclark.org>
In-Reply-To: <web-45259@novaconnect.net>
References:  <20020801231035.B31318@rfc-networks.ie> <web-45259@novaconnect.net>

On Fri, Aug 02, 2002 at 09:53:28AM -0400, Matt Abraham wrote:
> On Thu, 1 Aug 2002 23:10:35 +0000
>  Philip Reynolds <philip.reynolds@rfc-networks.ie> wrote:
> > Matt Abraham <mailing@novaconnect.net> 21 lines of wisdom
> > included:
> > > I'm trying to forward all packets from a privately addressed
> > > machine (172.17.1.5) to a gateway via a FreeBSD box running
> > > ipfw. Here's the ipfw directive:
> > > 
> > > fwd 192.168.215.15 log logamount 10000 ip from 172.17.1.5 to any
> > > 
> > > Now when I ping public address a.b.c.d from 172.17.1.5, I
> > > get a "Destination Host Unreachable." When I try to ping
> > > this same address from the FreeBSD box, I get a "No route to
> > > host" message. Adding a static route, however, solves the
> > > problem:
> > > 
> > > route add -net a.b.c.d 192.169.215.15
> > > 
> > > ...so now I can ping from both 172.17.1.5 and my FreeBSD
> > > firewall! Of course, having to add routes, sort of defeats
> > > the ipfw fwd command, doesn't it?

[snip]

> Now the use of static routes becomes problematic because the
> route now only applies to packets that match a certain
> criteria, namely having a source address of 172.17.1.5. If I
> modify the netmasks on the box (and not use ipfw fwd), I
> change the behaviour for all packets coming through...not
> what I want to do.

I believe you can do what you want to do. The 'fwd' directive will
override the routing for a packet, BUT there must be a valid route for
the packet too. The issue is where ipfw(8) and the routing decision
occur in the network stack. The routing decision is made before the
packet gets sent to ipfw(8). Since there is no route for the packet,
the kernel gives the 'no route to host.' The 'fwd' routing would have
later clobbered the original routing choice, but you need to have a
route before you get this far. You can just add a bogus route (e.g.
default route that goes anywhere as long as it leaves the machine),
and your 'fwd' should work how you want.
-- 
Crist J. Clark                     |     cjclark@alum.mit.edu
                                   |     cjclark@jhu.edu
http://people.freebsd.org/~cjc/    |     cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
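An added example, not from the thread above: a small sh script for the firewall that checks whether the kernel already has a route for the destination before installing the "fwd" rule, and emits a placeholder default route only when it does not, so the route lookup that precedes ipfw(8) succeeds. The rule number 1000, the choice of 192.168.215.15 as the placeholder default gateway and the 203.0.113.7 sample destination are assumptions made here.

```shell
#!/bin/sh
# Added example (not code from the original thread). Assumes FreeBSD
# route(8) and ipfw(8) syntax. Rule number 1000 and the use of the fwd
# next hop as the placeholder default gateway are choices made here.

FWD_NEXTHOP=192.168.215.15   # gateway from the thread
FWD_SOURCE=172.17.1.5        # host whose traffic is being redirected

# Returns 0 if the kernel has any route for $1 (a catch-all default
# counts). The stack does this lookup before the packet reaches ipfw,
# so without it "fwd" never gets a chance to override the next hop.
route_exists() {
    route -n get "$1" >/dev/null 2>&1
}

# Print the commands needed so that "fwd" takes effect for destination $1.
# The placeholder route is emitted only when no route exists; the fwd
# rule is the one quoted in the thread, with an explicit rule number.
fwd_plan() {
    dst=$1
    if ! route_exists "$dst"; then
        # Any route will do: fwd rewrites the next hop afterwards.
        echo "route add default $FWD_NEXTHOP"
    fi
    echo "ipfw add 1000 fwd $FWD_NEXTHOP log logamount 10000 ip from $FWD_SOURCE to any"
}

# 203.0.113.7 is a constructed sample standing in for a.b.c.d.
# Pipe the output into sh on the firewall to apply it.
fwd_plan "${1:-203.0.113.7}"
```

Run as `sh fwd_plan.sh a.b.c.d` to preview the commands, then pipe into `sh` to apply them.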