Date:      Mon, 5 Feb 2001 16:53:21 -0800 (PST)
From:      dima@unixfreak.org
To:        FreeBSD-gnats-submit@freebsd.org
Cc:        cjclark@alum.mit.edu
Subject:   docs/24888: [PATCH] New FAQ entry about inappropriate use of ipfw(8) 'fwd' rules
Message-ID:  <200102060053.f160rLl18271@hornet.unixfreak.org>


>Number:         24888
>Category:       docs
>Synopsis:       [PATCH] New FAQ entry about inappropriate use of ipfw(8) 'fwd' rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 05 17:00:02 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Dima Dorfman
>Release:        FreeBSD 4.2-20010102-STABLE i386
>Organization:
Private
>Environment:

Not relevant.

>Description:

Users new to the ipfw(8) interface often attempt to use ``fwd'' rules
when they should be using NAT; they mistakenly think that ipfw(8) will
rewrite the destination of the forwarded packet, when in fact it does not.
This FAQ entry attempts to explain why their rules don't work as
expected.
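
For readers of this PR, an added worked example (not part of the PR or of
Crist's FAQ text) of what the misguided ``fwd'' rule is usually trying to
achieve, done with NAT as the FAQ recommends: natd(8) rewrites the
destination address of inbound port-21 traffic to 10.0.0.1, which a plain
``fwd'' rule never does. The addresses 10.0.0.1 and host foo come from the
patch's example; the external interface name fxp0 is an assumption.

```conf
# /etc/natd.conf  (constructed example, not from the PR)
# Translate inbound TCP port 21 on the external interface's address to the
# internal host.  Unlike an ipfw(8) "fwd" rule, this rewrites the packet's
# destination address, so 10.0.0.1 receives a packet addressed to itself
# and accepts it instead of dropping it.
redirect_port tcp 10.0.0.1:21 21
```

With that file in place, start natd on the external interface
(`natd -f /etc/natd.conf -n fxp0`, or set `natd_enable`, `natd_interface`
and `natd_flags="-f /etc/natd.conf"` in rc.conf) and put
`ipfw add 50 divert natd ip from any to any via fxp0` ahead of the rest of
the ruleset, so inbound packets on fxp0 reach natd before any ``fwd'' or
``allow'' decision is made; the kernel must be built with
`options IPDIVERT` for the divert socket to exist. Follow it with an
ordinary `allow tcp from any to 10.0.0.1 21` rule so only the redirected
service is reachable on the internal host.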

>How-To-Repeat:

Read -questions.

>Fix:

Apply the following patch to doc/en_US.ISO_8859-1/books/faq/book.sgml.

The actual text was written by Crist J. Clark <cjclark@alum.mit.edu>.
Please credit him in the commit log.

Index: book.sgml
===================================================================
RCS file: /st/src/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.sgml,v
retrieving revision 1.142
diff -u -r1.142 book.sgml
--- book.sgml	2001/02/02 03:16:45	1.142
+++ book.sgml	2001/02/06 00:44:07
@@ -8179,6 +8238,41 @@
               </listitem>
             </itemizedlist></para>
 
+        </answer>
+      </qandaentry>
+
+      <qandaentry>
+        <question id="ipfw-fwd">
+          <para>Why is my &man.ipfw.8; <quote>fwd</quote> rule to redirect a
+            service to another machine not working?</para>
+        </question>
+
+        <answer>
+          <para>Possibly because you want to do network address translation
+            (NAT) and not just forward packets.  A <quote>fwd</quote> rule
+            does exactly what it says; it forwards packets.  It does not
+            actually change the data inside the packet.  Say we have a rule
+            like:</para>
+
+          <screen>01000 fwd <replaceable>10.0.0.1</replaceable> from any to <replaceable>foo 21</replaceable></screen>
+
+          <para>When a packet with a destination address of
+            <replaceable>foo</replaceable> arrives at the machine with this
+            rule, the packet is forwarded to
+            <replaceable>10.0.0.1</replaceable>, but it still has the
+            destination address of <replaceable>foo</replaceable>!  The
+            destination address of the packet is <emphasis>not</emphasis>
+            changed to <replaceable>10.0.0.1</replaceable>.  Most machines
+            would probably drop a packet that they receive with a
+            destination address that is not their own.  Therefore, using a
+            <quote>fwd</quote> rule does not often work the way the user
+            expects.  This behavior is a feature and not a bug.</para>
+
+          <para>See the <link linkend="service-redirect">FAQ about
+            redirecting services</link>, the &man.natd.8; manual, or one of
+            the several port redirecting utilities in the <ulink
+            url="../ports/">ports collection</ulink> for a correct way to do
+            this.</para>
         </answer>
       </qandaentry>
 
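Review bot: the example rule on the `<screen>` line, `01000 fwd 10.0.0.1 from any to foo 21`, has no protocol between the action and `from`; ipfw(8) on 4.x requires one, and a port-qualified destination is only accepted for tcp or udp, so a reader who pastes it gets a syntax error. Suggest `01000 fwd 10.0.0.1 tcp from any to foo 21`. Two smaller points: `linkend="service-redirect"` must match an existing id in book.sgml or the SGML build breaks, so please confirm that entry exists; and the hunk header `@@ -8179,6 +8238,41 @@` puts the new text 59 lines further along for a 35-line addition, which shows the diff was taken against a tree with other local changes, so the patch may need fuzz to apply to revision 1.142.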



>Release-Note:
>Audit-Trail:
>Unformatted:


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200102060053.f160rLl18271>