Date:      Mon, 27 Oct 2008 15:18:22 +0100
From:      "Leander S." <leander.schaefer@gmx.net>
To:        freebsd-ipfw@freebsd.org
Subject:   Portforwarding - still the same issue
Message-ID:  <4905CDAE.7080906@gmx.net>

Roman Kurakin wrote:
> John Hay wrote:
>> On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
>>  
>>> Hi,
>>>
>>> I'm trying to set up something like a HotSpot. The goal is to force 
>>> unregistered users to get redirected to the captive portal site, where 
>>> they'll be able to agree to my licence terms and get some information 
>>> ... etc. ...
>>>
>>> So the fact is I need an IPFW rule which forwards port 80,443,8080 
>>> traffic to another port, i.e. 8080 --> where my Apache will already 
>>> be waiting to serve the captive portal site back to the request.
>>>
>>> So I read the man page and saw something like the fwd rule and the 
>>> kernel option for it - so I added the option - recompiled the kernel 
>>> and gave my firewall the following fwd rule in an extra script:
>>>
>>>       ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,443,8080 in via ${LAN_if}
>>>     
> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add 
> some logging to the rule,
> and add one additional deny rule with logging as the last one.
Uh-oh ...  Can't log right now - have to recompile the kernel first ... 
sorry.
>> You have to catch it where it is going out and not in. Fwd only works
>> when packets are outbound.
I don't think so ?! And what sense would it make? Because think twice 
... I want to fwd incoming HTTP:80 packets to make them look like 
HTTP:8080 packets ... the outgoing ones are uninteresting because it's 
Apache's job to send back website data on port 8080 where it's listening 
anyway.
>>   
> But then how does this work for me?
>
> ipfw  fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 to 172.22.4.254 dst-port 3128 setup in via vr0 keep-state
>
> rik
>> John
>>  
I tried:

[...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me dst-port 80 setup in via ath0 keep-state

as well as this one:

[...] fwd 127.0.0.1,8080 tcp from 192.1.1.0/24 to me src-port 80 dst-port 8080 setup in via ath0 keep-state

^^
But sadly without success - "root$  ipfw show" doesn't show me even 
a single packet going through .... not even blocked ones ... 0 0    ;-)

But here is my scenario again:

127.0.0.1 is my FreeBSD machine where IPFW acts and Apache22 listens on 
port 8080.

192.1.1.0/24 is the ath0 interface where wireless clients will try to 
click http://google:80 BUT accidentally should be fwded & run into my 
PortalSite:8080
192.1.1.1 is the interface's IP address. 192.1.1.1:8080 would also 
bring you to the portal site, as would 127.0.0.1:8080.


Regards,

Leander


