Date:      Sun, 25 Aug 2019 06:21:00 +0700
From:      Eugene Grosbein <eugen@grosbein.net>
To:        Yuri <yuri@rawbw.com>, "freebsd-net@freebsd.org" <freebsd-net@freebsd.org>
Subject:   Re: Trying to understand why the ipfw rules don't work on lo0
Message-ID:  <7b71d9a2-a565-96f2-898a-4ab215a708a4@grosbein.net>
In-Reply-To: <ee056a29-d31a-660d-febb-eb6d8f7b1f70@rawbw.com>
References:  <ee056a29-d31a-660d-febb-eb6d8f7b1f70@rawbw.com>

25.08.2019 5:03, Yuri wrote:

> I'm forwarding TCP connections coming to me on a particular port to the other interface.
> It works fine when the connection originates from the outside host.
> It doesn't work when the connection originates from my own host.
> The description is here: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=239590
> Connections originating from my own host are automatically made on lo0,
> and the same ipfw rule that works on the physical network interface doesn't work on lo0.
> Is this a bug, or am I doing something wrong?

Would you kindly ask questions of this type here first and leave Bugzilla for real bugs please?

As for your question, you should make a habit of using the "log" keyword while debugging ipfw-related problems,
for example:

ipfw add 19001 nat 19001 log tcp from 192.168.5.3 to 192.168.5.3 3100 in recv lo0

This will write useful details to /var/log/security when a packet is matched by the rule.
It will not add anything there if there are no matches. And if there are no matches and the parameters are right,
this generally means that the packet is matched and consumed by some rule above.

I presume your ruleset contains the default rule "100 allow ip from any to any via lo0"
that matches all local packets, so they have no chance to hit your rule.
Try changing 19001 to 90 so it catches packets earlier. If this does not help,
show your full ruleset.
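The rule shadowing described in the reply above, as an added example that is not part of the thread: a small first-match simulator over a subset of ipfw syntax, showing why a "nat" rule numbered 19001 never sees a locally originated packet on lo0 when "100 allow ip from any to any via lo0" sits above it, and why renumbering it to 90 fixes that. The ruleset, packet and rule numbers are constructed for illustration (Yuri's real ruleset is not on the page), and the nat action is modelled as terminal, i.e. with net.inet.ip.fw.one_pass=1, the default.

```python
"""First-match simulator for a subset of ipfw rule syntax (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed rulesets: the shadowing case from the thread, and the fix
# (nat rule moved to number 90 so it runs before the lo0 allow rule).
RULESET_BEFORE = """
100 allow ip from any to any via lo0
19001 nat 19001 log tcp from 192.168.5.3 to 192.168.5.3 3100 in recv lo0
65535 deny ip from any to any
"""
RULESET_AFTER = RULESET_BEFORE.replace("19001 nat", "90 nat")


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str              # "in" or "out"
    recv: Optional[str] = None  # interface the packet was received on
    xmit: Optional[str] = None  # interface the packet is being sent on


@dataclass
class Rule:
    number: int
    action: str
    log: bool
    proto: str
    src: str
    dst: str
    dport: Optional[int]
    direction: Optional[str]
    ifkw: Optional[str]         # "via", "recv" or "xmit"
    iface: Optional[str]
    text: str


# Supported subset: <num> allow|deny|nat <n> [log] ip|tcp|udp from A to B [port] [in|out] [via|recv|xmit IF]
RULE_RE = re.compile(
    r"^(?:ipfw\s+add\s+)?(?P<num>\d+)\s+(?P<action>allow|deny|nat\s+\d+)"
    r"(?P<log>\s+log)?\s+(?P<proto>ip|tcp|udp)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+))?(?:\s+(?P<dir>in|out))?"
    r"(?:\s+(?P<ifkw>via|recv|xmit)\s+(?P<iface>\S+))?\s*$"
)


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    return Rule(
        number=int(m["num"]), action=m["action"], log=m["log"] is not None,
        proto=m["proto"], src=m["src"], dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        direction=m["dir"], ifkw=m["ifkw"], iface=m["iface"], text=line.strip(),
    )


def parse_ruleset(text: str) -> List[Rule]:
    rules = [parse_rule(l) for l in text.splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.number)  # ipfw walks rules in number order


def addr_match(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.direction is not None and rule.direction != pkt.direction:
        return False
    if rule.ifkw == "via":       # via matches either the receive or the transmit interface
        return rule.iface in (pkt.recv, pkt.xmit)
    if rule.ifkw == "recv":
        return pkt.recv == rule.iface
    if rule.ifkw == "xmit":
        return pkt.xmit == rule.iface
    return True


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """The first matching rule consumes the packet (nat treated as terminal, one_pass=1)."""
    for r in rules:
        if rule_matches(r, pkt):
            return r
    return None


def shadowed_by(rules: List[Rule], target: int, pkt: Packet) -> Optional[Rule]:
    """Return the earlier rule that eats pkt before rule `target` can see it, if any."""
    hit = first_match(rules, pkt)
    return hit if hit is not None and hit.number < target else None


# Constructed packet: a local connection to 192.168.5.3:3100 arriving on lo0.
LOCAL_PKT = Packet("tcp", "192.168.5.3", "192.168.5.3", 3100, "in", recv="lo0")

if __name__ == "__main__":
    for name, text in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        hit = first_match(parse_ruleset(text), LOCAL_PKT)
        print(f"{name}: consumed by rule {hit.number} ({hit.text}); logged={hit.log}")
```

In the "before" ruleset the log keyword on rule 19001 produces nothing because rule 100 consumes the packet first, which is exactly the silence the reply says to interpret as "matched and consumed by some rule above". On a real FreeBSD host the same check is "ipfw show" (per-rule packet counters) plus /var/log/security; the simulator only stands in for that when you cannot touch the box.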


Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7b71d9a2-a565-96f2-898a-4ab215a708a4>