From: Glenn Dawson <glenn@antimatter.net>
To: Robert Collins, freebsd-questions@freebsd.org
Date: Fri, 30 Dec 2005 22:46:24 -0800
Subject: Re: forwarding http requests with ipfw
Message-Id: <6.2.3.4.2.20051230223713.05d19280@cobalt.antimatter.net>
In-Reply-To: <006601c60dd4$5319b7a0$6601a8c0@dhcp.hwi.buffalo.edu>

At 10:34 PM 12/30/2005, Robert Collins wrote:
>>At 09:07 PM 12/30/2005, Robert Collins wrote:
>>>I've got a situation where I've got an internal host using a
>>>private ip/domainname. Let's say for the sake of this discussion
>>>the host is privatehost.internal.freebsd.org. privatehost isn't
>>>running a webserver. But I would like machines on the
>>>internal.freebsd.org network to query privatehost as if it was.
>>>When one of these machines queries privatehost I would like
>>>privatehost to forward those requests to my webserver,
>>>www.freebsd.org, so that it can handle the request. In order to
>>>accomplish that I have done the following:
>>>
>>>My kernel was compiled with these options:
>>>options IPFIREWALL
>>>options IPFIREWALL_FORWARD
>>>options IPFIREWALL_FORWARD_EXTENDED
>>>
>>>"ipfw list" looks like this:
>>>00100 allow ip from any to any via lo0
>>>00110 deny ip from any to 127.0.0.0/8
>>>00120 deny ip from 127.0.0.0/8 to any
>>>10000 fwd 216.136.204.117 tcp from any to me dst-port 80
>>>65000 allow ip from any to any
>>>65535 deny ip from any to any
>>>
>>>The problem I am having is that it seems the packets never leave
>>>privatehost. tcpdump shows packets coming in destined for port 80.
>>>"ipfw show" shows that packets are matching my rule, but tcpdump
>>>never shows any packets going out to 216.136.204.117. tcpdump on
>>>216.136.204.117 also shows that no packets are being received. I
>>>did a tcpdump on lo0 just for kicks, and that didn't show
>>>anything. It seems as if the packets are just disappearing.
>>>Someone on #freebsdhelp suggested doing a "sysctl -w
>>>net.inet.ip.forwarding=1" but that didn't help the situation. Is
>>>there something minor I'm missing here...or am I totally off in my
>>>understanding of how "ipfw fwd" works?
>>
>>To quote the ipfw man page:
>>
>>"The fwd action does not change the contents of the packet at
>>all. In particular, the destination address remains unmodified, so
>>packets forwarded to another system will usually be rejected by
>>that system unless there is a matching rule on that system to
>>capture them."
>>
>>You probably need to re-think what you are trying to do.
>
>My understanding of this portion of the man page is that the machine
>receiving the packet, in this case www.freebsd.org, needs to be
>prepared to receive a packet whose destination address is not its
>own. If I am correct in my interpretation then this part of the man
>page is irrelevant to my problem. My question is not, why is
>www.freebsd.org not receiving the packet. My question is, why is
>privatehost.internal.freebsd.org not sending the packet.

What tcpdump rules are you using to look for packets leaving
"privatehost"? Same question for packets arriving at 216.136.204.117?

-Glenn

>_______________________________________________
>freebsd-questions@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
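To make the man-page point behind Glenn's question concrete, here is a small Python model added to this archive page (it is not code from the thread, nor from ipfw itself): it walks the quoted ruleset first-match, applies fwd the way ipfw(8) describes it (next hop recorded, destination address untouched), and shows why a tcpdump filter on `dst host 216.136.204.117` matches nothing on either host. privatehost's own address (ME) and its interface name are assumed placeholders, since the thread never gives them.

```python
import ipaddress
from dataclasses import dataclass

# Constructed: the thread never gives privatehost's own address or interface name.
ME = "10.0.0.5"

# The "ipfw list" output from the thread, verbatim.
RULESET = """\
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
10000 fwd 216.136.204.117 tcp from any to me dst-port 80
65000 allow ip from any to any
65535 deny ip from any to any"""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0
    iface: str = "em0"               # constructed interface name
    next_hop: "str | None" = None    # set by fwd; dst is never rewritten

def _addr_match(spec: str, addr: str) -> bool:
    if spec in ("any", "me"):
        return spec == "any" or addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def apply_ruleset(pkt: Packet):
    """First-match walk of RULESET; returns (rule number, action) and may set next_hop."""
    for line in RULESET.splitlines():
        tok = line.split()
        num, action, i, fwd_to = int(tok[0]), tok[1], 2, None
        if action == "fwd":
            fwd_to, i = tok[2], 3
        proto, src, dst, opts = tok[i], tok[i + 2], tok[i + 4], tok[i + 5:]
        if (proto not in ("ip", pkt.proto)
                or not (_addr_match(src, pkt.src) and _addr_match(dst, pkt.dst))
                or ("via" in opts and opts[opts.index("via") + 1] != pkt.iface)
                or ("dst-port" in opts and opts[opts.index("dst-port") + 1] != str(pkt.dport))):
            continue
        if action == "fwd":
            pkt.next_hop = fwd_to    # per ipfw(8): only the next hop changes, not the header
        return num, action
    raise RuntimeError("ruleset has no catch-all rule")

def tcpdump_dst_host_matches(pkt: Packet, host: str) -> bool:
    return pkt.dst == host    # 'tcpdump dst host X' tests the IP header, not the next hop
```

On the real host a capture keyed on the next hop would have to look at the link-layer destination, because the IP destination of a fwd'ed packet still reads as privatehost.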