Date:      Sat, 19 Jun 1999 10:35:14 -0700 (PDT)
From:      myers@iname.com
To:        freebsd-questions@freebsd.org
Subject:   'ipfw fwd' question: Shouldn't this work?
Message-ID:  <199906191735.KAA05356@sol.>



Folks:

I'm looking at the 'ipfw forward' mechanism, hoping to use it to
automatically route packets on my firewall's port 80 to an internal web
server's port 80.  From what I see in mailing list archives, many people
have got exactly this situation working correctly.  I can't seem to
figure out what I've done wrong. 

The firewall is configured with ed0 as the external interface and de0
as the internal interface to the 10.0.0.x network.  natd is running on
ed0.  Web browsing, email, etc. all work fine from the internal
network.  The 3.2-STABLE kernel has the appropriate IPFIREWALL DIVERT,
FORWARD, etc. directives in it.

When I send a request to port 80, the firewall's kernel says:

gateway /kernel: ipfw: 1200 Forward to 10.0.0.1:80 TCP 10.0.0.1:35188 aaa.bbb.ccc.ddd:80 in via de0

Which is correct, right?

But 'snoop' on the (Solaris) web server shows no packets arriving;
Apache logs show nothing as well.

Can anyone point me to the (hopefully obvious) blunder?  I thought
perhaps some other firewall rule was killing the forwarded packets, but
my firewall configuration logs all denied packets -- and no such denial
messages ever appear.

(By the way, it appears there is an entirely separate mechanism that
offers the same functionality: the natd -redirect_port feature.  This
doesn't work for me either.)

Firewall rules attached below.

Thanks.

-David.



    # Anti-spoofing: inside addresses must not arrive on the outside
    # interface, and outside addresses must not arrive on the inside one
    $fwcmd add deny log all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny log all from ${onet}:${omask} to any in via ${iif}

    # Stop RFC1918 nets on the outside interface
    $fwcmd add deny log all from 192.168.0.0:255.255.0.0 to any via ${oif}
    $fwcmd add deny log all from any to 192.168.0.0:255.255.0.0 via ${oif}
    $fwcmd add deny log all from 172.16.0.0:255.240.0.0 to any via ${oif}
    $fwcmd add deny log all from any to 172.16.0.0:255.240.0.0 via ${oif}
    $fwcmd add deny log all from 10.0.0.0:255.0.0.0 to any via ${oif}

    # Services offered on the firewall's public address (SMTP, DNS, IMAP);
    # port 80 is handed to the internal web server with 'fwd'
    $fwcmd add pass tcp from any to ${oip} 25 setup
    $fwcmd add pass tcp from any to ${oip} 53 setup
    $fwcmd add fwd 10.0.0.1,80 log tcp from any to ${oip} 80
    $fwcmd add pass tcp from any to ${oip} 143 setup

    # Reject&Log all setup of incoming connections from the outside
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Everything else (established flows, outbound traffic) is allowed
    $fwcmd add pass ip from any to any
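As an added example (not part of David's post or his rule set): a dry-run rule generator for the natd -redirect_port approach the post mentions. Per ipfw(8), 'fwd' changes only the next hop and leaves the packet's destination address untouched, so a packet forwarded to 10.0.0.1 still carries the firewall's public address and the inside host will normally drop it; natd rewrites the destination to the web server instead. Assumed: fwcmd defaults to 'echo ipfw' so the script only prints the commands, and 203.0.113.10 stands in for aaa.bbb.ccc.ddd.

```shell
#!/bin/sh
# Added example, not from the original post.  Interfaces ed0/de0 and the
# web server 10.0.0.1 are taken from the post; everything else is assumed.
fwcmd="${fwcmd:-echo ipfw}"      # set fwcmd=/sbin/ipfw to apply for real
oif=ed0; iif=de0
oip="${oip:-203.0.113.10}"       # placeholder for the public address
webserver=10.0.0.1

# natd aliases on the outside interface and rewrites inbound port 80 to
# the web server; replies are un-rewritten on the way back out.
natd_args() {
    echo "natd -n $oif -redirect_port tcp $webserver:80 80"
}

firewall_rules() {
    $fwcmd -f flush
    # Anti-spoofing: inside addresses must never arrive on the outside interface
    $fwcmd add 100 deny log ip from 10.0.0.0:255.0.0.0 to any in via $oif
    # The divert rule must come before any rule that passes or forwards
    # traffic on $oif, so inbound packets are rewritten before filtering
    $fwcmd add 200 divert natd ip from any to any via $oif
    # After natd the request is addressed to the web server itself
    $fwcmd add 300 allow tcp from any to $webserver 80 in via $oif setup
    # Services still hosted on the firewall's own address
    $fwcmd add 400 allow tcp from any to $oip 25 in via $oif setup
    # Log every other inbound connection attempt, as in the original rules
    $fwcmd add 500 deny log tcp from any to any in via $oif setup
    $fwcmd add 65000 allow ip from any to any
}

# Running the file prints the natd command line and the rules (dry run)
natd_args
firewall_rules
```

Check the printed rule order before switching fwcmd to /sbin/ipfw: the divert rule (200) must sit above the allow rule for the web server (300), or the unrewritten packet is passed before natd ever sees it.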







