From: John Hay <jhay@meraka.csir.co.za>
To: Roman Kurakin
Cc: "Leander S.", freebsd-ipfw@freebsd.org
Date: Tue, 21 Oct 2008 08:10:05 +0200
Subject: Re: IPFW + Portforwarding
Message-ID: <20081021061005.GA34936@zibbi.meraka.csir.co.za>
In-Reply-To: <48FD5ED0.2030909@localhost.inse.ru>
List: freebsd-ipfw@freebsd.org (IPFW Technical Discussions)

On Tue, Oct 21, 2008 at 08:47:12AM +0400, Roman Kurakin wrote:
> John Hay wrote:
> > On Mon, Oct 20, 2008 at 11:19:22PM +0200, Leander S. wrote:
> > >
> > > Hi,
> > >
> > > I'm trying to set up something like a HotSpot. The goal is to force
> > > unregistered users to get redirected to the Captive Portal site, where
> > > they'll be able to agree to my licence terms and get some information ...
> > > etc. ...
> > >
> > > So the fact is I need an IPFW rule which forwards port 80, 443, 8080 traffic
> > > to another port, i.e. 8080 --> where my Apache will already be waiting to
> > > serve the Captive Portal site back to the request.
> > >
> > > So I did read the man page and saw something like the fwd rule and the kernel
> > > option for it - so I added the option, recompiled the kernel and gave my
> > > firewall the following fwd rule in an extra script:
> > >
> > >   ${fwcmd} add 01100 fwd ${LAN_IP},8080 tcp from ${LAN} to any 80,443,8080 in via ${LAN_if}
> > >
> Try to make the rule stateful, e.g. add 'setup keep-state'. Also add some
> logging in the rule, and add one additional deny rule at the end, with logging.

Adding logging is a good idea. Does keep-state work with fwd? I did not
know that. I just assumed that it would not.

> > You have to catch it where it is going out and not in. Fwd only works
> > when packets are outbound.
> >
> But how does this work for me?
>
> ipfw fwd 192.168.0.4,3128 log logamount 1000 tcp from 172.22.4.0/24 to
> 172.22.4.254 dst-port 3128 setup in via vr0 keep-state

I don't know. I did not think it would work. The way I understand it,
fwd is a little like routing: it does not change the IP packet, so in
effect it only changes the MAC address of the next hop and the
interface, if needed.

One other thing that might be a problem is if ipfw was just loaded as a
module and not compiled in. There were reports that fwd does not work
with the module. On all the boxes where I use fwd, ipfw is compiled into
the kernel.

John
--
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org
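The thread above leaves two things to the reader: how the three rules Roman suggests (the logged fwd rule, and a final logged deny) fit together as a script, and whether the fwd rule should match `in` (as Leander posted it) or `out` (as John suggests). The script below is an added example, not code from the thread or from FreeBSD; it generates the rule set with `FWCMD` defaulting to `echo ipfw` so it can be reviewed as a dry run before loading, validates the address and port parameters, and leaves the direction as a `FWD_DIR` parameter so either variant can be tested on a real box. All interface, network and address values are constructed placeholders; the 01000 allow rule for direct traffic to the portal is an assumption about how a captive portal is usually wired, not something stated in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build the captive-portal ipfw rule set
# discussed above. FWCMD defaults to "echo ipfw" so the rules are printed
# rather than loaded; set FWCMD=/sbin/ipfw on the firewall to apply them.
# Every default below is a constructed placeholder.

: "${FWCMD:=echo ipfw}"
: "${LAN_IF:=vr0}"               # LAN-facing interface (assumed)
: "${LAN:=192.168.0.0/24}"       # client network (assumed)
: "${LAN_IP:=192.168.0.1}"       # this box's LAN address (assumed)
: "${PORTAL_PORT:=8080}"         # local port the captive-portal Apache listens on
: "${WEB_PORTS:=80,443,8080}"    # client traffic to redirect to the portal
: "${FWD_DIR:=in}"               # "in" (as Leander posted) or "out" (as John suggests)

# Return 0 if $1 is a dotted-quad IPv4 address with octets in 0..255, else 1.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    for o in $1; do
        [ "$o" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# Return 0 if $1 is a comma-separated list of ports in 1..65535, else 1.
is_port_list() {
    echo "$1" | grep -Eq '^[0-9]+(,[0-9]+)*$' || return 1
    oldifs=$IFS; IFS=,
    for p in $1; do
        { [ "$p" -ge 1 ] && [ "$p" -le 65535 ]; } || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
    return 0
}

# Print (or load, depending on FWCMD) the rule set. Rule numbers leave a gap
# at 01001..01099 for per-client allow rules that the portal would insert
# once a user has accepted the terms.
captive_portal_rules() {
    is_ipv4 "$LAN_IP" || { echo "bad LAN_IP: $LAN_IP" >&2; return 1; }
    is_port_list "$WEB_PORTS" || { echo "bad WEB_PORTS: $WEB_PORTS" >&2; return 1; }
    case "$FWD_DIR" in
        in|out) ;;
        *) echo "FWD_DIR must be 'in' or 'out'" >&2; return 1 ;;
    esac

    # Clients may always reach the portal itself directly.
    $FWCMD add 01000 allow tcp from "$LAN" to "$LAN_IP" "$PORTAL_PORT" via "$LAN_IF"
    # Everything else on the web ports is redirected to the portal and logged.
    $FWCMD add 01100 fwd "$LAN_IP,$PORTAL_PORT" log logamount 1000 \
        tcp from "$LAN" to any "$WEB_PORTS" "$FWD_DIR" via "$LAN_IF"
    # Whatever else unregistered clients send is logged and dropped.
    $FWCMD add 01200 deny log logamount 1000 ip from "$LAN" to any via "$LAN_IF"
}

# Dry run when executed directly: prints the three rules.
[ -n "${CAPTIVE_PORTAL_NO_RUN:-}" ] || captive_portal_rules
```

Running it as-is prints the rules; `FWD_DIR=out FWCMD=/sbin/ipfw sh captive.sh` loads John's variant on a FreeBSD box. Note that the `log logamount 1000` clause sits right after the action, matching the syntax Roman used, and that the script does nothing about the module-versus-compiled-in question John raises: that has to be checked on the kernel itself.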