Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 9 Feb 2005 17:38:35 -0800 (PST)
From:      Kelly Yancey <kbyanc@posi.net>
To:        Chris Knipe <savage@savage.za.org>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: ipfw fwd
Message-ID:  <20050209172905.W66973@gateway.posi.net>
In-Reply-To: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
References:  <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
On Wed, 9 Feb 2005, Chris Knipe wrote:

> Lo all,
>
> FreeBSD 4.11-STABLE, running ipfw2.
>
> root@wsmd-core02:/home/cknipe# ifconfig vlan1
> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
>         inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>         ether 00:08:a1:7a:b1:44
>         media: Ethernet autoselect (100baseTX)
>         status: active
>         vlan: 200 parent interface: rl0
>
> ipfw2:
> 00400       0         0 allow tcp from 198.19.0.36 to any dst-port 80
> 00401      12       652 allow tcp from 198.19.0.35 to any dst-port 25
> 00402      13       668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any
> dst-port 80
> 00403       2       120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any
> dst-port 25
>
>
> However, packets that are forwarded, never connects to the destination where
> it is forwarded to.  And yes, I did check the obvious, everything is up and
> running....   Is there some sysctl magic or something required to make this
> work?  I can fwd without a problem to the SAME BOX, but I cannot seem to get
> it to work to fwd to remote machines.  In case someone is wondering, this is
> for transparent proxy / smtp servers.
>
> --
> Chris.
>

  I don't suppose you're getting bitten by:

	"The fwd action does not change the contents of the packet at
	 all.  In particular, the destination address remains
	 unmodified, so packets forwarded to another system will usually
	 be rejected by that system unless there is a matching rule on
	 that system to capture them."

  The ipfw(8) man page is a little vague with the phrasing "matching
rule on that system to capture them".  Normally systems don't process
packets locally that are not destined for it.  You can use tcpdump on
the remote box to verify for yourself that the fwd is working correctly
and that the remote box is receiving the packets.  The remote box just
doesn't know what to do with the packets it is receiving.

  Kelly

--
Kelly Yancey  -  kbyanc@{posi.net,FreeBSD.org}  -  kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
 government or information to the people.  This last is the most certain and
 the most legitimate engine of government."
	-- Thomas Jefferson to James Madison, 1787.



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?20050209172905.W66973>