From owner-freebsd-ipfw@FreeBSD.ORG Thu Feb 10 00:35:54 2005
Date: Wed, 9 Feb 2005 17:38:35 -0800 (PST)
From: Kelly Yancey
To: Chris Knipe
cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw fwd
Message-ID: <20050209172905.W66973@gateway.posi.net>
In-Reply-To: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
References: <001f01c50ec9$8801c580$0a01a8c0@ops.cenergynetworks.com>
List-Id: IPFW Technical Discussions

On Wed, 9 Feb 2005, Chris Knipe wrote:

> Lo all,
>
> FreeBSD 4.11-STABLE, running ipfw2.
>
> root@wsmd-core02:/home/cknipe# ifconfig vlan1
> vlan1: flags=8843 mtu 1496
>         inet 198.19.0.33 netmask 0xffffffe0 broadcast 198.19.0.63
>         ether 00:08:a1:7a:b1:44
>         media: Ethernet autoselect (100baseTX)
>         status: active
>         vlan: 200 parent interface: rl0
>
> ipfw2:
> 00400      0       0 allow tcp from 198.19.0.36 to any dst-port 80
> 00401     12     652 allow tcp from 198.19.0.35 to any dst-port 25
> 00402     13     668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
> 00403      2     120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
>
> However, packets that are forwarded never connect to the destination where
> they are forwarded to. And yes, I did check the obvious, everything is up and
> running.... Is there some sysctl magic or something required to make this
> work? I can fwd without a problem to the SAME BOX, but I cannot seem to get
> it to work to fwd to remote machines. In case someone is wondering, this is
> for transparent proxy / smtp servers.
>
> --
> Chris.

I don't suppose you're getting bitten by:

  "The fwd action does not change the contents of the packet at all. In
  particular, the destination address remains unmodified, so packets
  forwarded to another system will usually be rejected by that system
  unless there is a matching rule on that system to capture them."

The ipfw(8) man page is a little vague with the phrasing "matching rule on
that system to capture them". Normally systems don't process packets
locally that are not destined for it. You can use tcpdump on the remote
box to verify for yourself that the fwd is working correctly and that the
remote box is receiving the packets. The remote box just doesn't know what
to do with the packets it is receiving.

  Kelly

--
Kelly Yancey - kbyanc@{posi.net,FreeBSD.org} - kelly@nttmcl.com
"And say, finally, whether peace is best preserved by giving energy to the
government or information to the people. This last is the most certain and
the most legitimate engine of government."
  -- Thomas Jefferson to James Madison, 1787.
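The check Kelly describes, as an added example that is not part of the thread and not code from either poster: run tcpdump on the remote box (here the squid host 198.19.0.36 from the original rule 00402) and look at the destination address of the arriving SYNs. Packets delivered by fwd still carry the original web server's address, so they are "foreign" to the box that receives them. The script below parses constructed tcpdump lines, separates packets addressed to the box from packets merely handed to it, and prints the kind of local capture rule the man page alludes to. The sample lines, the local address list, the loopback port 3128 and the rule shape `fwd 127.0.0.1,<port> ... in via <iface>` are all assumptions for illustration, not something the thread states.

```python
import ipaddress
import re
from collections import Counter

# Tolerant of both the classic tcpdump TCP line ("S 10:10(0) win ...") and the
# newer one ("IP ... Flags [S], seq ..."); only addresses and ports are used.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?:IP\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample: what tcpdump on the proxy box (198.19.0.36) might show
# while the gateway's rule 00402 is forwarding port-80 traffic to it.
SAMPLE_CAPTURE = [
    "17:38:35.101 198.19.0.40.51234 > 203.0.113.10.80: S 10:10(0) win 65535",
    "17:38:35.102 198.19.0.41.51235 > 203.0.113.11.80: S 20:20(0) win 65535",
    "17:38:35.103 IP 198.19.0.42.51236 > 203.0.113.12.80: Flags [S], seq 30, win 65535",
    "17:38:36.200 198.19.0.40.51300 > 198.19.0.36.22: S 40:40(0) win 65535",
    "arp who-has 198.19.0.33 tell 198.19.0.36",  # non-TCP line, skipped
]


def parse_tcpdump_line(line):
    """Extract src/dst address and port from one tcpdump TCP line, else None."""
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
    }


def classify_packets(lines, local_addrs):
    """Tag each parsed packet 'local' if its destination is one of this host's
    addresses, otherwise 'foreign-dst' (arrived via fwd, header unmodified)."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    result = []
    for line in lines:
        pkt = parse_tcpdump_line(line)
        if pkt is None:
            continue
        verdict = "local" if ipaddress.ip_address(pkt["dst"]) in local else "foreign-dst"
        result.append((pkt, verdict))
    return result


def summarize(classified):
    """Count foreign-destination packets per destination port; these are the
    flows the host will not process without a rule that claims them."""
    counts = Counter(pkt["dport"] for pkt, v in classified if v == "foreign-dst")
    return dict(counts)


def capture_rule(dport, local_port, src_net, iface):
    """Assumed shape of the ipfw rule on the remote box that redirects the
    forwarded packets to a daemon listening on loopback (e.g. squid on 3128)."""
    return (f"ipfw add fwd 127.0.0.1,{local_port} tcp from {src_net} to any "
            f"dst-port {dport} in via {iface}")


if __name__ == "__main__":
    classified = classify_packets(SAMPLE_CAPTURE, ["198.19.0.36", "127.0.0.1"])
    for pkt, verdict in classified:
        print(f"{pkt['ts']} {pkt['src']}:{pkt['sport']} -> "
              f"{pkt['dst']}:{pkt['dport']} {verdict}")
    for dport, n in summarize(classified).items():
        print(f"{n} packet(s) to port {dport} arrived addressed elsewhere; "
              f"a local capture rule would be needed, e.g.:")
        print("  " + capture_rule(dport, 3128, "198.19.0.32/27", "vlan1"))
```

If the capture shows no port-80 SYNs at all, the problem is on the gateway side (the fwd rule is not matching or the next hop is unreachable); if they appear but with the web server's address as destination, the gateway is doing exactly what ipfw(8) says and the missing piece is on the receiving box.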