Date:      Thu, 10 Feb 2005 11:56:34 +0200
From:      "Chris Knipe" <>
To:        "Kelly Yancey" <>
Subject:   Re: ipfw fwd
Message-ID:  <004e01c50f56$ce47c020$>
References:  <001f01c50ec9$8801c580$> <>

>> FreeBSD 4.11-STABLE, running ipfw2.
>> root@wsmd-core02:/home/cknipe# ifconfig vlan1
>> vlan1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1496
>>         inet netmask 0xffffffe0 broadcast
>>         ether 00:08:a1:7a:b1:44
>>         media: Ethernet autoselect (100baseTX)
>>         status: active
>>         vlan: 200 parent interface: rl0
>> ipfw2:
>> 00400       0         0 allow tcp from to any dst-port 80
>> 00401      12       652 allow tcp from to any dst-port 25
>> 00402      13       668 fwd,3128 tcp from to any dst-port 80
>> 00403       2       120 fwd,25 tcp from to any dst-port 25
>> However, packets that are forwarded never connect to the destination they
>> are forwarded to.  And yes, I did check the obvious, everything is up and
>> running....   Is there some sysctl magic or something required to make this
>> work?  I can fwd without a problem to the SAME BOX, but I cannot seem to get
>> it to work to fwd to remote machines.  In case someone is wondering, this is
>> for transparent proxy / smtp servers.
>> --
>> Chris.
>  I don't suppose you're getting bitten by:
> "The fwd action does not change the contents of the packet at
> all.  In particular, the destination address remains
> unmodified, so packets forwarded to another system will usually
> be rejected by that system unless there is a matching rule on
> that system to capture them."
>  The ipfw(8) man page is a little vague with the phrasing "matching
> rule on that system to capture them".  Normally systems don't process
> packets locally that are not destined for them.  You can use tcpdump on
> the remote box to verify for yourself that the fwd is working correctly
> and that the remote box is receiving the packets.  The remote box just
> doesn't know what to do with the packets it is receiving.

I never even saw this before in the man page... I'll have to look a bit
closer.  I did check prior to posting (sorry, I should have mentioned), no
packets are picked up on the host that I forward to...

Are there any other ways to accomplish this?? natd????  I want to try and
stay away from natd, because if I do this with NATD, there's going to be
a lot of other issues I need to fix as well.....
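As an added illustration (not code from this thread or from FreeBSD): the two-box ipfw layout for the transparent HTTP proxy case, with the gateway's fwd rule, the capturing rule on the proxy host that the quoted ipfw(8) text refers to, and the tcpdump check from the reply. The addresses 192.0.2.0/27 and 198.51.100.10, the interface name em0, port 3128 and the DRY_RUN switch are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or FreeBSD. Constructed values: the LAN
# behind the gateway is 192.0.2.0/27 (same /27 as the 0xffffffe0 mask above),
# the proxy host is 198.51.100.10 with a listener on 3128 behind interface em0.
# DRY_RUN=1 prints the commands instead of running ipfw/tcpdump.
LAN_NET="${LAN_NET:-192.0.2.0/27}"
PROXY_IP="${PROXY_IP:-198.51.100.10}"
PROXY_IF="${PROXY_IF:-em0}"
PROXY_PORT="${PROXY_PORT:-3128}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Gateway side. fwd leaves the destination address untouched; per ipfw(8) the
# ",port" suffix is ignored when the next hop is not a local address, so only
# the proxy's IP is given here and the port is selected on the proxy itself.
gateway_rules() {
    run ipfw add 402 fwd "$PROXY_IP" tcp from "$LAN_NET" to any dst-port 80
}

# Proxy side. The arriving packets still carry the origin server's address, so
# without a rule the kernel treats them as not-for-me. A fwd to 127.0.0.1,port
# on inbound packets is the "matching rule on that system" that delivers them
# to the local proxy socket.
proxy_rules() {
    run ipfw add 100 fwd "127.0.0.1,$PROXY_PORT" tcp from "$LAN_NET" to any \
        dst-port 80 in recv "$PROXY_IF"
}

# The check from the reply: confirm on the proxy host that forwarded packets
# arrive at all before looking at the capture rule.
check_arrival() {
    run tcpdump -ni "$PROXY_IF" tcp and dst port 80 and src net "$LAN_NET"
}

case "${1:-}" in
    gateway) gateway_rules ;;
    proxy)   proxy_rules ;;
    check)   check_arrival ;;
    "")      ;;  # sourced with no argument: only define the functions
    *)       echo "usage: $0 gateway|proxy|check" >&2; exit 2 ;;
esac
```

Run `sh script.sh gateway` on the gateway and `sh script.sh proxy` on the proxy host as root; `DRY_RUN=1 sh script.sh check` shows the tcpdump filter without starting a capture.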