Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 25 May 2016 14:03:32 -0400
From:      Adonis Peralta <donileo@gmail.com>
To:        freebsd-ipfw@freebsd.org
Subject:   ipfw fwd sends to port but also through gateway
Message-ID:  <9227BA17-B289-494D-8A82-603DB1B35457@gmail.com>

Next in thread | Raw E-Mail | Index | Archive | Help
Hi all,

I am noticing something weird in regards to ipfw forwarding when I am =
attempting to set up squid web proxying.=20

Here is the info:

ipfw rule: ipfw -q add fwd 127.0.0.1,8080 tcp from =
192.168.1.0/24{1-5,7-254} to any dst-port 80 in via igb0 //I exclude the =
servers ip 192.168.1.6 here to prevent a loop
Squid Proxy: running on localhost (127.0.0.1) port 8080.
Freebsd box ip: 192.168.1.6
Router box: 192.168.1.1

Essentially when any ip (not my freebsd ip) makes a request to port 80 =
my router will route that ip using policy based routing to my freebsd =
box. Then the ipfw fwd rule above sends that traffic over to my squid =
proxy port. This is working fine and the fwd rule above does definitely =
match.
However the issue Im seeing is that ipfw fwd not only sends the packet =
out to the squid proxy but ALSO sends it out to the original destination =
causing all sorts of issues for my client because it messes up the tcp =
flow/handshaking.

To be more clear what I see is when client 192.168.1.3 makes a request =
on port 80=E2=80=A6 my freebsd box receives it.. then forwards it to =
squid but also sends it out to the original destination so for every =
packet coming to port 80 i see two going out..

To debug this problem a bit further I stopped squid, and setup "nc -l =
8080" to catch incoming requests via the fwd.

Doing a tcpdump I see:

192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum =
0x9385 (correct), seq 1939422713, win 65535, options [mss =
1460,nop,wscale 5,nop,nop,TS val 1149232947 ecr 0,sackOK,eol], length 0
13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], =
proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], =
cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win =
65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1794161828 ecr =
1149232947], length 0

Netcat catches the HTTP Get request (i can see it in netcats console).. =
but the above tcpdump definitely tells me that the request was also sent =
to to aws itself this is implied by the fact that aws responded back to =
original ip (192.168.1.3).

When I have squid running I see the same thing in the above tcpdump but =
also communication between my freebsd box ip 192.168.1.6 and the =
requested http site.

 Why is this happening? Is this a bug?

-Adonis=



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?9227BA17-B289-494D-8A82-603DB1B35457>