From: Adonis Peralta
Subject: ipfw fwd sends to port but also through gateway
Message-Id: <9227BA17-B289-494D-8A82-603DB1B35457@gmail.com>
Date: Wed, 25 May 2016 14:03:32 -0400
To: freebsd-ipfw@freebsd.org
List-Id: IPFW Technical Discussions

Hi all,

I am noticing something weird in regards to ipfw forwarding when I am attempting to set up squid web proxying.

Here is the info:

ipfw rule:

    ipfw -q add fwd 127.0.0.1,8080 tcp from 192.168.1.0/24{1-5,7-254} to any dst-port 80 in via igb0   // I exclude the server's IP 192.168.1.6 here to prevent a loop

Squid proxy: running on localhost (127.0.0.1) port 8080.
FreeBSD box IP: 192.168.1.6
Router box: 192.168.1.1

Essentially, when any IP (not my FreeBSD IP) makes a request to port 80, my router will route that IP using policy-based routing to my FreeBSD box. Then the ipfw fwd rule above sends that traffic over to my squid proxy port. This is working fine and the fwd rule above does definitely match.
However, the issue I'm seeing is that ipfw fwd not only sends the packet out to the squid proxy but ALSO sends it out to the original destination, causing all sorts of issues for my client because it messes up the TCP flow/handshaking.

To be more clear, what I see is: when client 192.168.1.3 makes a request on port 80, my FreeBSD box receives it, then forwards it to squid but also sends it out to the original destination, so for every packet coming to port 80 I see two going out.

To debug this problem a bit further I stopped squid and set up "nc -l 8080" to catch incoming requests via the fwd. Doing a tcpdump I see:

    192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x9385 (correct), seq 1939422713, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1149232947 ecr 0,sackOK,eol], length 0
    13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], proto TCP (6), length 60)
        s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1794161828 ecr 1149232947], length 0

Netcat catches the HTTP GET request (I can see it in netcat's console), but the above tcpdump definitely tells me that the request was also sent to AWS itself; this is implied by the fact that AWS responded back to the original IP (192.168.1.3).

When I have squid running I see the same thing in the above tcpdump, but also communication between my FreeBSD box IP 192.168.1.6 and the requested HTTP site.

Why is this happening? Is this a bug?

-Adonis
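A check worth running on such a capture: tcpdump reports an "incorrect" TCP checksum for packets the capturing host generated itself when the NIC does TX checksum offload, while packets that arrived off the wire verify as "correct", so the checksum column tells a reply built locally (by the fwd'd listener) from one received from the remote server. The example below is added here and is not from the post; it parses the tcpdump -v format quoted above over a constructed sample (the 192.168.1.6 session, ports and sequence numbers are made up) and sorts each LAN endpoint's packets by direction and origin.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the tcpdump -v output quoted in the post:
# a LAN client's SYN, the SYN-ACK it gets back, then the proxy box's own
# session to the same site.  Not a real capture.
SAMPLE = """\
13:14:16.209102 IP (tos 0x0, ttl 64, id 10950, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x9385 (correct), seq 1939422713, win 65535, length 0
13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win 65535, length 0
13:14:16.210411 IP (tos 0x0, ttl 64, id 10952, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.1.6.41204 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x1a2b (incorrect -> 0x7c11), seq 100, win 65535, length 0
13:14:16.291870 IP (tos 0x0, ttl 48, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.6.41204: Flags [S.], cksum 0x55aa (correct), seq 200, ack 101, win 26883, length 0
"""

# Second line of each tcpdump -v TCP record; works with -n or resolved names.
PKT_RE = re.compile(
    r"^\s*(?P<src>\S+)\.(?P<sport>\w+) > (?P<dst>\S+)\.(?P<dport>\w+): "
    r"Flags \[(?P<flags>[^\]]*)\], cksum 0x[0-9a-f]+ \((?P<cksum>correct|incorrect)"
)

def parse_tcpdump(text):
    """One dict per TCP packet line; the 'IP (tos ...)' header lines are skipped."""
    return [m.groupdict() for m in map(PKT_RE.match, text.splitlines()) if m]

def origin(pkt):
    # 'host': checksum left unfilled by TX offload, so built on this box; 'wire': received.
    return "host" if pkt["cksum"] == "incorrect" else "wire"

def sessions(text, lan_prefix="192.168.1."):
    """Group packets by LAN-side endpoint as (direction, flags, origin) tuples."""
    out = defaultdict(list)
    for p in parse_tcpdump(text):
        if p["src"].startswith(lan_prefix):
            key, direction = f"{p['src']}:{p['sport']}", "from-lan"
        elif p["dst"].startswith(lan_prefix):
            key, direction = f"{p['dst']}:{p['dport']}", "to-lan"
        else:
            continue
        out[key].append((direction, p["flags"], origin(p)))
    return dict(out)

def locally_answered(text, lan_prefix="192.168.1."):
    """LAN endpoints whose SYN-ACK was generated on this host, not received from the server."""
    return sorted(k for k, pk in sessions(text, lan_prefix).items()
                  if ("to-lan", "S.", "host") in pk)
```

Feed it `tcpdump -v -i igb0 'tcp port 80'` output instead of `SAMPLE`; on the constructed input `locally_answered(SAMPLE)` returns only the client session, while the box's own session shows a SYN-ACK that really came off the wire.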