Date:      Fri, 11 Feb 2005 06:34:24 +0200
From:      Ian FREISLICH <if@hetzner.co.za>
To:        Chris Knipe <savage@savage.za.org>
Cc:        Kelly Yancey <kbyanc@posi.net>
Subject:   Re: ipfw fwd 
Message-ID:  <E1CzSVc-000NNV-00@hetzner.co.za>
In-Reply-To: Message from "Chris Knipe" <savage@savage.za.org>  <004e01c50f56$ce47c020$0a01a8c0@ops.cenergynetworks.com> 

"Chris Knipe" wrote:
> >> 00400       0         0 allow tcp from 198.19.0.36 to any dst-port 80
> >> 00401      12       652 allow tcp from 198.19.0.35 to any dst-port 25
> >> 00402      13       668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to 
> >> any
> >> dst-port 80
> >> 00403       2       120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any
> >> dst-port 25
> >>
> >>
> >> However, packets that are forwarded never connect to the
> >> destination where they are forwarded to.  And yes, I did check the
> >> obvious, everything is up and running....  Is there some sysctl
> >> magic or something required to make this work?  I can fwd without
> >> a problem to the SAME BOX, but I cannot seem to get it to work to
> >> fwd to remote machines.  In case someone is wondering, this is for
> >> transparent proxy / smtp servers.
> >
> >  I don't suppose you're getting bitten by:
> >
> > "The fwd action does not change the contents of the packet at
> > all.  In particular, the destination address remains unmodified, so
> > packets forwarded to another system will usually be rejected by that
> > system unless there is a matching rule on that system to capture
> > them."
> >
> >  The ipfw(8) man page is a little vague with the phrasing "matching
> > rule on that system to capture them".  Normally systems don't
> > process packets locally that are not destined for it.  You can use
> > tcpdump on the remote box to verify for yourself that the fwd is
> > working correctly and that the remote box is receiving the packets.
> > The remote box just doesn't know what to do with the packets it is
> > receiving.
>
> I never even saw this before in the man page... I'll have to look
> a bit closer.  I did check prior to posting (sorry, I should have
> mentioned), no packets are picked up on the host that I forward to...

I think that you might need to set net.inet.ip.forwarding=1 on the
server that you're forwarding the packets to.  Unless this is turned
on, the server won't act as a router, and unless it's a router it
won't accept packets that are not for it in order to forward them on.

Ian

--
Ian Freislich
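A small check one might run over `ipfw -a list` output in the situation described in this thread, as an added example that is not part of the thread: it parses the rule and counter lines, extracts each fwd target, and flags fwd rules whose target is not one of this host's own addresses, since those packets keep their original destination and the remote host needs a rule of its own to capture them. The local address 198.19.0.33 and the counter values are constructed.

```python
import re
from ipaddress import ip_address

# Constructed sample in the format of `ipfw -a list` output, mirroring the
# rules quoted in the thread (counters are example values).
SAMPLE_RULES = """\
00400       0         0 allow tcp from 198.19.0.36 to any dst-port 80
00401      12       652 allow tcp from 198.19.0.35 to any dst-port 25
00402      13       668 fwd 198.19.0.36,3128 tcp from 198.19.0.32/27 to any dst-port 80
00403       2       120 fwd 198.19.0.35,25 tcp from 198.19.0.32/27 to any dst-port 25
"""

# rule number, packet counter, byte counter, action, rest of the rule body
RULE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
# fwd target: IPv4 address with an optional ,port suffix, then the match part
FWD_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?:,(\d+))?\s+(.*)$")


def parse_rules(text):
    """Parse `ipfw -a list` lines into dicts; fwd rules also get target_ip/port."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        num, pkts, byts, action, rest = m.groups()
        rule = {"num": int(num), "pkts": int(pkts), "bytes": int(byts),
                "action": action, "body": rest}
        if action == "fwd":
            fm = FWD_RE.match(rest)
            if fm:
                rule["target_ip"] = fm.group(1)
                rule["target_port"] = int(fm.group(2)) if fm.group(2) else None
                rule["body"] = fm.group(3)
        rules.append(rule)
    return rules


def remote_fwd_targets(rules, local_addrs):
    """Return fwd rules whose target is not an address of this host."""
    local = {ip_address(a) for a in local_addrs}
    return [r for r in rules
            if r["action"] == "fwd" and "target_ip" in r
            and ip_address(r["target_ip"]) not in local]


def report(text, local_addrs):
    """One warning per fwd rule that hands packets to another machine."""
    return [f"rule {r['num']:05d}: fwd to {r['target_ip']} port {r['target_port']} "
            f"({r['pkts']} packets matched); destination address is unchanged, "
            f"so {r['target_ip']} needs its own rule to capture that traffic"
            for r in remote_fwd_targets(parse_rules(text), local_addrs)]


if __name__ == "__main__":
    for warning in report(SAMPLE_RULES, ["198.19.0.33"]):
        print(warning)
```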


