From: "Sam Wun"
To: freebsd-ipfw@freebsd.org
Date: Wed, 28 Nov 2007 13:03:29 +1100
List-Id: IPFW Technical Discussions
Subject: ipfw forwarding doesn't work - for more than 2 months. --- please help

Hi,

I set up the following ipfw rules in FreeBSD 6.2:

belmore# ipfw list
00001 allow udp from any to any dst-port 500
00001 allow esp from any to any
00001 allow esp from any to any
00001 allow ipencap from any to any
00001 allow ipencap from any to any
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00041 allow tcp from 192.168.1.222 to any out
00050 divert 8668 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00150 allow ip from any to any via rl1
00200 deny ip from any to 127.0.0.0/8
00250 allow ip from any to any via lo0
00300 deny ip from 127.0.0.0/8 to any
00350 allow ip from any to any via gif* keep-state
00450 allow udp from any to any dst-port 53 in keep-state
00550 allow tcp from any to any dst-port 22 in keep-state
00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
00750 allow tcp from any to any dst-port 1080-60000 in keep-state
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
01050 allow tcp from any to any out keep-state
65000 allow ip from any to any
65535 allow ip from any to any

I don't know what is wrong that the FreeBSD server (6.2) can't redirect/forward HTTP requests to an internal server (web server - 192.168.1.222).

Can anyone please give a suggestion for modifying these rules?
Or can you please post your workable ipfw rules that achieved the same goal?

Thanks
S