Date:      Tue, 23 Jan 2018 14:01:07 -0700
From:      Alan Somers <asomers@freebsd.org>
To:        Eugene Grosbein <eugen@grosbein.net>
Cc:        "Andrey V. Elsukov" <bu7cher@yandex.ru>, FreeBSD Net <freebsd-net@freebsd.org>, Kristof Provost <kp@freebsd.org>
Subject:   Re: pf: redirect a packet's port but not its address?
Message-ID:  <CAOtMX2h+U82k6+B_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA@mail.gmail.com>
In-Reply-To: <5A6781E9.5060405@grosbein.net>
References:  <CAOtMX2j80odQ7+t3eiFfyV-B5AU0deeNFU1HLwAf05fL8nJZhA@mail.gmail.com> <a4eef32f-0446-43d7-3291-8034423122f0@yandex.ru> <CAOtMX2jroiz57KyQZUk+4aW4=_1m=Qs7wEP=_3pEVL+E2jg22A@mail.gmail.com> <759792be-189f-bdaf-04c9-b01d26fa9e00@yandex.ru> <CAOtMX2i3ZPM8TjHQvSj6tSjjDCEQhD2jqJkb6jZCMh3VjK_nUg@mail.gmail.com> <5A6781E9.5060405@grosbein.net>

On Tue, Jan 23, 2018 at 11:41 AM, Eugene Grosbein <eugen@grosbein.net> wrote:

> 24.01.2018 1:26, Alan Somers wrote:
>
> >> # ipfw add fwd ::1,5678 tcp from any to any 4000
> >> # nc -6 -l ::1 5678
> >>
> >> And from another host tried:
> >> # telnet -6 fc00::1 4000
> >>
> >> And this works.
> >>
> >
> > This does not work for me.  When I try, tcpdump shows that the host
> > running ipfw returns an RST packet when it receives a SYN for port 4000.
> > That sounds like the fwd rule isn't working.  And it's probably not
> > working because I'm a total ipfw n00b.  Is there anything else I need
> > to configure in ipfw first?  My rc.conf file looks like:
> >
> > firewall_enable="YES"
> > firewall_type="open"
>
> ipfw rules are always numbered, and while ipfw allows you to not specify
> a rule number when adding, it is wise to always specify it, or else it
> adds rules to the end of the list, and that is not what you want when
> dealing with the pre-defined "open" ruleset.
>
> In short, use "ipfw add 2000 fwd ::1,5678 tcp from any to any 4000"
> Use "ipfw show" to check it out before and after running this command


Thanks.  It works now, at least for global addresses.  But the fwd rule
does not work for link-local addresses.  When I try, the ACK packet gets
dropped because it violates IPv6 scope rules.  A custom dtrace probe shows
that ipfw is apparently not setting the embedded scope identifier on the
forwarded packet.  The address should be "fe80:2:0:0:215:17ff:fee9:3079"
but it's actually "fe80:0:0:0:215:17ff:fee9:3079".  This is similar to the
problems I ran into with pf.  In fact, I never did get pf working with
link-local addresses either.

-Alan
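The scope problem Alan describes above comes from how the FreeBSD (KAME-derived) stack represents link-local addresses internally: the scope zone, which for link-local scope is the interface index, is stamped into the second 16-bit word of the address while the packet is inside the kernel (in6_setscope) and zeroed again before the packet goes on the wire (in6_clearscope). That is why the expected in-kernel address is "fe80:2:0:0:215:17ff:fee9:3079" (zone 2) and the address ipfw actually produced, "fe80:0:0:0:215:17ff:fee9:3079", fails the scope check on the reply path. The following Python is an added example written for this archive page; it is not code from the thread, from ipfw or from the FreeBSD kernel. It reproduces the embedding convention on plain strings so that a reader can see the two forms side by side, and the fwd_target_ok helper is a hypothetical stand-in for the check Alan's custom dtrace probe performed. The zone id 2 and the address are taken from the mail; the sample "fc00::1" is the global address used earlier in the thread.

```python
import ipaddress

# Link-local unicast prefix; only these addresses carry an embedded zone.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def embedded_zone(addr: str) -> int:
    """Return the zone id embedded in bytes 2-3 of a link-local address.

    FreeBSD's KAME-derived stack keeps the scope zone (the interface index
    for link-local scope) in the second 16-bit word of the in-kernel copy
    of the address.  Addresses outside fe80::/10 carry no zone, so 0.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in LINK_LOCAL:
        return 0
    return int.from_bytes(a.packed[2:4], "big")


def embed_scope(addr: str, zone_id: int) -> str:
    """in6_setscope()-style: stamp zone_id into a link-local address.

    Non-link-local addresses are returned unchanged; stamping a zone into
    an address that already carries one is refused rather than overwritten.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in LINK_LOCAL:
        return str(a)
    if not 0 < zone_id <= 0xFFFF:
        raise ValueError("zone id must be non-zero and fit in 16 bits")
    existing = embedded_zone(addr)
    if existing:
        raise ValueError(f"{addr} already carries zone {existing}")
    raw = bytearray(a.packed)
    raw[2:4] = zone_id.to_bytes(2, "big")
    return str(ipaddress.IPv6Address(bytes(raw)))


def clear_scope(addr: str) -> str:
    """in6_clearscope()-style: the on-the-wire form, zone bytes zeroed."""
    a = ipaddress.IPv6Address(addr)
    if a not in LINK_LOCAL:
        return str(a)
    raw = bytearray(a.packed)
    raw[2:4] = b"\x00\x00"
    return str(ipaddress.IPv6Address(bytes(raw)))


def fwd_target_ok(addr: str) -> bool:
    """Hypothetical stand-in for the check the dtrace probe in the mail made.

    A link-local forwarding target must carry a zone, otherwise the scope
    check on the reply path cannot tell which link it belongs to and drops
    the packet.  Global and ULA targets need no zone at all.
    """
    a = ipaddress.IPv6Address(addr)
    return a not in LINK_LOCAL or embedded_zone(addr) != 0


if __name__ == "__main__":
    # Constructed sample: the MAC-derived address from the thread, zone 2.
    wire = "fe80::215:17ff:fee9:3079"
    kernel = embed_scope(wire, 2)
    print(f"on the wire : {wire}")
    print(f"in kernel   : {kernel}  (zone {embedded_zone(kernel)})")
    print(f"cleared     : {clear_scope(kernel)}")
    for cand in (wire, kernel, "fc00::1"):
        print(f"{cand:32} usable as fwd target: {fwd_target_ok(cand)}")
```

Python's ipaddress module prints the zone-bearing form compressed, so "fe80:2:0:0:215:17ff:fee9:3079" from the mail appears as "fe80:2::215:17ff:fee9:3079"; the bytes are identical. Note that the embedded zone lives inside bytes that the fe80::/10 prefix match ignores, which is exactly why a packet with a missing zone still looks like a valid link-local address to everything except the scope check.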



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOtMX2h%2BU82k6%2BB_0QXQJXwgs2z-NyzJ28Y5MwL5k2Xp0hhLFA>