>Number:         163873
>Category:       kern
>Synopsis:       ipfw fwd does not work with 'via interface' in rule body
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 06 21:10:09 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Greg Radzykewycz
>Release:        8.2-RELEASE
>Organization:
Inland Networks
>Environment:
FreeBSD pandora.inlandnet.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0: Wed Dec 21 09:06:00 PST 2011    r...@pandora.inlandnet.com:/usr/src/sys/i386/compile/PANDORA  i386
>Description:
This PR may be related to the following PRs.
kern/129036
kern/122963

In upgrading a firewall from FreeBSD 4.11 to 8.2 there was a problem with the 
firewall not forwarding DNS queries to a DNS proxy server running on another 
box. The firewall rules were identical between 4.11 and 8.2. Sample rule 
follows.

${fwcmd} add fwd ${dnsproxy} udp from any to ${atldns1} domain in via ${iif1}

While this worked on 4.11, it did not on 8.2.

After a Google search turned up nothing pertinent, testing different variations 
of the firewall rule was done. The box was taken out of service and 
reconfigured for testing. Testing was done with TCP for simplicity.

The following worked.
ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53

With tcpdump running on 192.168.0.10, packets to 10.10.10.10 TCP port 53 were 
seen when the command "telnet 10.10.10.10 53" was run on the firewall box.

The following did not work.
ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 via em0

Interface em0 was the only interface connected and configured at the time and 
also was the default route (192.168.0.1). Any external IP traffic would pass 
through em0 regardless. Doing the same test with tcpdump running on 
192.168.0.10, packets to 10.10.10.10 TCP port 53 were not seen on 192.168.0.10 
when the command "telnet 10.10.10.10 53" was run on the firewall box.

The firewall box was reconfigured for production use. The firewall rules 
associated with proxying DNS requests were all changed to remove 'in via ${iif}' 
and the box was put back in service. Without the 'in via' in the rules, it 
functioned as expected, proxying the DNS queries.
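As an added example that is not part of this PR: a small Python lint that scans an ipfw ruleset for fwd rules which also carry a via/recv/xmit interface match, the combination reported above as not forwarding on 8.2, so such rules can be found (and the interface match stripped, as the workaround above did) before an upgrade. The sample ruleset is constructed here, modelled on the rules quoted in the description; the function names are this example's own.

```python
# Constructed sample ruleset, modelled on the rules quoted in the PR.
SAMPLE_RULES = """\
ipfw add 300 fwd 192.168.0.10 tcp from any to 10.10.10.10 53
ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 via em0
${fwcmd} add 360 fwd 192.168.0.10 udp from any to 10.10.10.10 domain in via ${iif1}
ipfw add 400 allow ip from any to any via em0
ipfw add 500 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 recv em1
"""

# Rule-body keywords whose next token is an interface name.
IFACE_KEYWORDS = ("via", "recv", "xmit")

def parse_rule(line):
    """Split an 'ipfw add' or '${fwcmd} add' line into number, action and body."""
    tokens = line.split()
    if "add" not in tokens:
        return None                      # comment, blank line, or not a rule
    idx = tokens.index("add") + 1
    number = None
    if idx < len(tokens) and tokens[idx].isdigit():   # the rule number is optional
        number = int(tokens[idx])
        idx += 1
    if idx >= len(tokens):
        return None                      # 'add' with no action
    return {"number": number, "action": tokens[idx], "body": tokens[idx + 1:]}

def interface_matches(body):
    """Return the (keyword, interface) pairs present in a rule body."""
    return [(tok, body[i + 1]) for i, tok in enumerate(body)
            if tok in IFACE_KEYWORDS and i + 1 < len(body)]

def find_affected_rules(ruleset):
    """Return the parsed fwd rules that also match on an interface."""
    rules = (parse_rule(line) for line in ruleset.splitlines())
    return [r for r in rules
            if r and r["action"] == "fwd" and interface_matches(r["body"])]

def strip_interface_match(line):
    """Return the rule with each 'via/recv/xmit IFACE' pair removed; 'in'/'out' is kept,
    so widening the direction (as the PR's workaround did) stays an operator decision."""
    out, skip = [], False
    for tok in line.split():
        if skip:                         # drop the interface name after the keyword
            skip = False
        elif tok in IFACE_KEYWORDS:
            skip = True
        else:
            out.append(tok)
    return " ".join(out)
```

Feed it the output of `ipfw list` or the rc firewall script; rules 350, 360 and 500 of the sample are flagged, rule 400 is not because its action is not fwd.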
>How-To-Repeat:
See description. The problem was consistent and repeatable.
>Fix:
Unknown.

>Release-Note:
>Audit-Trail:
>Unformatted: