At 11:25 PM 12/30/2005, Robert Collins wrote:
----- Original Message ----- From: "Glenn Dawson" <[EMAIL PROTECTED]>
To: "Robert Collins" <[EMAIL PROTECTED]>;
<freebsd-questions@freebsd.org>
Sent: Saturday, December 31, 2005 1:46 AM
Subject: Re: forwarding http requests with ipfw
At 10:34 PM 12/30/2005, Robert Collins wrote:
At 09:07 PM 12/30/2005, Robert Collins wrote:
I've got a situation where I've got an internal host using a
private ip/domainname. Let's say for the sake of this discussion
the host is privatehost.internal.freebsd.org. privatehost isn't
running a webserver. But I would like machines on the
internal.freebsd.org network to query privatehost as if it was.
When one of these machines queries privatehost I would like
privatehost to forward those requests to my webserver,
www.freebsd.org, so that it can handle the request. In order to
accomplish that I have done the following:
My kernel was compiled with these options:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
"ipfw list" looks like this:
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
10000 fwd 216.136.204.117 tcp from any to me dst-port 80
65000 allow ip from any to any
65535 deny ip from any to any
The problem I am having is that it seems the packets never leave
privatehost. tcpdump shows packets coming in destined for port
80. "ipfw show" shows that packets are matching my rule, but
tcpdump never shows any packets going out to 216.136.204.117.
tcpdump on 216.136.204.117 also shows that no packets are being
received. I did a tcpdump on lo0 just for kicks, and that didn't
show anything. It seems as if the packets are just disappearing.
Someone on #freebsdhelp suggested doing a "sysctl -w
net.inet.ip.forwarding=1" but that didn't help the situation. Is
there something minor I'm missing here...or am I totally off in
my understanding of how "ipfw fwd" works?
To quote the ipfw man page:
"The fwd action does not change the contents of the packet at
all. In particular, the destination address remains unmodified,
so packets forwarded to another system will usually be rejected
by that system unless there is a matching rule on that system to capture them."
You probably need to re-think what you are trying to do.
My understanding of this portion of the man page is that the
machine receiving the packet, in this case www.freebsd.org, needs
to be prepared to receive a packet whose destination address is not
its own. If I am correct in my interpretation then this part of
the man page is irrelevant to my problem. My question is not, why
is www.freebsd.org not receiving the packet. My question is, why
is privatehost.internal.freebsd.org not sending the packet.
What tcpdump rules are you using to look for packets leaving
"privatehost"? Same question for packets arriving at 216.136.204.117?
On both machines I tried "tcpdump -n port 80". "privatehost" says:
02:15:32.542383 IP 10.1.35.10.1732 > 10.1.35.72.80: S
2200576146:2200576146(0) win 65535 <mss 1460,nop,nop,sackOK>
There is no output for 216.136.204.117. I've also tried "tcpdump -n
host 216.136.204.117" on privatehost. That rule doesn't produce any output.
What's happening here is that since the dest address is not changed,
the packet never leaves the machine with the fwd rule.
If you want to see it, make your fwd rule look like this:
fwd 216.136.204.117 log tcp from any to me dst-port 80
then tail -f /var/log/security when you try to browse to "privatehost".
-Glenn
-rcollins
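The thread's conclusion is that an ipfw "fwd" rule to a non-local address does not rewrite the destination, so a rule matching "to me" never sends anything off the box. As an added example (not part of the thread, not FreeBSD's own tooling), here is a small POSIX sh/awk audit that reads "ipfw list" output and flags exactly that rule shape; the sample ruleset is copied from the post above, and the local address list is a constructed assumption.

```shell
# Constructed sample of "ipfw list" output, in the shape shown in the thread.
IPFW_SAMPLE='00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
10000 fwd 216.136.204.117 tcp from any to me dst-port 80
65000 allow ip from any to any
65535 deny ip from any to any'

# Constructed (hypothetical) list of the audited host's own addresses.
LOCAL_ADDRS='10.1.35.72 127.0.0.1'

# flag_nonlocal_fwd: read "ipfw list" lines on stdin; arguments are the
# host's local addresses. Prints the rule number of every "fwd" rule whose
# forward target is not a local address AND whose destination is "me".
# Such a rule matches (ipfw show counts it) but, because fwd leaves the
# destination untouched, the packet is still for this host and never leaves.
flag_nonlocal_fwd() {
    awk -v locals="$*" '
        BEGIN {
            n = split(locals, a, " ")
            for (i = 1; i <= n; i++) islocal[a[i]] = 1
        }
        $2 == "fwd" {
            target = $3
            sub(/,.*/, "", target)          # drop an optional ",port" suffix
            tome = 0
            for (i = 4; i < NF; i++)
                if ($i == "to" && $(i + 1) == "me") tome = 1
            if (tome && !(target in islocal)) print $1
        }'
}

# Usage on a live system: ipfw list | flag_nonlocal_fwd 10.1.35.72 127.0.0.1
printf '%s\n' "$IPFW_SAMPLE" | flag_nonlocal_fwd $LOCAL_ADDRS
```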
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"