RE: socket call in the kernel

2001-12-27 Thread Henry Su

Yes, it works:

[00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
12334

HTTP/1.1 302 Moved
Date: Thu, 27 Dec 2001 00:53:18  PST
Location: https://216.69.69.254/cgi-bin/login
0


Connection closed by foreign host.


I found the problem is that the ipfw forwarding does not change the dst ip
address, so my redirection socket server cannot read these
fwd packets (since the dst ip is not correct). The solution could be to change
ip_fw.c to modify the dst ip address of the forwarded packet, but I do
not know how to do it. It has next_hop for fwd. I do not know how to do
packet manipulation in ip_fw.c's chk func.

Thanks a lot.



Henry Su
NTT MCL

On Wed, 26 Dec 2001, Julian Elischer wrote:

> 
> 
> is your server binding to 216.115.102.75?
> if you telnet to 127.0.0.1 does it work?
> 
> 
> On Wed, 26 Dec 2001, Henry Su wrote:
> 
> > Thanks a lot for your help.
> > 
> > I added "log" to the rule; here's the log info. It seems it does forward or
> > divert to localhost at port 8800.
> > 
> > [18:10:13][root@test2:/var/log]$ tail -f security
> > Dec 26 17:50:34 test2 last message repeated 2 times
> > Dec 26 17:51:34 test2 last message repeated 6 times
> > Dec 26 17:51:52 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > 216.69.69.248:1037 216.115.102.75:80 in via dc2
> > Dec 26 17:51:52 test2 /kernel: ipfw: limit 10 reached on entry 65534
> > Dec 26 17:59:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > 216.69.69.248:1041 216.115.102.81:80 in via dc2
> > Dec 26 17:59:55 test2 last message repeated 7 times
> > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > 216.69.69.248:1041 216.115.102.81:80 in via dc2
> > Dec 26 18:00:45 test2 /kernel: ipfw: 65534 Forward to 127.0.0.1:8800 TCP
> > 216.69.69.248:1042 216.115.102.77:80 in via dc2
> > Dec 26 18:00:45 test2 /kernel: ipfw: limit 10 reached on entry 65534
> > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > 216.69.69.248:1048 216.115.102.82:80 in via dc2
> > Dec 26 18:11:14 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > 216.69.69.248:1048 216.115.102.82:80 in via dc2
> > Dec 26 18:12:14 test2 last message repeated 7 times
> > Dec 26 18:12:38 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > 216.69.69.248:1049 216.115.102.79:80 in via dc2
> > Dec 26 18:13:10 test2 last message repeated 7 times
> > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > 216.69.69.248:1049 216.115.102.79:80 in via dc2
> > Dec 26 18:13:44 test2 /kernel: ipfw: 65534 Divert 8800 TCP
> > 216.69.69.248:1050 216.115.102.77:80 in via dc2
> > 
> > 
> > But my redirection server at port 8800 did not receive these packets somehow. I
> > tried a telnet to the server at port 8800, and it works very well.
> > 
> > [18:16:00][henrysu@test1:~]$ telnet 216.69.69.254 8800
> > Trying 216.69.69.254...
> > Connected to dhcp254.nttmcl.com.
> > Escape character is '^]'.
> > 1234
> > 
> > HTTP/1.1 302 Moved
> > Date: Wed, 26 Dec 2001 18:15:11  PST
> > Location: https://216.69.69.254/cgi-bin/login
> > 0
> > 
> > 
> > Connection closed by foreign host.
> > 
> > 
> > Do you have any clue why the packet cannot be received at port 8800?
> > 
> > 
> > Thanks.
> > 
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Julian Elischer
> > Sent: Wednesday, December 26, 2001 4:08 PM
> > To: Henry Su
> > Cc: [EMAIL PROTECTED]
> > Subject: RE: socket call in the kernel
> > 
> > 
> > 
> > 
> > 
> > 
> > On Wed, 26 Dec 2001, Henry Su wrote:
> > 
> > > I tried your answer 1. It did not succeed.
> > >
> > > I have a rule to do forwarding:
> > >
> > > 65534     0     0 fwd 127.0.0.1,8800 tcp from any to any 80
> > >
> > > and I have a server listening on port 8800 at local host.
> > >
> > > I also modified the ip_fw.c to log forwarding packet:
> > >
> > > Dec 26 13:33:09 yarn /kernel: Forward packet: src_port:2414
> > > src_ip:-62569000 dst_port:80 dst_ip:1298559960
> > > Dec 26 13:33:15 yarn /kernel: Forward packet: src_port:2414
> > > src_ip:-62569000 dst_port:80 dst_ip:1298559960
> > 
> > why not just add a log entry to the rule?
> > also your rule should be a lot more specific about where the packets
> > should be coming from,
> > 
> > e.g. recv in fxp0
> > (or similar)
> > 
> > what do you get if you telnet to 80 and telnet to 8800?
> > they should act the same.
> > 
> > ipfw add 65534 fwd 127.0.0.1,8800 log from any to me 80 in recv fxp0
> > 
> > 
> > 
> > >
> > >
> > > My redirect server on port 8800 works perfectly, I tried telnet, http etc on
> > > 8800, it all works. I run my server @ port 8800 in debug mode, and it did not
> > > receive any forwarded packet from ipfirewall.
> > 
> > how are you forwarding the packet?
> > 
> > >
> > > I am running 4.5 prerelease, with ipfw and bridge; the bridge code had a
> > > problem earlier, which I manually fixed according to the message from the group.
> > >
> > > Tha

Re: socket call in the kernel

2001-12-27 Thread Crist J . Clark

On Thu, Dec 27, 2001 at 01:04:25AM -0800, Henry Su wrote:
> Yes, it works:
> 
> [00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 12334
> 
> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18  PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
> 
> 
> Connection closed by foreign host.
> 
> 
> I found the problem is that the ipfw forwarding does not change the dst ip
> address, so my redirection socket server cannot read these
> fwd packets (since the dst ip is not correct). The solution could be to change
> ip_fw.c to modify the dst ip address of the forwarded packet, but I do
> not know how to do it. It has next_hop for fwd. I do not know how to do
> packet manipulation in ip_fw.c's chk func.

That's what I figured your problem was, but I never got around to
asking for you to check it.

'fwd' rules _deliberately_ do not actually modify any data in the
packet. You are looking for something more like NAT. natd(8) may be
overkill for your needs. There are other, more lightweight TCP
forwarders in the ports collection.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message



Re: jail & ftp

2001-12-27 Thread Crist J . Clark

On Wed, Dec 26, 2001 at 11:11:06PM -0500, alexus wrote:
> Hello
> 
> I'm not quite sure if I'm posting to the right list but I'll try anyway, all
> right here it goes..
> 
> I have set up a jail and inside of this jail I run ftp (proftpd). Using ipf I
> was able to forward all traffic for port 21 and 20 to my jail cell, however
> it only works if the person uses PORT mode instead of PASV mode, and many people
> prefer/use PASV mode.
> 
> here is the question:
> 
> does anyone know, or is it even possible, to make it work in PASV mode
> instead of PORT?

Sure. Why are you using ipf(8) (well, I guess ipnat(8) actually) to
forward connections to the jail? Why don't you give the jail the IP
address that people are trying to connect to? This makes the NAT games
unnecessary.
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]




Re: socket call in the kernel

2001-12-27 Thread Julian Elischer

yes, but there is no need to 
change the packet..
fwd will do exactly what he wants as soon as I can get the 
network topology worked out :-)




RE: socket call in the kernel

2001-12-27 Thread Julian Elischer



On Thu, 27 Dec 2001, Henry Su wrote:

> Yes, it works:
> 
> [00:52:58][root@test2:~]$ telnet 127.0.0.1 8800
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> 12334
> 
> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18  PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
> 
> 
> Connection closed by foreign host.
> 
> 
> I found the problem is that the ipfw forwarding does not change the dst ip
> address, so my redirection socket server cannot read these
> fwd packets (since the dst ip is not correct). The solution could be to change
> ip_fw.c to modify the dst ip address of the forwarded packet, but I do
> not know how to do it. It has next_hop for fwd. I do not know how to do
> packet manipulation in ip_fw.c's chk func.

You don't need to change the dest addr in the proxy server..
that's what fwd does, it FORCES the local socket to accept a packet to a
foreign address. (believe it or not)

I have a small patch that may help, 
but first, please draw your setup...
which rules do you have on which machines?

I've done this many times
if it's not working it's because I do not understand your network
correctly

if on the server, you telnet to port 80 of the address in the
forward rule in the ipfw list on your server
(you need to have rules on both machines obviously)
you should see your telnet redirected to port 8800 of the local machine,
even if the address in the rule set is not a local address.

please draw your network and I will give you a set of rules that work.

julian


RE: socket call in the kernel

2001-12-27 Thread Henry Su

Thanks a lot Julian. Please let me know if you need more info.


My goal is to use test2 as an authentication server: when an http request passes
through the test2 box, test2 will redirect it to an authentication url on itself.

 _____                        __________________
|     |    crossover cable    |                  |
|test1|---------------------->| test2(ipfw,proxy)|-->router->Internet
|_____|                       |__________________|


test2 has ipfw and a proxy server for redirection. It is configured as a
bridge; one interface has an ip address, one interface does not, and the
latter is the one test1 is connected to.


The rule for forwarding is:

#Forward no valid http packet to local authentication
${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80



For example, here are 2 cases: one works, one failed.

Failed case: from test1, "telnet www.yahoo.com 80"; from the test2 ipfw log
you can see the packet is forwarded (e.g. "Dec 27 00:34:25 test2 /kernel:
ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
129.219.10.10:80 in via dc2"),
but the proxy server on test2 seems not to have got the forwarded packet.

Worked case: from test1, "telnet test2 80", it just works. The proxy server
got the packet and sent a redirection message to test1: "
> HTTP/1.1 302 Moved
> Date: Thu, 27 Dec 2001 00:53:18  PST
> Location: https://216.69.69.254/cgi-bin/login
> 0
>
>
> Connection closed by foreign host.
"

My guess is:

The proxy socket server can only listen for packets whose dst ip address
matches its own ip address. The proxy server is written by myself; it's a java
socket server, and when it receives any packet at port 8800, it sends back some
http redirection information.








Re: FXP Bundling on a STL2

2001-12-27 Thread Jonathan Lemon

In article  you write:
>I noticed that the FXP built in to my STL2 motherboards seems to have no
>difference on 4.5-PRERELEASE whether bundling is on or off, but an external
>FXP PCI card does begin to have a difference when receiving ~1000 pps (about
>half the interrupts).
>Does the STL2 FXP not support bundling?

Check /var/log/messages.  If there is a line that says "Microcode loaded...",
then the board is successfully running the new microcode, otherwise your
variant is not supported.  (either no ucode, or hardware doesn't support it)
-- 
Jonathan




Re: FXP Bundling on a STL2

2001-12-27 Thread Phil Rosenthal

dmesg says:
fxp0: Microcode loaded, int_delay: 1000 usec  bundle_max: 6
fxp1: Microcode loaded, int_delay: 1000 usec  bundle_max: 6
But it only appears to do anything on the fxp1 (the external one)

From systat -vm:
~3000 interrupts
~500 interrupts

from netstat -I fxp0 -in 1:
input ~3000 packets per second

from netstat -I fxp1 -in 1:
input ~1700 packets per second

--Phil



RE: socket call in the kernel

2001-12-27 Thread Julian Elischer



On Thu, 27 Dec 2001, Henry Su wrote:

> Thanks a lot Julian. Please let me know if u need more info.
> 
> 
> My goal is to use test2 as an authentication server: when an http request passes
> through the test2 box, test2 will redirect it to an authentication url on itself.
> 
>  _____                        __________________
> |     |    crossover cable    |                  |
> |test1|---------------------->| test2(ipfw,proxy)|-->router->Internet
> |_____|                       |__________________|
  X.1.1.3                          X.1.1.2


> 
> 
> test2 has ipfw and a proxy server for redirection. It is configured as a
> bridge; one interface has an ip address, one interface does not, and the
> latter is the one test1 is connected to.

Assume dc1 on the router side of test2
and dc2 on the crossover side of test2
is the router doing nat?
is X.x.x.x. a routable address?
I presume that X.1.1.3 AND X.1.1.2 are on the same logical net.
Are they both routable addresses?

firstly, bridging is a new factor. you didn't mention that before..
I am not sure how bridging will interact with everything else.

What does netstat -aA show on test2? Is the server bound to an address?
i.e. do you bind() the server to a particular address?
if so which?

Why are you bridging?

do you want people on test1 to authenticate, or people coming in from the 
internet? (you need to specify what you want to redirect..)


> 
> 
> The rule for forwarding is:
> 
> #Forward no valid http packet to local authentication
> ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
> 
> 
> 
> For example, here's 2 cases, one works, one failed.
> 
> Failed case: from test1, "telnet www.yahoo.com 80"; from the test2 ipfw log
> you can see the packet is forwarded (e.g. "Dec 27 00:34:25 test2 /kernel:
> ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> 129.219.10.10:80 in via dc2"),
> but the proxy server on test2 seems not to have got the forwarded packet.
> 
> Worked case: from test1, "telnet test2 80", it just works. The proxy server
> got the packet and sent a redirection message to test1: "

I wonder if someone has broken fwd?
if you do the following:
on test2, telnet localhost 80
and
telnet www.freebsd.org 80

what happens?

> 
> My guess is:
> 
> The proxy socket server can only listen for packets whose dst ip address
> matches its own ip address. The proxy server is written by myself; it's a java
> socket server, and when it receives any packet at port 8800, it sends back some
> http redirection information.
> 

No the address that the server will be matched against is the 
address in the fwd rule, and not the address in the packet.

roughly it does:

tempaddr = address_from_packet
if (ipfw matches a fwd rule)
    tempaddr = address_in_rule
find socket that matches tempaddr.

It could be that the bridging is somehow confusing the forwarding..





RE: socket call in the kernel

2001-12-27 Thread Henry Su



Henry Su
NTT MCL

On Thu, 27 Dec 2001, Julian Elischer wrote:

> 
> 
> 
> 
> On Thu, 27 Dec 2001, Henry Su wrote:
> 
> > Thanks a lot Julian. Please let me know if u need more info.
> > 
> > 
> > My goal is to use test2 as an authentication server: when an http request passes
> > through the test2 box, test2 will redirect it to an authentication url on itself.
> > 
> >  _____                        __________________
> > |     |    crossover cable    |                  |
> > |test1|---------------------->| test2(ipfw,proxy)|-->router->Internet
> > |_____|                       |__________________|
>   X.1.1.3                          X.1.1.2
> 
> 
> > 
> > 
> > test2 has ipfw and a proxy server for redirection. It is configured as a
> > bridge; one interface has an ip address, one interface does not, and the
> > latter is the one test1 is connected to.
> 
> Assume dc1 on the router side of test2
> and dc2 on the crossover side of test2

That's a good one.

> is the router doing nat?
No.

> is X.x.x.x. a routable address?
Yes

> I presume that X.1.1.3 AND X.1.1.2 are on the same logical net.
> Are they both routable addresses?
> 
Yes

> firstly, bridging is a new factor. you didn't mention that before..
> I am not sure how bridging will interact with everything else.
> 
> What does netstat -aA show on test2? Is the server bound to an address?
> i.e. do you bind() the server to a particular address?
> if so which?
> 
> Why are you bridging?
> 

Because a gateway needs an ip on each interface, and we do not want that. We
want to assign only 1 ip to test2.


> do you want people on test1 to authenticate, or people coming in from the 
> internet? (you need to specify what you want to redirect..)
> 
People on test1. Assume test2 is the access control server and test1 is a client
that wants to get access.


> 
> > 
> > 
> > The rule for forwarding is:
> > 
> > #Forward no valid http packet to local authentication
> > ${fwcmd} add 65534 fwd localhost,8800 log tcp from any to any 80
> > 
> > 
> > 
> > For example, here's 2 cases, one works, one failed.
> > 
> > Failed case: from test1, "telnet www.yahoo.com 80"; from the test2 ipfw log
> > you can see the packet is forwarded (e.g. "Dec 27 00:34:25 test2 /kernel:
> > ipfw: 65534 Forward to 127.0.0.1:8800 TCP 216.69.69.248:1101
> > 129.219.10.10:80 in via dc2"),
> > but the proxy server on test2 seems not to have got the forwarded packet.
> > 
> > Worked case: from test1, "telnet test2 80", it just works. The proxy server
> > got the packet and sent a redirection message to test1: "
> 
> I wonder if someone has broken fwd?
> if you do the following:
> on test2, telnet localhost 80
> and
> telnet www.freebsd.org 80
> 
> what happens?
> 


[16:14:38][root@test2:~]$ telnet localhost 80
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
telnet: Unable to connect to remote host
[16:14:41][root@test2:~]$ telnet www.freebsd.org 80
Trying 216.136.204.21...
Connected to freefall.freebsd.org.
Escape character is '^]'.
123


501 Method Not Implemented

Method Not Implemented
123 to /index.html not supported.
Invalid method in request 123

Apache/1.3.x Gualala Server at www.freebsd.org Port 80

Connection closed by foreign host.



> > 
> > My guess is:
> > 
> > The proxy socket server can only listen for packets whose dst ip address
> > matches its own ip address. The proxy server is written by myself; it's a java
> > socket server, and when it receives any packet at port 8800, it sends back some
> > http redirection information.
> > 
> 
> No the address that the server will be matched against is the 
> address in the fwd rule, and not the address in the packet.
> 
> roughly it does:
> 
> tempaddr = address_from_packet
> if (ipfw matches a fwd rule)
>   tempaddr = address_in_rule
> find socket that matches tempaddr.
> 
> It could be that the bridging is somehow confusing the forwarding..
> 


That's right. Does a socket server care about a packet's dst ip? If a
packet's dst ip does not match, will the proxy server drop it?


Thanks.









RE: socket call in the kernel

2001-12-27 Thread Henry Su

Hi, Julian:


Here's all the rules that I am using:

[17:13:59][root@test2:~]$ ipfw show
00100     0     0 allow ip from any to any via lo0
00200     0     0 deny ip from any to 127.0.0.0/8
00300     0     0 deny ip from 127.0.0.0/8 to any
00400     0     0 allow udp from 0.0.0.0 2054 to 0.0.0.0
00500  1159 71707 allow ip from any to 216.69.69.254
00600   946 72546 allow ip from 216.69.69.254 to any
00700     0     0 allow udp from any 67 to any 68
00800    16  4416 allow udp from any 68 to any 67
00900    20  1229 allow udp from any to 216.69.68.197 53
00910    20  4695 allow udp from 216.69.68.197 53 to any
65533    39  2034 fwd 127.0.0.1,8800 log logamount 100 tcp from any to any 80
65535   393 35800 deny ip from any to any






Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?

2001-12-27 Thread Henry Su


http://www.unixguide.net/freebsd/faq/09.20.shtml

Is there a way to configure your machine not to drop these packets?





RE: socket call in the kernel

2001-12-27 Thread Julian Elischer

put the forward rule as rule 50 and see what happens.


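The socket-lookup step Julian describes earlier in the thread ("tempaddr = address_from_packet; if a fwd rule matched, tempaddr = address_in_rule") and the rule-order question behind his "put the forward rule as rule 50" suggestion, as an added Python model that is not code from the thread or from FreeBSD: it walks Henry's posted `ipfw show` ruleset against two constructed packets and reports which rule fires and which address the kernel would use to find the listening socket. It assumes rules match only on protocol, addresses, ports and the `via` interface; everything else real ipfw can match on is ignored.

```python
# Added example, not code from the thread or from FreeBSD: a small model of
# ipfw's first-match rule walk and of the "fwd" socket-lookup step Julian
# describes. Real ipfw matches on much more (flags, fragments, uid, ...).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    iface: str       # interface the packet came in on, e.g. "dc2"


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                                  # "allow", "deny" or "fwd"
    proto: str                                   # "ip" matches any protocol
    src: str = "any"                             # "any", a host or a CIDR
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None                    # "via lo0" style qualifier
    next_hop: Optional[Tuple[str, int]] = None   # fwd target (addr, port)


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or ip_address(addr) in ip_network(pattern, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Unspecified rule fields are wildcards, as in ipfw."""
    return (
        rule.proto in ("ip", pkt.proto)
        and _addr_match(rule.src, pkt.src)
        and _addr_match(rule.dst, pkt.dst)
        and (rule.sport is None or rule.sport == pkt.sport)
        and (rule.dport is None or rule.dport == pkt.dport)
        and (rule.via is None or rule.via == pkt.iface)
    )


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """ipfw walks the rules in numeric order; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt):
            return rule
    return None


def socket_lookup_addr(rules: List[Rule], pkt: Packet) -> Tuple[str, Tuple[str, int]]:
    """Return (action, address used to find the local socket).

    The packet itself is left unchanged; when a fwd rule matched, the
    socket lookup uses the rule's address instead of the packet's dst.
    """
    tempaddr = (pkt.dst, pkt.dport)             # tempaddr = address_from_packet
    rule = first_match(rules, pkt)
    action = rule.action if rule else "deny"    # implicit default deny
    if action == "fwd":
        tempaddr = rule.next_hop                # tempaddr = address_in_rule
    return action, tempaddr


def henry_ruleset(fwd_number: int) -> List[Rule]:
    """Henry's posted `ipfw show` ruleset with the fwd rule placed at
    fwd_number: 65533 as posted, or 50 as Julian suggested."""
    return [
        Rule(100, "allow", "ip", via="lo0"),
        Rule(200, "deny", "ip", dst="127.0.0.0/8"),
        Rule(300, "deny", "ip", src="127.0.0.0/8"),
        Rule(400, "allow", "udp", src="0.0.0.0", sport=2054, dst="0.0.0.0"),
        Rule(500, "allow", "ip", dst="216.69.69.254"),
        Rule(600, "allow", "ip", src="216.69.69.254"),
        Rule(700, "allow", "udp", sport=67, dport=68),
        Rule(800, "allow", "udp", sport=68, dport=67),
        Rule(900, "allow", "udp", dst="216.69.68.197", dport=53),
        Rule(910, "allow", "udp", src="216.69.68.197", sport=53),
        Rule(fwd_number, "fwd", "tcp", dport=80, next_hop=("127.0.0.1", 8800)),
        Rule(65535, "deny", "ip"),
    ]


# Constructed packets from test1 (216.69.69.248), in via dc2: one to test2:80
# (Henry's "worked" case) and one to a remote web server (the "failed" case).
TO_TEST2 = Packet("tcp", "216.69.69.248", 1101, "216.69.69.254", 80, "dc2")
TO_REMOTE = Packet("tcp", "216.69.69.248", 1101, "129.219.10.10", 80, "dc2")
```

With the fwd rule at 65533 the model has traffic addressed to test2 itself caught by rule 500 (allow) before it ever reaches the fwd rule, while traffic to a remote port 80 is forwarded to 127.0.0.1:8800; with the fwd rule moved to 50, both packets are forwarded, which is the effect of the reordering Julian asks for.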



RE: socket call in the kernel

2001-12-27 Thread Henry Su

Same thing, it only works for telnetting to test2:80 for test1.




Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?

2001-12-27 Thread Julian Elischer

I have  a patch that fixes that





dummynet for IPv6?

2001-12-27 Thread Guangrui Fu

Hi All,

Is there any implementation for ipv6 based dummynet?

Another related question: I'm using dummynet for bandwidth control. I want
the bandwidth control to be applied to all ethernet packets (ip/icmp v4/v6).
If dummynet is ipv6-unaware, how can I achieve this? Could anyone please
give some suggestions?

Regards,
G.





Re: Why is my ipfw(8) ``fwd'' rule to redirect a service to another machine not working?

2001-12-27 Thread Crist J . Clark

On Thu, Dec 27, 2001 at 05:42:16PM -0800, Henry Su wrote:
> 
> http://www.unixguide.net/freebsd/faq/09.20.shtml
> 
> Is there a way to configure your machine not to drop these packets?

I wrote that FAQ entry for people directing packets to another
machine. When you are forwarding the packets to 127.0.0.1, the local
machine, it is not an issue. The packets will be "accepted" by the
system. (But that doesn't mean the application will behave well.)
-- 
"It's always funny until someone gets hurt. Then it's hilarious."

Crist J. Clark | [EMAIL PROTECTED]
   | [EMAIL PROTECTED]
http://people.freebsd.org/~cjc/| [EMAIL PROTECTED]
