problem with fwd rule

Crist J. Clark cristjc at comcast.net
Fri Nov 21 13:22:06 PST 2003


On Tue, Nov 18, 2003 at 09:06:33PM -0500, Mathieu Vaillancourt wrote:
[snip]

> more specifically, using 'fwd' on incoming packets from the internal
> networks, with a rule like:
> 
> fwd ISP2_GATEWAY ip from INTERNAL_IP_X to any in via INTERNAL_IF
> 
> and after that hoping to catch the packet again on the external
> interface to divert it to natd.
> 
> what happens is that the packet goes through the fwd rule, and never
> comes back to the firewall, so ISP2_GATEWAY receives a packet with an
> internal (private) return address.
> 
> in the above discussion the author seemed to say that the forwarding
> of incoming packets was just included recently (in 2002).
> does anyone know if i have to set up a sysctl for that or some compile
> options?

'fwd'ed packets do not go through ipfw(8) processing on the way
out. Look in ip_output.c,

	/*
	 * Check with the firewall...
	 * but not if we are already being fwd'd from a firewall.
	 */
	if (fw_enable && IPFW_LOADED && !args.next_hop) {

The args.next_hop variable is non-NULL for a 'fwd'ed packet.

You can 'fwd' incoming packets now, but you can think of that as being
pretty much the end of the story; 'fwd'ed packets head straight out of
the system without further IP hacks.

You'll have to rewrite your ruleset so that the 'fwd' happens after
the packets go to natd(8).
-- 
Crist J. Clark                     |     cjclark at alum.mit.edu
                                   |     cjclark at jhu.edu
http://people.freebsd.org/~cjc/    |     cjc at freebsd.org