kern/163873: ipfw fwd does not work with 'via interface' in
rule body
Коньков Евгений
kes-kes at yandex.ru
Fri Jan 6 21:30:13 UTC 2012
The following reply was made to PR kern/163873; it has been noted by GNATS.
From: =?windows-1251?B?yu7t/Oru4iDF4uPl7ejp?= <kes-kes at yandex.ru>
To: Greg Radzykewycz <fbsdpr at inlandnet.com>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: kern/163873: ipfw fwd does not work with 'via interface' in rule body
Date: Fri, 6 Jan 2012 23:25:27 +0200
Çäðàâñòâóéòå, Greg.
Âû ïèñàëè 6 ÿíâàðÿ 2012 ã., 23:07:40:
>>Number: 163873
>>Category: kern
>>Synopsis: ipfw fwd does not work with 'via interface' in rule body
>>Confidential: no
>>Severity: non-critical
>>Priority: low
>>Responsible: freebsd-bugs
>>State: open
>>Quarter:
>>Keywords:
>>Date-Required:
>>Class: sw-bug
>>Submitter-Id: current-users
>>Arrival-Date: Fri Jan 06 21:10:09 UTC 2012
>>Closed-Date:
>>Last-Modified:
>>Originator: Greg Radzykewycz
>>Release: 8.2-RELEASE
>>Organization:
GR> Inland Networks
>>Environment:
GR> FreeBSD pandora.inlandnet.com 8.2-RELEASE FreeBSD 8.2-RELEASE #0:
GR> Wed Dec 21 09:06:00 PST 2011
GR> root at pandora.inlandnet.com:/usr/src/sys/i386/compile/PANDORA i386
>>Description:
GR> This PR may be related to the following PRs.
GR> kern/129036
GR> kern/122963
GR> In upgrading a firewall from FreeBSD 4.11 to 8.2 there was a
GR> problem with the firewall not forwarding DNS queries to a DNS
GR> proxy server running on another box. The firewall rules were
GR> identical between 4.11 and 8.2. Sample rule follows.
GR> ${fwcmd} add fwd ${dnsproxy} udp from any to ${atldns1} domain in via ${iif1}
try to add before your rule this one:
${fwcmd} add log fwd ${dnsproxy} udp from any to ${atldns1} domain
and see /var/log/security to obtain how kernel see that packet
Also notice that when you receive 'via rl0' and you try to fwd to
address that is reachable on rl3 the packet will have state 'out xmit rl3'
and not 'via rl0', as you expect, maybe.
GR> While this worked on 4.11, it did not on 8.2.
GR> After a Google search turned up nothing pertinent, testing
GR> different variations of the firewall rule was done. The box was
GR> taken out of service and reconfigured for testing. Testing was done with TCP for simplicity.
GR> The following worked.
GR> ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53
GR> With tcpdump running on 192.168.0.10, packets to 10.10.10.10 TCP
GR> port 53 were seen when the command "telnet 10.10.10.10 53" was run on the firewall box.
GR> The following did not work.
GR> ipfw add 350 fwd 192.168.0.10 tcp from any to 10.10.10.10 53 via em0
GR> Interface em0 was the only interface connected and configured at
GR> the time and also was the default route (192.168.0.1). Any
GR> external IP traffic would pass through em0 regardless. Doing the
GR> same test with tcpdump running on 192.168.0.10, packets to
GR> 10.10.10.10 TCP port 53 were not seen on 192.168.0.10 when the
GR> command "telnet 10.10.10.10 53" was run on the firewall box.
GR> The firewall box was reconfigured for production use. The
GR> firewall rules associated with proxying DNS requess were all
GR> changed to remove 'in via ${iif}' and the box was put back in
GR> service. Without the 'in via' in the rules, it functioned as
GR> expected proxying the DNS queries.
>>How-To-Repeat:
GR> See description. The problem was consistent and repeatable.
>>Fix:
GR> Unknown.
>>Release-Note:
>>Audit-Trail:
>>Unformatted:
GR> _______________________________________________
GR> freebsd-bugs at freebsd.org mailing list
GR> http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
GR> To unsubscribe, send any mail to
GR> "freebsd-bugs-unsubscribe at freebsd.org"
--
Ñ óâàæåíèåì,
Êîíüêîâ mailto:kes-kes at yandex.ru
More information about the freebsd-ipfw
mailing list