ipfw fwd sends to port but also through gateway

Adonis Peralta donileo at gmail.com
Wed May 25 18:03:35 UTC 2016


Hi all,

I am noticing something weird with regard to ipfw forwarding when I am attempting to set up squid web proxying.

Here is the info:

ipfw rule: ipfw -q add fwd 127.0.0.1,8080 tcp from 192.168.1.0/24{1-5,7-254} to any dst-port 80 in via igb0   // I exclude the server's IP 192.168.1.6 here to prevent a loop
Squid Proxy: running on localhost (127.0.0.1) port 8080.
Freebsd box ip: 192.168.1.6
Router box: 192.168.1.1

Essentially, when any IP (not my FreeBSD IP) makes a request to port 80, my router will route that IP using policy-based routing to my FreeBSD box. Then the ipfw fwd rule above sends that traffic over to my squid proxy port. This is working fine and the fwd rule above does definitely match.
However, the issue I'm seeing is that ipfw fwd not only sends the packet out to the squid proxy but ALSO sends it out to the original destination, causing all sorts of issues for my client because it messes up the TCP flow/handshaking.

To be more clear, what I see is: when client 192.168.1.3 makes a request on port 80, my FreeBSD box receives it, then forwards it to squid but also sends it out to the original destination, so for every packet coming to port 80 I see two going out.

To debug this problem a bit further I stopped squid and set up "nc -l 8080" to catch incoming requests via the fwd.

Doing a tcpdump I see:

192.168.1.3.57653 > s3-us-west-1.amazonaws.com.http: Flags [S], cksum 0x9385 (correct), seq 1939422713, win 65535, options [mss 1460,nop,wscale 5,nop,nop,TS val 1149232947 ecr 0,sackOK,eol], length 0
13:14:16.209753 IP (tos 0x0, ttl 64, id 10951, offset 0, flags [DF], proto TCP (6), length 60)
    s3-us-west-1.amazonaws.com.http > 192.168.1.3.57653: Flags [S.], cksum 0xe4da (incorrect -> 0x8343), seq 3934654233, ack 1939422714, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1794161828 ecr 1149232947], length 0

Netcat catches the HTTP GET request (I can see it in netcat's console), but the above tcpdump definitely tells me that the request was also sent to AWS itself; this is implied by the fact that AWS responded back to the original IP (192.168.1.3).

When I have squid running I see the same thing in the above tcpdump, but also communication between my FreeBSD box IP 192.168.1.6 and the requested HTTP site.

Why is this happening? Is this a bug?

-Adonis
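An added example, not part of the original post or of ipfw itself: it parses the 'addr/masklen{list}' set notation used in the fwd rule above and evaluates which packets the rule would redirect, so the loop exclusion of the proxy host (192.168.1.6) can be checked before the rule is loaded. The rule text and addresses come from the post; the matcher is a simplified model of ipfw's matching, and the function names are this example's own.

```python
import ipaddress
import re

# Added example, not from the original post: model the ipfw fwd rule above
# and check its source-address set. The rule fields come from the post; the
# matching logic is a simplified model, not ipfw code.
PROXY_HOST = "192.168.1.6"   # the FreeBSD box running squid

def parse_addr_set(spec):
    """Expand ipfw's 'base/masklen{n,m-k,...}' into a set of IPv4 addresses.
    The numbers are host offsets within the base network, so
    192.168.1.0/24{1-5,7-254} means .1-.5 and .7-.254 (everything but .6)."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+\.\d+)/(\d+)\{([\d,\-]+)\}", spec.strip())
    if not m:
        raise ValueError(f"not an ipfw address set: {spec!r}")
    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    hosts = set()
    for item in m.group(3).split(","):
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 <= lo <= hi < net.num_addresses:
            raise ValueError(f"offset range {item} outside {net}")
        hosts.update(net.network_address + off for off in range(lo, hi + 1))
    return hosts

def parse_fwd_rule(rule):
    """Pull the match fields out of a rule shaped like the poster's:
    'fwd TARGET PROTO from SET to any dst-port PORT in|out via IFACE'."""
    pattern = r"fwd (\S+) (\w+) from (\S+) to any dst-port (\d+) (in|out) via (\w+)"
    m = re.fullmatch(pattern, rule.strip())
    if not m:
        raise ValueError(f"unsupported rule shape: {rule!r}")
    target, proto, src_set, port, direction, iface = m.groups()
    return {"target": target, "proto": proto, "src": parse_addr_set(src_set),
            "dst_port": int(port), "dir": direction, "via": iface}

def rule_action(rule, src_ip, dst_port, direction, iface, proto="tcp"):
    """Return the fwd target if a packet matches the rule, else None."""
    r = parse_fwd_rule(rule)
    if (proto == r["proto"] and ipaddress.ip_address(src_ip) in r["src"]
            and dst_port == r["dst_port"] and direction == r["dir"]
            and iface == r["via"]):
        return r["target"]
    return None

def proxy_host_excluded(rule, proxy_host=PROXY_HOST):
    """Loop check: the proxy's own outbound fetches must never match the rule."""
    return ipaddress.ip_address(proxy_host) not in parse_fwd_rule(rule)["src"]

RULE = "fwd 127.0.0.1,8080 tcp from 192.168.1.0/24{1-5,7-254} to any dst-port 80 in via igb0"

if __name__ == "__main__":
    print(rule_action(RULE, "192.168.1.3", 80, "in", "igb0"))  # 127.0.0.1,8080
    print(rule_action(RULE, "192.168.1.6", 80, "in", "igb0"))  # None: .6 is excluded
    print(proxy_host_excluded(RULE))                           # True
```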

