Firewall redirect doesn't work any more...
Roman Kurakin
rik at inse.ru
Sun Sep 21 21:12:30 UTC 2008
Pawel Jakub Dawidek wrote:
> ...or am I missing something?
>
> I've a box running:
>
> FreeBSD whiplash.wheel.pl 7.0-STABLE FreeBSD 7.0-STABLE #0: Wed Jul 23 11:41:31 CEST 2008 root at puppet.wheel.pl:/usr/obj/usr/src/sys/WHIPLASH i386
>
> I'm also running PF in there with the following rule:
>
> rdr on fxp0 proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88
>
> When I connect from 10.0.1.9 to 10.0.0.2:88 I can see redirected packet
> leaving the box:
>
> IP 10.0.1.9.43210 > 10.0.0.2.88: S [...]
> IP 10.0.1.9.43210 > 10.0.5.123.88: S [...]
>
> Ok. Now I've a box running:
>
> FreeBSD bridge.wheel.pl 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #1: Thu Sep 11 13:59:06 CEST 2008 root at bridge.wheel.pl:/usr/obj/usr/src/sys/BRIDGE i386
>
> And the following PF rule:
>
> rdr on fxp0 proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88
>
> When I connect from 10.0.0.2 to 10.0.5.123:88 I no longer see redirected
> packet leaving the box:
>
> IP 10.0.0.2.60806 > 10.0.5.123.88: S [...]
>
> I tried to redirect packet on the second box with IPFW, but also failed
> (yes IPFIREWALL_FORWARD was compiled in).
>
> Did something get broken, or am I missing some configuration hint?
>
Could it be that the box you are trying to connect from is 10.0.0.2?
If this is the case, then the problem is that the rdr rule works only for
packets which hit the interface from outside, i.e. the interface on which the
rule is set should be the incoming one for the packets, not the outgoing one.
rik
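To make the point above concrete, here is a pf.conf fragment (an added illustration, not configuration from either poster) for a FreeBSD 7.x router with two interfaces. The interface names and which network sits behind each one are assumptions; the addresses are the ones from the thread. It shows the rdr rule attached to the interface the client's packets enter through, the matching pass rules, and, commented out, the rule shape that cannot match a locally originated connection.

```pf
# Added example (not from the thread). Interface names and the placement of
# the networks behind them are assumptions for this illustration.
int_if = "fxp0"   # assumed: 10.0.1.0/24, where client 10.0.1.9 lives
ext_if = "fxp1"   # assumed: 10.0.5.0/24, where the real server 10.0.5.123 lives

# rdr rules are evaluated on packets entering the named interface, so the
# rule must sit on the interface the client's packets arrive through.
rdr on $int_if proto tcp from 10.0.1.9 to 10.0.0.2 port 88 -> 10.0.5.123 port 88

# Filter rules see the packet after translation, so the pass rule has to
# match the translated destination (10.0.5.123), not the original one.
pass in on $int_if proto tcp from 10.0.1.9 to 10.0.5.123 port 88 keep state
pass out on $ext_if proto tcp from 10.0.1.9 to 10.0.5.123 port 88 keep state

# What does not work: a rule attached to the interface that a connection
# generated on this box leaves through. The packet never enters $int_if, so
# pf never consults this rdr for it and the SYN leaves unchanged.
# rdr on $int_if proto tcp from 10.0.0.2 to 10.0.5.123 port 88 -> 10.0.1.9 port 88
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, confirm the translation rule is active with `pfctl -s nat`, and verify the effect the same way the original post did: a `tcpdump -ni fxp1 tcp port 88` on the outgoing interface should show the SYN addressed to 10.0.5.123, and `pfctl -s state` should list the state with its translated address.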