pf: redirect a packet's port but not its address?
Alan Somers
asomers at freebsd.org
Tue Jan 23 21:01:10 UTC 2018
On Tue, Jan 23, 2018 at 11:41 AM, Eugene Grosbein <eugen at grosbein.net>
wrote:
> 24.01.2018 1:26, Alan Somers wrote:
>
> >> # ipfw add fwd ::1,5678 tcp from any to any 4000
> >> # nc -6 -l ::1 5678
> >>
> >> And from another host tried:
> >> # telnet -6 fc00::1 4000
> >>
> >> And this works.
> >>
> >
> > This does not work for me. When I try, tcpdump shows that the host running
> > ipfw returns an RST packet when it receives a SYN for port 4000. That
> > sounds like the fwd rule isn't working. And it's probably not working
> > because I'm a total ipfw n00b. Is there anything else I need to configure
> > in ipfw first? My rc.conf file looks like:
> >
> > firewall_enable="YES"
> > firewall_type="open"
>
> ipfw rules are always numbered, and while ipfw allows you to not specify a
> rule number when adding, it is wise to always specify it, or else it adds
> rules to the end of the list, and that is not what you want when dealing
> with the pre-defined "open" ruleset.
>
> In short, use "ipfw add 2000 fwd ::1,5678 tcp from any to any 4000"
> Use "ipfw show" to check it out before and after running this command
Thanks. It works now, at least for global addresses. But the fwd rule
does not work for link-local addresses. When I try, the ACK packet gets
dropped because it violates IPv6 scope rules. A custom dtrace probe shows
that ipfw is apparently not setting the embedded scope identifier on the
forwarded packet. The address should be "fe80:2:0:0:215:17ff:fee9:3079"
but it's actually "fe80:0:0:0:215:17ff:fee9:3079". This is similar to the
problems I ran into with pf. In fact, I never did get pf working with
link-local addresses either.
-Alan
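The scope-id convention behind the addresses Alan quotes, as an added illustration that is not part of the thread: FreeBSD's KAME-derived stack keeps the scope zone (the interface index) in the second 16-bit word of a link-local address while the packet is inside the kernel, and strips it again before the packet reaches the wire, so a forwarded packet that never had the zone embedded is what the scope check rejects. The helper names, the Python implementation and zone id 2 (the interface index behind the quoted "fe80:2:..." form) are assumptions, not anything from the thread.

```python
from __future__ import annotations
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def embed_scope(addr: str, zone_id: int) -> str:
    """Return the in-kernel form of a link-local address: the scope zone
    (interface index on FreeBSD) written into the second 16-bit word."""
    a = ipaddress.IPv6Address(addr)
    if a not in LINK_LOCAL:
        raise ValueError(f"{addr} is not link-local; nothing to embed")
    if not 0 < zone_id <= 0xFFFF:
        raise ValueError("zone id must be non-zero and fit in 16 bits")
    packed = bytearray(a.packed)
    if packed[2] or packed[3]:
        raise ValueError(f"{addr} already carries an embedded scope")
    packed[2:4] = zone_id.to_bytes(2, "big")
    return str(ipaddress.IPv6Address(bytes(packed)))


def split_scope(addr: str) -> tuple[str, int]:
    """Inverse of embed_scope: (wire-format address, zone id).
    A zone id of 0 means no scope is attached to the address."""
    packed = bytearray(ipaddress.IPv6Address(addr).packed)
    zone_id = int.from_bytes(packed[2:4], "big")
    packed[2:4] = b"\x00\x00"  # what the address looks like on the wire
    return str(ipaddress.IPv6Address(bytes(packed))), zone_id


def classify(addr: str) -> str:
    """Label an address as a probe on the forwarding path would see it:
    'global' (not link-local, no scope needed), 'scoped' (link-local with
    a zone id) or 'unscoped' (link-local without one, which fails the
    kernel's scope check and is dropped, as described in the mail)."""
    if ipaddress.IPv6Address(addr) not in LINK_LOCAL:
        return "global"
    return "scoped" if split_scope(addr)[1] else "unscoped"


if __name__ == "__main__":
    # Constructed from the addresses quoted in the mail; zone id 2 is an
    # assumed interface index, not a value taken from the thread.
    wire = "fe80::215:17ff:fee9:3079"
    kernel = embed_scope(wire, 2)
    print(kernel, classify(kernel))   # fe80:2::215:17ff:fee9:3079 scoped
    print(wire, classify(wire))       # fe80::215:17ff:fee9:3079 unscoped
    print(split_scope("fe80:2:0:0:215:17ff:fee9:3079"))
```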