rdr not working for transparent http - 5.4-stable
Abu Khaled
khaled.abu at gmail.com
Sun Jul 31 06:18:46 GMT 2005
On 7/31/05, Giovanni P. Tirloni <gpt at tirloni.org> wrote:
> Abu Khaled wrote:
> > On 7/30/05, Giovanni P. Tirloni <gpt at tirloni.org> wrote:
> >
> >>Giovanni P. Tirloni wrote:
> >>
> >>>Max Laier wrote:
> >>>
> >>>
> >>>>One thing comes to my mind: What does
> >>>> $sysctl net.inet.ip.forwarding
> >>>>say?
> >>>
> >>>
> >>># sysctl net.inet.ip.forwarding
> >>>net.inet.ip.forwarding: 1
> >>>
> >>>I had some tweaks in /etc/sysctl but disabling them didn't help either.
> >>>
> >>>#net.inet.ip.check_interface=1
> >>>#net.inet.tcp.blackhole=2
> >>>#net.inet.udp.blackhole=1
> >>>
> >>
> >> I forgot to mention this box had ipfw+dummynet (with two queues)
> >>activated. I disabled ipfw in the kernel and pf rdr worked again! Just
> >>removing the ipfw rules didn't work.
> >>
> >> Weird enough, I don't have dummynet on the other 2 machines that have
> >>the same problem. But ipfw is compiled in but disabled.
> >>
> >> I'll try to disable ipfw on the other boxes and see what happens there
> >>to confirm this.
> >
> >
> > If ipfw is compiled in the kernel and it defaults to deny all, then
> > you need to add rules for ipfw to allow connections to and from
> > localhost (127.0.0.1 and port 3128). Otherwise ipfw will drop 'pf rdr
> > traffic'.
> >
> > # ipfw add allow tcp from $lan_net to 127.0.0.1 3128
> > # ipfw add allow tcp from 127.0.0.1 3128 to $lan_net
> >
> > Put the rules before any anti spoofing rules in ipfw.
> >
>
> I think there's something in the code that makes it not work because I
> set ipfw to accept by default on every machine I have. There must be
> something else.
>
Sounds confusing!!!
Do you mind providing your ipfw/pf rules and the output of:
# squid -v
# ls -l /dev/pf
Just to have a look at them while I scratch my head (to express the
confused system administrator emotion).
--
Regards.
Abu Khaled
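The rule-ordering advice in the quoted reply (ipfw must explicitly allow the
pf-redirected flows to and from 127.0.0.1:3128, and those allow rules must
come before any anti-spoofing rules), as an added example that is not part of
the thread. It only generates the pf rdr line and an ordered ipfw ruleset for
inspection; nothing is loaded into a live firewall. The LAN prefix
192.168.0.0/24, the inside interface em0 and the rule numbers are assumptions;
port 3128 and the localhost destination come from the thread.

```shell
#!/bin/sh
# Added example, not code from the freebsd-pf thread. Emits a pf rdr rule and
# an ipfw ruleset in which the allow rules for the redirected proxy traffic
# precede the anti-spoofing deny rules. Nothing is applied to the kernel.

lan_net="192.168.0.0/24"   # assumption: example LAN behind the firewall
int_if="em0"               # assumption: example inside interface
proxy_port="3128"          # Squid port named in the thread

# pf side: transparent redirect of LAN web traffic to the local Squid.
pf_rdr_rule() {
    printf 'rdr on %s inet proto tcp from %s to any port 80 -> 127.0.0.1 port %s\n' \
        "$int_if" "$lan_net" "$proxy_port"
}

# ipfw side: allow the redirected flows to/from localhost:3128 first (100/110),
# then anti-spoofing for the loopback range (200/210), then the default policy.
# The final rule stands in for whatever the compiled-in default is.
ipfw_rules() {
    printf 'add 100 allow tcp from %s to 127.0.0.1 %s\n' "$lan_net" "$proxy_port"
    printf 'add 110 allow tcp from 127.0.0.1 %s to %s\n' "$proxy_port" "$lan_net"
    printf 'add 200 deny ip from 127.0.0.0/8 to any in via %s\n' "$int_if"
    printf 'add 210 deny ip from any to 127.0.0.0/8 in via %s\n' "$int_if"
    printf 'add 65000 allow ip from any to any\n'
}

# Return 0 when every allow rule that mentions 127.0.0.1 has a lower rule
# number than the first deny rule, i.e. the ordering the reply asks for.
rules_ordered() {
    first_deny=$(ipfw_rules | awk '$3=="deny"{print $2; exit}')
    last_allow=$(ipfw_rules | awk '$3=="allow" && /127\.0\.0\.1/{n=$2} END{print n}')
    [ "$last_allow" -lt "$first_deny" ]
}

# Preflight from earlier in the thread: pf rdr needs IP forwarding on.
# Returns 2 when sysctl is unavailable (non-BSD host), 1 when forwarding is off.
forwarding_enabled() {
    command -v sysctl >/dev/null 2>&1 || return 2
    [ "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)" = "1" ]
}

# Dry run: print what would go into pf.conf and what `ipfw -q /dev/stdin`
# would load, so the ordering can be checked before touching the box.
pf_rdr_rule
ipfw_rules
if rules_ordered; then
    echo "# ok: proxy allow rules precede anti-spoofing rules"
else
    echo "# WARNING: anti-spoofing rules would drop the redirected traffic"
fi
```

Load order matters because ipfw evaluates rules by number and stops at the
first match; if a loopback anti-spoofing deny sits below 200 but above the two
allow rules, the packets pf has already rewritten to 127.0.0.1:3128 never reach
Squid, which matches the symptom described in the thread.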