Re: forwarding http requests with ipfw
- From: Glenn Dawson <glenn@xxxxxxxxxxxxxx>
- Date: Fri, 30 Dec 2005 22:07:59 -0800
At 09:07 PM 12/30/2005, Robert Collins wrote:
I've got a situation where I've got an internal host using a private ip/domainname. Let's say for the sake of this discussion the host is privatehost.internal.freebsd.org. privatehost isn't running a webserver. But I would like machines on the internal.freebsd.org network to query privatehost as if it was. When one of these machines queries privatehost I would like privatehost to forward those requests to my webserver, www.freebsd.org, so that it can handle the request. In order to accomplish that I have done the following:
My kernel was compiled with these options:
options IPFIREWALL
options IPFIREWALL_FORWARD
options IPFIREWALL_FORWARD_EXTENDED
"ipfw list" looks like this:
00100 allow ip from any to any via lo0
00110 deny ip from any to 127.0.0.0/8
00120 deny ip from 127.0.0.0/8 to any
10000 fwd 216.136.204.117 tcp from any to me dst-port 80
65000 allow ip from any to any
65535 deny ip from any to any
The problem I am having is that it seems the packets never leave privatehost. tcpdump shows packets coming in destined for port 80. "ipfw show" shows that packets are matching my rule, but tcpdump never shows any packets going out to 216.136.204.117. tcpdump on 216.136.204.117 also shows that no packets are being received. I did a tcpdump on lo0 just for kicks, and that didn't show anything. It seems as if the packets are just disappearing. Someone on #freebsdhelp suggested doing a "sysctl -w net.inet.ip.forwarding=1" but that didn't help the situation. Is there something minor I'm missing here...or am I totally off in my understanding of how "ipfw fwd" works?
To quote the ipfw man page:
"The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them."
You probably need to re-think what you are trying to do.
-Glenn
Thanks
-rcollins
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
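Added example, not part of either poster's message: a small Python model of the behaviour described in the man page text quoted above, where fwd changes only the next hop and the receiving system decides based on the unmodified destination address. The addresses 10.0.0.5 and 10.0.0.20 and the capture rule on the web server are assumptions made for illustration; this models the rule semantics and is not ipfw code.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Host:
    addrs: set                                # addresses configured on this host
    fwd: list = field(default_factory=list)   # modelled rules: (dst or "me", dst-port, next hop)

    def receive(self, pkt):
        """Return (verdict, next_hop); the packet itself is never modified."""
        for dst, dport, hop in self.fwd:
            dst_ok = pkt.dst in self.addrs if dst == "me" else pkt.dst == dst
            if dst_ok and pkt.dport == dport:
                # A fwd target that is a local address hands the packet to a local socket.
                local = hop in self.addrs or ip_address(hop).is_loopback
                return ("delivered", None) if local else ("forwarded", hop)
        # No fwd rule matched: accept only packets addressed to this host.
        return ("delivered", None) if pkt.dst in self.addrs else ("rejected", None)

WEB = "216.136.204.117"                  # fwd target from rule 10000 in the post
PRIV, CLIENT = "10.0.0.5", "10.0.0.20"   # constructed addresses (assumption)

def trace(web_rules):
    """Follow one client packet through privatehost and then the web server."""
    pkt = Packet(CLIENT, PRIV, 80)
    privatehost = Host({PRIV}, [("me", 80, WEB)])   # rule 10000 from the post
    webserver = Host({WEB}, web_rules)
    first = privatehost.receive(pkt)
    second = webserver.receive(pkt)      # same packet: dst is still PRIV
    return first, second, pkt.dst

if __name__ == "__main__":
    print(trace([]))                           # web server has no capture rule
    print(trace([(PRIV, 80, "127.0.0.1")]))    # hypothetical capture rule on the web server
```

The model covers only the destination-address point from the man page; it does not explain why tcpdump showed no packets leaving privatehost.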