Re: ipfw2 and fwd in Darwin

  • Subject: Re: ipfw2 and fwd in Darwin
  • From: Giuliano Gavazzi <email@hidden>
  • Date: Mon, 13 Oct 2008 22:07:04 +0200

To show how the ipfw2 fwd behaviour can be disconcerting (and buggy):

on the darwin server with an alias 192.168.202.102 on en1:

% netstat -an

...
tcp4 0 0 88.149.157.x.22 192.168.202.x.49206 ESTABLISHED
tcp4 0 0 192.168.202.102.49206 88.149.157.128.22 ESTABLISHED
...

but this connection does actually correspond to:

% w

...
root     s001     192.168.202.102  21:34       - w

that is a connection from itself.

That is, netstat "thinks" we are connected to a remote machine, but we are really connected to the local machine.
The command given was:

% ssh -b 192.168.202.102 88.149.157.x

and the firewall rule causing this:

% ipfw add fwd 192.168.202.110 log src-ip 192.168.202.101,192.168.202.102 not dst-ip 192.9.200.0/24,192.168.202.0/24 via en1

Searching the web I found several posts relating ipfw2 fwd problems, but no solution we can apply.
Instead in the man page I found:

The fwd action does not change the contents of the packet at all. In particular, the destination address
remains unmodified, so packets forwarded to another system will usually be rejected by that system unless
there is a matching rule on that system to capture them. For packets forwarded locally, the local
address of the socket will be set to the original destination address of the packet. This makes the
netstat(1) entry look rather weird but is intended for use with transparent proxy servers.

so it seems that my case would be explained if the packet was forwarded locally, but this is not the case as 192.168.202.110 is NOT a local address.

Another effect is:

% traceroute -s 192.168.202.102 88.149.157.x
traceroute to 88.149.157.x (88.149.157.x) from 192.168.202.102, 64 hops max, 40 byte packets
1 localhost (127.0.0.1) 0.786 ms 0.159 ms 0.060 ms

even if the system knows very well how to get to the next hop:

# traceroute -s 192.168.202.102 192.168.202.110
traceroute to 192.168.202.110 (192.168.202.110) from 192.168.202.102, 64 hops max, 40 byte packets
1 192.168.202.110 (192.168.202.110) 1.094 ms 0.431 ms 0.396 ms

Giuliano
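Added example, not part of the post: a small Python check that parses BSD-style `netstat -an` output and flags the "weird" entry the ipfw(8) man page describes, a socket whose local address is not one the host actually owns. The sample input quotes the two netstat lines from the post (masked octet `x` kept as written) plus two constructed lines, and the host's configured address set is assumed.

```python
"""Flag netstat entries whose local endpoint is not a configured address.

When ipfw 'fwd' delivers a packet to a local socket, the socket's local
address is set to the packet's ORIGINAL destination (ipfw(8)), so the entry
shows up in netstat bound to an address this host does not own.
"""
from typing import Iterable, List, Tuple

# Constructed sample: the two ESTABLISHED lines are quoted from the post
# (masked octet 'x' kept); the LISTEN and udp lines are added to exercise
# the parser's handling of wildcard endpoints and stateless rows.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  88.149.157.x.22        192.168.202.x.49206    ESTABLISHED
tcp4       0      0  192.168.202.102.49206  88.149.157.128.22      ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.123                  *.*
"""

# Assumed address set for the host in the post: the en1 alias, the other
# forwarded source address, and loopback.
LOCAL_ADDRS = {"192.168.202.102", "192.168.202.101", "127.0.0.1"}


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """BSD netstat joins address and port with a dot: '1.2.3.4.22' -> ('1.2.3.4', '22')."""
    addr, _, port = endpoint.rpartition(".")
    return addr, port


def parse_netstat(text: str) -> List[Tuple[str, str, str, str, str]]:
    """Return (proto, local_addr, local_port, foreign, state) per socket row."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # banner, column header, or unrelated line
        laddr, lport = split_endpoint(fields[3])
        state = fields[5] if len(fields) > 5 else ""  # udp rows carry no state
        rows.append((fields[0], laddr, lport, fields[4], state))
    return rows


def find_fwd_artifacts(text: str, local_addrs: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Sockets bound to an address the host does not own: the netstat(1)
    'weird entry' that ipfw fwd produces for locally delivered packets."""
    owned = set(local_addrs)
    hits = []
    for _proto, laddr, lport, foreign, state in parse_netstat(text):
        if laddr == "*" or laddr in owned:
            continue  # wildcard listener or a genuinely local address
        hits.append((laddr, lport, foreign, state))
    return hits


if __name__ == "__main__":
    for laddr, lport, foreign, state in find_fwd_artifacts(SAMPLE_NETSTAT, LOCAL_ADDRS):
        print(f"local {laddr}:{lport} <- {foreign} {state}: not a configured address")
```

On a live host, feed it the output of `netstat -an` and the addresses from `ifconfig` instead of the constructed sample.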