Delivered-To: darwin-dev@lists.apple.com

To show how the ipfw2 fwd behaviour can be disconcerting (and buggy):

On the darwin server with an alias 192.168.202.102 on en1:

% netstat -an
...
tcp4 0 0 88.149.157.x.22 192.168.202.x.49206 ESTABLISHED
tcp4 0 0 192.168.202.102.49206 88.149.157.128.22 ESTABLISHED
...

but this connection does actually correspond to:

% w
...
root s001 192.168.202.102 21:34 - w

that is, a connection from itself. That is, netstat "thinks" we are connected to a remote machine, but we are really connected to the local machine.

The command given was:

% ssh -b 192.168.202.102 88.149.157.x

and the firewall rule causing this:

% ipfw add fwd 192.168.202.110 log src-ip 192.168.202.101,192.168.202.102 not dst-ip 192.9.200.0/24,192.168.202.0/24 via en1

Searching the web I found several posts relating to ipfw2 fwd problems, but no solution we can apply. Instead, in the man page I found:

    The fwd action does not change the contents of the packet at all. In particular, the destination address remains unmodified, so packets forwarded to another system will usually be rejected by that system unless there is a matching rule on that system to capture them. For packets forwarded locally, the local address of the socket will be set to the original destination address of the packet. This makes the netstat(1) entry look rather weird but is intended for use with transparent proxy servers.

so it seems that my case would be explained if the packet was forwarded locally, but this is not the case, as 192.168.202.110 is NOT a local address.

Another effect is:

% traceroute -s 192.168.202.102 88.149.157.x
traceroute to 88.149.157.x (88.149.157.x) from 192.168.202.102, 64 hops max, 40 byte packets
 1 localhost (127.0.0.1) 0.786 ms 0.159 ms 0.060 ms

even if the system knows very well how to get to the next hop:

# traceroute -s 192.168.202.102 192.168.202.110
traceroute to 192.168.202.110 (192.168.202.110) from 192.168.202.102, 64 hops max, 40 byte packets
 1 192.168.202.110 (192.168.202.110) 1.094 ms 0.431 ms 0.396 ms

Giuliano
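A check that makes the symptom above visible from netstat output alone, as an added example that is not part of the original post: it flags any ESTABLISHED socket whose foreign address is not one of the host's own addresses but whose mirror-image socket (local and foreign swapped) is also present in the same table, meaning both ends of the connection live on this machine. The netstat table is constructed here, and 203.0.113.5 stands in for the masked 88.149.157.x address.

```python
# Added example, not code from the original post. Detects netstat entries
# whose "foreign" end is in fact another socket on this same host, the
# looped-back pair described above for the ipfw fwd rule.
import re

# Constructed sample of `netstat -an` output on the Darwin box; only the
# ESTABLISHED lines matter. 203.0.113.5 stands in for 88.149.157.x.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  203.0.113.5.22         192.168.202.102.49206  ESTABLISHED
tcp4       0      0  192.168.202.102.49206  203.0.113.5.22         ESTABLISHED
tcp4       0      0  192.168.202.102.49301  192.168.202.110.22     ESTABLISHED
tcp4       0      0  *.22                   *.*                    LISTEN
"""

# proto, recv-q, send-q, local, foreign, state
LINE_RE = re.compile(r"^(tcp[46]?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def split_endpoint(ep):
    """'192.168.202.102.49206' -> ('192.168.202.102', 49206); '*.*' -> ('*', None)."""
    host, _, port = ep.rpartition(".")
    return host, (int(port) if port.isdigit() else None)

def parse_established(text):
    """Return (local, foreign) endpoint tuples for every ESTABLISHED TCP socket."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "ESTABLISHED":
            conns.append((split_endpoint(m.group(2)), split_endpoint(m.group(3))))
    return conns

def find_looped_connections(text, local_addrs):
    """Flag sockets whose foreign host is not a local address, yet whose
    swapped (foreign, local) twin is also in the table: the connection
    never left this host, the 'rather weird' entry the fwd man page describes."""
    conns = parse_established(text)
    seen = set(conns)
    looped = []
    for local, foreign in conns:
        if foreign[0] in local_addrs:
            continue                      # ordinary local-to-local socket
        if (foreign, local) in seen:      # the other end is on this host too
            looped.append((local, foreign))
    return looped

if __name__ == "__main__":
    for local, foreign in find_looped_connections(SAMPLE_NETSTAT, {"192.168.202.102", "127.0.0.1"}):
        print("looped on this host:", local, "->", foreign)
```

Feed it the real `netstat -an` output and the addresses from `ifconfig` (aliases included) to confirm whether a suspicious entry is one of these looped pairs or a genuine remote session.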