Bug 239590 - ipfw rule doesn't forward TCP connections made through the host's LAN address
Summary: ipfw rule doesn't forward TCP connections made through the host's LAN address
Status: Closed Not A Bug
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 12.0-STABLE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: freebsd-ipfw (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-08-02 04:54 UTC by Yuri Victorovich
Modified: 2019-08-26 12:55 UTC (History)

See Also:


Attachments

Description Yuri Victorovich freebsd_committer freebsd_triage 2019-08-02 04:54:14 UTC
I need to forward incoming TCP connections made to my host 192.168.5.3 on the port 3100 to the IP address 10.0.0.101 port 3000 connected through another interface.

These rules work when the connection is made from a remote host:
> ipfw -q nat 19001 config redirect_port tcp 10.0.0.101:3000 192.168.5.3:3100
> ipfw -q add 19001 nat 19001 tcp from any to 192.168.5.3 3100 in recv sk0
> ipfw -q add 19001 nat 19001 tcp from 10.0.0.101 3000 to any out xmit sk0

The problem:
A similar firewall rule for connections from the host's LAN IP address (that pass through lo0) doesn't work:
> ipfw -q add 19001 nat 19001 tcp from 192.168.5.3 to 192.168.5.3 3100 in recv lo0

Wireshark shows that the incoming connection is from 192.168.5.3 to 192.168.5.3 on 3100 but it gets immediately rejected instead of being forwarded.
This rule looks very similar to the second rule above, just the interface is different. Why doesn't it work?
Comment 1 Eugene Grosbein freebsd_committer freebsd_triage 2019-08-26 12:55:33 UTC
Please use mailing lists or web forums for general discussion. Default ipfw ruleset matches loopback traffic with rule 100, so it cannot be matched using later rules.
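Editorial note on the closing comment: ipfw evaluates rules in number order and acts on the first match, and the stock rc.firewall installs "add 100 pass all from any to any via lo0" before anything a user adds at 19001, so a packet looping back on lo0 is accepted by rule 100 and never reaches the later nat rule. The following toy simulator is an added illustration of that ordering, not ipfw and not code from the report. It models only the match criteria the reported rules actually use; 192.168.5.7 is an assumed remote LAN host, the packets are constructed samples, and renumbering the lo0 nat rule below 100 is shown as the obvious consequence of the comment, not as a remedy the thread confirms works for this hairpin case.

```python
"""Toy first-match model of the ipfw ordering discussed in bug 239590.

Added illustration, not ipfw: only proto, src/dst address, src/dst port,
in/out and recv/xmit/via interface are modelled, and the ruleset is walked
in rule-number order, stopping at the first match, as ipfw does.
"""
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" (arriving on iface) or "out" (leaving on iface)
    iface: str


@dataclass
class Rule:
    number: int
    action: str                       # e.g. "allow" or "nat 19001"
    proto: str = "ip"                 # "ip" matches any protocol
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # "in", "out" or None for either
    iface_mode: Optional[str] = None  # "recv", "xmit" or "via"
    iface: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None:
            # recv sees only packets arriving on iface, xmit only packets
            # leaving on it; via matches in either direction.
            if self.iface_mode == "recv" and p.direction != "in":
                return False
            if self.iface_mode == "xmit" and p.direction != "out":
                return False
            if self.iface != p.iface:
                return False
        return True


def first_match(rules: List[Rule], packet: Packet) -> Optional[Rule]:
    """First matching rule by number (insertion order within a number)."""
    for rule in sorted(rules, key=lambda r: r.number):  # sorted() is stable
        if rule.matches(packet):
            return rule
    return None  # would fall through to ipfw's default rule 65535


# Rule 100 as installed by the default rc.firewall, then the reported rules.
LOOPBACK_ALLOW = Rule(100, "allow", iface_mode="via", iface="lo0")
NAT_IN_SK0 = Rule(19001, "nat 19001", proto="tcp", dst="192.168.5.3", dport=3100,
                  direction="in", iface_mode="recv", iface="sk0")
NAT_OUT_SK0 = Rule(19001, "nat 19001", proto="tcp", src="10.0.0.101", sport=3000,
                   direction="out", iface_mode="xmit", iface="sk0")
NAT_IN_LO0 = Rule(19001, "nat 19001", proto="tcp", src="192.168.5.3",
                  dst="192.168.5.3", dport=3100,
                  direction="in", iface_mode="recv", iface="lo0")
REPORTED_RULESET = [LOOPBACK_ALLOW, NAT_IN_SK0, NAT_OUT_SK0, NAT_IN_LO0]

# Constructed sample packets: a SYN from an assumed remote LAN host
# (192.168.5.7), and the same connection attempt made by the host itself.
REMOTE_SYN = Packet("tcp", "192.168.5.7", "192.168.5.3", 40000, 3100, "in", "sk0")
LOCAL_SYN = Packet("tcp", "192.168.5.3", "192.168.5.3", 40001, 3100, "in", "lo0")


def rule_hit_by(packet: Packet, rules: List[Rule] = REPORTED_RULESET) -> Optional[int]:
    """Number of the rule that decides this packet, or None."""
    hit = first_match(rules, packet)
    return None if hit is None else hit.number


def renumbered(rule: Rule, number: int) -> Rule:
    """Same rule under a new number (assumed: placing it before 100)."""
    return replace(rule, number=number)


if __name__ == "__main__":
    print("remote SYN on sk0 decided by rule", rule_hit_by(REMOTE_SYN))
    print("local SYN on lo0 decided by rule", rule_hit_by(LOCAL_SYN))
    early = [LOOPBACK_ALLOW, NAT_IN_SK0, NAT_OUT_SK0, renumbered(NAT_IN_LO0, 50)]
    print("local SYN with lo0 nat rule at 50 decided by rule",
          rule_hit_by(LOCAL_SYN, early))
```

Run stand-alone, the script reports that the remote SYN is decided by the nat rule at 19001 while the local SYN is decided by rule 100, matching the explanation in comment 1; only with the lo0 nat rule renumbered below 100 does the simulated walk reach it.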