From dima@unixfreak.org  Mon Feb  5 16:53:22 2001
Return-Path: <dima@unixfreak.org>
Received: from bazooka.unixfreak.org (bazooka.unixfreak.org [63.198.170.138])
	by hub.freebsd.org (Postfix) with ESMTP id F39CD37B491
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  5 Feb 2001 16:53:21 -0800 (PST)
Received: from hornet.unixfreak.org (hornet [63.198.170.140])
	by bazooka.unixfreak.org (Postfix) with ESMTP
	id 94E303E09; Mon,  5 Feb 2001 16:53:21 -0800 (PST)
Received: (from dima@localhost)
	by hornet.unixfreak.org (8.11.1/8.11.1) id f160rLl18271;
	Mon, 5 Feb 2001 16:53:21 -0800 (PST)
	(envelope-from dima)
Message-Id: <200102060053.f160rLl18271@hornet.unixfreak.org>
Date: Mon, 5 Feb 2001 16:53:21 -0800 (PST)
From: dima@unixfreak.org
Reply-To: dima@unixfreak.org
To: FreeBSD-gnats-submit@freebsd.org
Cc: cjclark@alum.mit.edu
Subject: [PATCH] New FAQ entry about inappropriate use of ipfw(8) 'fwd' rules
X-Send-Pr-Version: 3.2

>Number:         24888
>Category:       docs
>Synopsis:       [PATCH] New FAQ entry about inappropriate use of ipfw(8) 'fwd' rules
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    dd
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 05 17:00:02 PST 2001
>Closed-Date:    Mon Mar 12 17:27:08 PST 2001
>Last-Modified:  Mon Mar 12 17:27:18 PST 2001
>Originator:     Dima Dorfman
>Release:        FreeBSD 4.2-20010102-STABLE i386
>Organization:
Private
>Environment:

Not relevant.

>Description:

Users new to the ipfw(8) interface often attempt to use ``fwd'' rules
when they should be using NAT; they mistakenly think that ipfw(8) will
rewrite the destination of the forwarded packet, when in fact it does not.
This FAQ entry attempts to explain why their rules don't work as
expected.

>How-To-Repeat:

Read -questions.

>Fix:

Apply the following patch to doc/en_US.ISO_8859-1/books/faq/book.sgml.

The actual text was written by Crist J. Clark <cjclark@alum.mit.edu>.
Please credit him in the commit log.

Index: book.sgml
===================================================================
RCS file: /st/src/FreeBSD/doc/en_US.ISO_8859-1/books/faq/book.sgml,v
retrieving revision 1.142
diff -u -r1.142 book.sgml
--- book.sgml	2001/02/02 03:16:45	1.142
+++ book.sgml	2001/02/06 00:44:07
@@ -8179,6 +8238,41 @@
               </listitem>
             </itemizedlist></para>
 
+        </answer>
+      </qandaentry>
+
+      <qandaentry>
+        <question id="ipfw-fwd">
+          <para>Why is my &man.ipfw.8; <quote>fwd</quote> rule to redirect a
+            service to another machine not working?</para>
+        </question>
+
+        <answer>
+          <para>Possibly because you want to do network address translation
+            (NAT) and not just forward packets.  A <quote>fwd</quote> rule
+            does exactly what it says; it forwards packets.  It does not
+            actually change the data inside the packet.  Say we have a rule
+            like:</para>
+
+          <screen>01000 fwd <replaceable>10.0.0.1</replaceable> from any to <replaceable>foo 21</replaceable></screen>
+
+          <para>When a packet with a destination address of
+            <replaceable>foo</replaceable> arrives at the machine with this
+            rule, the packet is forwarded to
+            <replaceable>10.0.0.1</replaceable>, but it still has the
+            destination address of <replaceable>foo</replaceable>!  The
+            destination address of the packet is <emphasis>not</emphasis>
+            changed to <replaceable>10.0.0.1</replaceable>.  Most machines
+            would probably drop a packet that they receive with a
+            destination address that is not their own.  Therefore, using a
+            <quote>fwd</quote> rule does not often work the way the user
+            expects.  This behavior is a feature and not a bug.</para>
+
+          <para>See the <link linkend="service-redirect">FAQ about
+            redirecting services</link>, the &man.natd.8; manual, or one of
+            the several port redirecting utilities in the <ulink
+            url="../ports/">ports collection</ulink> for a correct way to do
+            this.</para>
         </answer>
       </qandaentry>
 
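Review bot: the `<screen>` example rule (`01000 fwd 10.0.0.1 from any to foo 21`) omits the protocol keyword that ipfw(8) syntax requires between the action and `from`, and a destination port is only meaningful with `tcp` or `udp`; since the example is the FTP control port, suggest `01000 fwd <replaceable>10.0.0.1</replaceable> tcp from any to <replaceable>foo</replaceable> 21` so that readers who copy it get a rule ipfw accepts, and keep `21` outside `<replaceable>` because it is the literal port rather than a placeholder. Also worth confirming that the `service-redirect` id referenced by `<link linkend="service-redirect">` exists elsewhere in book.sgml, since an unresolved linkend breaks the DocBook build.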



>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->dd 
Responsible-Changed-By: dd 
Responsible-Changed-When: Sun Mar 11 14:00:05 PST 2001 
Responsible-Changed-Why:  
My PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24888 
State-Changed-From-To: open->closed 
State-Changed-By: dd 
State-Changed-When: Mon Mar 12 17:27:08 PST 2001 
State-Changed-Why:  
Patch committed. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=24888 
>Unformatted:
