# The port setting in IPFW fwd rule is not working



## williamy (Jun 4, 2012)

I have three VMs:

- one using IP 192.168.0.12 and running a web server on port 80,
- one using FreeBSD as a gateway (WAN IP is 192.168.0.100, LAN IP is 192.168.1.1),
- one also running a simple website which is listening on port 80 and port 8080, using IP 192.168.1.100.

I can open the website via http://192.168.0.12 because I have added a static route on the first VM; I route the 192.168.1.0 segment back to 192.168.0.100. That means all three VMs are working properly.

But after I changed the firewall rule, the situation became unclear to me. Now the firewall rules are as below:


```
00001    fwd 127.0.0.1,8080 tcp from any to any in
65535    allow ip from any to any
```

But the testing and the results are not reasonable to me.


- Test 1: Try to open http://1.1.1.1; it opens port 80 of the gateway.
- Test 2: Try to open http://1.1.1.1:80; it opens port 80 of the gateway.
- Test 3: Try to open http://1.1.1.1:8080; it opens port 8080 of the gateway.
- Test 4: Try to open http://1.1.1.1:123; it opens port 80 of the gateway again!

Conclusion:

The port in the firewall rule is not working, and I don't understand why it automatically chooses 80 when I am trying to open http://1.1.1.1:123.


----------



## williamy (Jun 5, 2012)

I have reorganized the configuration file of Apache; now port 80 is not the default choice anymore. That means the link http://1.1.1.1:123 is not working anymore, but the port is still not working. According to the manpage of ipfw, the port should work when the IP is on the same machine!


----------
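
The manpage behaviour williamy refers to is this: a `fwd` target that is a local address delivers matching packets to the port given in the rule (or to the packet's own destination port when the rule gives none), while a non-local target is used as a next hop and the rule's port is ignored. The script below is an added example, not code from the thread or from FreeBSD, that models those two cases for the rule posted above. It assumes the gateway's only local addresses are 127.0.0.1, 192.168.0.100 and 192.168.1.1, that the LAN interface is named `em1`, and it understands only the subset of rule syntax used here (one destination port, `in`/`out`, `via <if>`). The packets are constructed to mirror the thread's tests, plus one SSH connection to the gateway to show how much the `from any to any in` rule catches.

```python
#!/usr/bin/env python3
"""Model of ipfw(8) 'fwd' port handling: local target -> rule port (or the
packet's own port if none); non-local target -> port ignored, routed on.
Added example; not FreeBSD code.  Rule syntax support is deliberately small."""

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Addresses the thread's gateway holds (loopback, WAN, LAN); assumed complete.
GATEWAY_LOCAL = frozenset({"127.0.0.1", "192.168.0.100", "192.168.1.1"})

FWD_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+fwd\s+(?P<addr>[\d.]+)(?:,(?P<port>\d+))?\s+"
    r"(?P<proto>tcp|udp|ip)\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+(?P<dport>\d+))?(?P<rest>.*)$")


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    direction: str    # "in" or "out"
    iface: str        # interface the packet is seen on, e.g. "em1"


@dataclass(frozen=True)
class FwdRule:
    number: int
    addr: str                 # forwarding target
    port: Optional[int]       # the optional ",port" after the target
    proto: str
    src: str
    dst: str
    dport: Optional[int]      # single destination port, or None for any
    direction: Optional[str]  # "in", "out" or None for either
    iface: Optional[str]      # "via <if>" or None for any interface


def parse_fwd(line: str) -> FwdRule:
    m = FWD_RE.match(line)
    if not m:
        raise ValueError(f"not a fwd rule this model can parse: {line!r}")
    words = m.group("rest").split()
    return FwdRule(
        number=int(m.group("num")), addr=m.group("addr"),
        port=int(m.group("port")) if m.group("port") else None,
        proto=m.group("proto"), src=m.group("src"), dst=m.group("dst"),
        dport=int(m.group("dport")) if m.group("dport") else None,
        direction=next((w for w in words if w in ("in", "out")), None),
        iface=words[words.index("via") + 1] if "via" in words else None)


def _addr_matches(spec: str, ip: str, local_addrs) -> bool:
    if spec == "any":
        return True
    if spec == "me":          # ipfw keyword: any address held by this host
        return ip in local_addrs
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def matches(rule: FwdRule, pkt: Packet, local_addrs=GATEWAY_LOCAL) -> bool:
    return (rule.proto in ("ip", pkt.proto)
            and rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.dport in (None, pkt.dport)
            and _addr_matches(rule.src, pkt.src, local_addrs)
            and _addr_matches(rule.dst, pkt.dst, local_addrs))


def deliver(rule: FwdRule, pkt: Packet, local_addrs=GATEWAY_LOCAL) -> Tuple[str, int, str]:
    """Where a matching packet ends up: (address, port, mechanism)."""
    if rule.addr in local_addrs:
        port = rule.port if rule.port is not None else pkt.dport
        return rule.addr, port, "local socket"
    return rule.addr, pkt.dport, "next-hop"   # rule port is ignored here


def trace(rule: FwdRule, pkt: Packet, local_addrs=GATEWAY_LOCAL):
    return deliver(rule, pkt, local_addrs) if matches(rule, pkt, local_addrs) else None


# The rule from the thread; a tighter one that only takes LAN web traffic on
# the LAN interface (em1 is an assumption); and a non-local target for contrast.
THREAD_RULE = parse_fwd("00001    fwd 127.0.0.1,8080 tcp from any to any in")
TIGHT_RULE = parse_fwd("00001 fwd 127.0.0.1,8080 tcp from 192.168.1.0/24 to any 80 in via em1")
REMOTE_RULE = parse_fwd("00002 fwd 192.168.1.100,8080 tcp from any to any 80 in")

# Constructed packets: the thread's tests 2 and 4 from the LAN client, and an
# SSH connection to the gateway's WAN address.
WEB_TEST2 = Packet("tcp", "192.168.1.100", "1.1.1.1", 80, "in", "em1")
WEB_TEST4 = Packet("tcp", "192.168.1.100", "1.1.1.1", 123, "in", "em1")
SSH_TO_GW = Packet("tcp", "192.168.0.12", "192.168.0.100", 22, "in", "em0")

if __name__ == "__main__":
    for name, rule in (("thread", THREAD_RULE), ("tight", TIGHT_RULE), ("remote", REMOTE_RULE)):
        for pkt in (WEB_TEST2, WEB_TEST4, SSH_TO_GW):
            print(f"{name:6} {pkt.dst}:{pkt.dport} -> {trace(rule, pkt)}")
```

Two things the model makes visible. First, by the documented semantics, the posted rule should hand every matching packet to local port 8080 regardless of the original destination port, so a result of port 80 means something other than this rule decided the delivery; on FreeBSD releases of the thread's era the `fwd` action additionally needed the kernel built with `options IPFIREWALL_FORWARD` (the option was removed in later releases and the feature made unconditional), and a rule that `ipfw` accepts is not proof that the kernel honours it. Second, `tcp from any to any in` matches all inbound TCP, including SSH to the gateway and the reply segments of the gateway's own outbound connections, and would steer them into the web server; restricting the source network, destination port and interface keeps the redirect to the traffic it is meant for.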



## anarchy (Jun 16, 2012)

Hi williamy,

As far as I can understand, your problem splits _at least_ into two problems.

I can guess you have some internet connectivity, but you are confusing IP addresses: 192.168.0.0/16 can't be routed by internet routers! Moreover, 1.1.1.1 is another "bad" address; you can just use the "public one" (see RFC1918) that your carrier has provided to you (or better, to your router).

Supposing you have one and only one "public address" and that it's bound to your router, you need to interact in the first place with that router, to allow packets from the "outside internet" to reach your network; behind that device it's good practice to have a firewall, and IPFW is a good one, but you need to know much more about TCP if you want to control the whole situation.
Look for RFCs about TCP/IP; you can't suppose to treat UDP in the same way as TCP or something else, and your IPFW rules _need_ to be built on that knowledge.


----------

