IPFW ipfw fwd out needs at least fake default route to work

Hello, All!

FreeBSD 10.3-RELEASE-p7 r304924M
VM under hyperv
simple ipfw rules

Code:
00100 allow ip from any to any via lo0
00200  deny ip from any to 127.0.0.0/8
00300  deny ip from 127.0.0.0/8 to any
00400  deny ip from any to ::1
00500  deny ip from ::1 to any
00600  allow ipv6-icmp from :: to ff02::/16
00700  allow ipv6-icmp from fe80::/10 to fe80::/10
00800  allow ipv6-icmp from fe80::/10 to ff02::/16
00900  allow ipv6-icmp from any to any ip6 icmp6types 1
01000  allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
02000  fwd 192.168.1.1 ip from 192.168.1.254 to not 192.168.1.0/24
65000 allow ip from any to any
65535      0        0 deny ip from any to any
hn0: inet 192.168.1.254/24 (connected to wan via 192.168.1.1 router)
hn1: inet 192.168.2.2/24 status: no carrier

Code:
# route delete default
# ping -S 192.168.1.254 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.254: 56 data bytes
ping: sendto: No route to host
Then I add a fake route (via an unused interface):
Code:
# route add default 192.168.2.3
add net default: gateway 192.168.2.3

and the fwd rule begins to work:
Code:
# ping -S 192.168.1.254 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.254: 56 data bytes
64 bytes from 8.8.8.8: icmp_seq=0 ttl=48 time=41.725 ms
Is it the right behavior? It seems like I can't push a packet to any interface if I don't have a default route.
I made some experiments: adding out, and out xmit hn0, without positive result.
 
A firewall is not a router. Where stuff eventually gets routed to depends on the routing tables, not the firewall. The reason it probably works with a "fake" gateway is because it's sending a bunch of ICMP redirects, directing it to the proper gateway.
 