From owner-freebsd-questions Thu Jul 16 12:45:15 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA02330 for freebsd-questions-outgoing; Thu, 16 Jul 1998 12:45:15 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA02319 for ; Thu, 16 Jul 1998 12:45:13 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by freefall.freebsd.org (8.8.8/8.8.5) with ESMTP id MAA11983 for ; Thu, 16 Jul 1998 12:44:11 -0700 (PDT)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.8.5/8.8.8) with SMTP id MAA19215; Thu, 16 Jul 1998 12:44:43 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Date: Thu, 16 Jul 1998 12:44:42 -0700 (PDT)
From: Doug White <dwhite@resnet.uoregon.edu>
To: Thomas David Rivers <rivers@lakes.dignus.com>
cc: freebsd-questions@freefall.cdrom.com, rivers@lakes.dignus.com
Subject: Re: ipfw rules for exposing an internal machine's port externally?
In-Reply-To: <199807160217.WAA23663@lakes.dignus.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 15 Jul 1998, Thomas David Rivers wrote:

>  I thought I should be able to do this; but it doesn't
>  seem to work well.  Perhaps someone knows what I've got wrong here.
>
>  What I have is a machine "X" which is on the external network
>  and through which I divert all internal traffic on the 10.0.0.x
>  network via ipfw/natd, as in:
>
>       ipfw add 100 divert 32000 ip from any to any via sl0
>
>  However, I have an internal machine (10.0.0.10) that's set up
>  to do telnet connections on a different port (e.g. port #PPPP in
>  the following example.)
>
>  I would like to make those connections available externally.
>
>  So - I've added:
>
>       ipfw add 50 pass log tcp from any PPPP to 10.0.0.10 PPPP
>       ipfw add 50 pass log udp from any PPPP to 10.0.0.10 PPPP

You can't do this since natd already munged the packets.  For all intents
and purposes natd is a complete firewall.  What you want to do is use
natd's redirect_port feature to map the port(s) you want from the
10.0.0.10 host onto port(s) on the natd host.  See the natd man page for
details.

Besides, you just overwrote the first rule 50, for tcp, with the
replacement rule 50, for udp.  The rule numbers must be unique unless
you're replacing the rule.

Doug White                              | University of Oregon
Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
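As an added example, not part of the original thread and not anything either poster ran: the setup Doug points to, written as a small POSIX shell script that prints the natd command line and the ipfw rules instead of applying them, so it can be checked on any host before being pasted into rc.  It takes the poster's layout from the thread (external interface sl0, natd on divert port 32000, internal host 10.0.0.10) and takes the service port as its one argument, standing in for the placeholder PPPP.  The rule numbers 200 and 210, the ordering of the pass rules after the divert, and the duplicate-rule-number check are this example's own choices, not from the thread.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumed layout, taken from
# the poster's description: external interface sl0, natd on divert port
# 32000, internal host 10.0.0.10 serving on the placeholder port PPPP,
# which the functions below take as their single argument.

# natd command line using redirect_port: an inbound connection to <port>
# on the natd host's sl0 address is rewritten to 10.0.0.10:<port> before
# the packet is handed back to the firewall.  Both protocols the poster
# asked about are redirected; drop the udp option if only telnet matters.
natd_cmdline() {
    port=$1
    printf 'natd -p 32000 -interface sl0 -redirect_port tcp 10.0.0.10:%s %s -redirect_port udp 10.0.0.10:%s %s\n' \
        "$port" "$port" "$port" "$port"
}

# ipfw ruleset.  The pass rules are numbered AFTER the divert rule: when
# natd re-injects the translated packet, processing resumes at the rule
# following the divert, and only then does the destination read
# 10.0.0.10.  A rule numbered below 100 sees the untranslated packet
# (destination = the external address) and never matches.  No source
# port is given, since a client's source port is arbitrary.  The rest of
# the poster's policy would follow from rule 220 on and is left out.
ipfw_rules() {
    port=$1
    cat <<EOF
ipfw add 100 divert 32000 ip from any to any via sl0
ipfw add 200 pass log tcp from any to 10.0.0.10 $port via sl0
ipfw add 210 pass log udp from any to 10.0.0.10 $port via sl0
EOF
}

# Check for the second point in the reply: read a ruleset on stdin and
# fail (exit 1) if two "ipfw add" lines carry the same rule number.
check_unique_rule_numbers() {
    awk '$1 == "ipfw" && $2 == "add" { if (seen[$3]++) dup = 1 }
         END { exit dup ? 1 : 0 }'
}

# Usage: sh natd_redirect.sh <port>   (prints the commands, applies nothing)
if [ -n "$1" ]; then
    natd_cmdline "$1"
    ipfw_rules "$1" | check_unique_rule_numbers \
        || { echo "duplicate rule number in ruleset" >&2; exit 1; }
    ipfw_rules "$1"
fi
```

Run it with the real port in place of PPPP, review the printed lines, and feed the poster's original two rule-50 lines through check_unique_rule_numbers to see the duplicate-number case fail.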