Date:      Thu, 19 Jul 2001 00:58:49 +0100
From:      Richard Smith <rdls@satamatics.com>
To:        Thomas David Rivers <rivers@dignus.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ipfw & fwd? (and natd?)
Message-ID:  <20010719005849.A1937@gaia.home.rdls.net>
In-Reply-To: <200107171200.f6HC0cB40770@lakes.dignus.com>; from rivers@dignus.com on Tue, Jul 17, 2001 at 08:00:38AM -0400
References:  <200107171200.f6HC0cB40770@lakes.dignus.com>

On Tue, Jul 17, 2001 at 08:00:38AM -0400, Thomas David Rivers wrote:
> 
> I've been trying to redirect a certain port number to a telnet
> port on another network...
> 
> It's been pointed out that natd won't do that for me; because
> of the "other" network issue (although, perhaps it should, hard
> to say.)

When the `other network' is an external network perhaps, but you're
redirecting to an internal network within your 10/8 address space.

> Here's the set up:
> 
>   xl0 is the "outside" interface.
>   x1l is the "inside" interface (10.0.0.x) network 
>   tun0 is the VPN interface to the other (10.1.0.x) network.
> 
> I'd like to redirect incoming tcp/udp connections on port 5000 via xl0
> to a telnet connection on a machine in the 10.1.0.x network.

I just did a similar thing: using an ssh/ppp constructed vpn,
and adding "-redirect_port tcp 10.1.0.x:23 5000" to natd_flags.

The only thing that threw me at first was that the other end of the 
tunnel needs to set their default route pointing back into the tunnel.


> So - some of us were thinking that perhaps natd, in combination
> with ipfw fwd would work... making a "phantom" IP address on the
> 10.0.0.x network.  Then, natd can redirect to the "phantom" IP
> address, which will be forwarded to the remote one.
> 
> To get specific, the remote machine is 10.1.0.11; the "phantom" IP
> address is 10.0.0.11.
> 
> At this point, I'm just trying to get ipfw fwd to work... so, that
> ping/telnet/etc.. to 10.0.0.11 are forwarded to 10.1.0.11.
> 
> Here's my ipfw rules:
> 
> 00050 divert 8668 ip from any to any via xl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 06400 fwd 10.1.0.11 ip from any to 10.0.0.11
> 06401 fwd 10.1.0.11 ip from 10.0.0.11 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any

This is clearly wrong: you're asking ipfw to send both forward and return
packets to the same address. I don't think `ipfw fwd' re-writes the packet
so it's not much use to you here.

I'd stick with natd, it does work.

Rich.

-- 
Richard Smith
Network Systems Director
Satamatics Ltd
Green Lane, Tewkesbury, GL20 8HD, United Kingdom
Tel: +44 1684 278610
Fax: +44 1684 278611
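As an added illustration of the point Rich makes about the quoted ruleset (this is example code, not something posted in the thread), here is a small Python check that reads `ipfw list` style output and flags pairs of `fwd` rules that hand both the forward direction (traffic to a host) and the return direction (traffic from that same host) to the same next hop. The sample ruleset is the one quoted in the message; the regular expression assumes the `NNNNN fwd NEXTHOP PROTO from SRC to DST` layout shown there and ignores any other rule options.

```python
import re
from dataclasses import dataclass

# Matches the "fwd" lines as printed by "ipfw list" in the quoted message.
# Rules with extra options after the destination still match the prefix;
# other actions (allow, deny, divert) are ignored by the check.
FWD_RULE_RE = re.compile(
    r"^(\d+)\s+fwd\s+(\S+)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)"
)

# Ruleset quoted in the message (not constructed): rules 06400/06401 are the
# pair under discussion.
QUOTED_RULESET = """\
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
06400 fwd 10.1.0.11 ip from any to 10.0.0.11
06401 fwd 10.1.0.11 ip from 10.0.0.11 to any
65000 allow ip from any to any
65535 allow ip from any to any
"""


@dataclass(frozen=True)
class FwdRule:
    number: int
    next_hop: str
    proto: str
    src: str
    dst: str


def parse_fwd_rules(ruleset: str) -> list[FwdRule]:
    """Extract only the fwd rules from ipfw list output."""
    rules = []
    for line in ruleset.splitlines():
        m = FWD_RULE_RE.match(line.strip())
        if m:
            number, next_hop, proto, src, dst = m.groups()
            rules.append(FwdRule(int(number), next_hop, proto, src, dst))
    return rules


def find_two_way_forwards(rules: list[FwdRule]) -> list[tuple[int, int]]:
    """Return (to_host_rule, from_host_rule) number pairs where packets
    addressed to host H and packets sourced from H are both forwarded to
    the same next hop.

    fwd only changes the next hop; it does not rewrite addresses. Replies
    from the real target therefore never carry H as their source, and a
    "from H to any" rule pointed at the same next hop cannot act as the
    return path the author intended.
    """
    problems = []
    for to_host in rules:
        if to_host.dst == "any":
            continue
        for from_host in rules:
            if from_host is to_host:
                continue
            if (
                from_host.src == to_host.dst
                and from_host.dst == "any"
                and from_host.next_hop == to_host.next_hop
            ):
                problems.append((to_host.number, from_host.number))
    return problems


def check_ruleset(ruleset: str) -> list[tuple[int, int]]:
    """Convenience wrapper: parse then check."""
    return find_two_way_forwards(parse_fwd_rules(ruleset))


if __name__ == "__main__":
    for a, b in check_ruleset(QUOTED_RULESET):
        print(f"rules {a:05d} and {b:05d} forward both directions to the same next hop")
```

Running the script against the quoted rules reports the 06400/06401 pair; a ruleset that uses natd's `-redirect_port` for the translation and has no such fwd pair produces no output.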
