From owner-freebsd-ipfw Thu Jun 21 8:40:29 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from kira.epconline.net (kira2.epconline.net [209.83.132.2]) by hub.freebsd.org (Postfix) with ESMTP id 1853F37B401 for ; Thu, 21 Jun 2001 08:40:26 -0700 (PDT) (envelope-from carock@epctech.com)
Received: from therock (betterguard.epconline.net [207.206.185.193]) by kira.epconline.net (8.11.2/8.11.2) with SMTP id f5LFeOX07603 for ; Thu, 21 Jun 2001 10:40:24 -0500 (CDT)
Reply-To:
From: "Chuck Rock"
To:
Subject: Natd and IPFW ( I think I've asked before with no help)...
Date: Thu, 21 Jun 2001 10:40:23 -0500
Message-ID: <001801c0fa68$7c955c80$1805010a@epconline.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Importance: Normal
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

We are deploying FreeBSD firewalls with NATD running as well.

Problem 1. We have aliased real IPs on an interface, but natd.cf only lets us forward ports from the original interface IP, not from the aliased IPs. So we have to use, like, four network cards and multiple firewalls to accomplish the desired routing of ports by real IP address to internal private IPs. Has anyone fixed this, or come up with a better solution?

Problem 2. We also use Portsentry, and when we forward ports with natd, they forward BEFORE Portsentry can see them. So if we have an internal machine as a mail server, and forward a real IP to an internal IP for port 25, but we use Portsentry to watch traffic on that real IP, it never sees portscans on that IP because natd never passes the packets that don't match the forwarding to the level that Portsentry is watching.

Would running natd from rc.local alleviate this? Is that possible?

Thanks for your help,

Chuck Rock
Internet Services Manager
EPC Inc.
http://www.epctech.com
http://www.epconline.com
http://www.pconramp.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
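As an added illustration of the two configuration points raised in the post above (this is not part of the original message and not the list's or FreeBSD's own code): a small POSIX shell script that generates a natd.conf whose redirect_port entry names an aliased public address explicitly as the public side of the mapping, and an ipfw ruleset that places a logging rule ahead of the divert-to-natd rule so that inbound packets aimed at that address are recorded before natd rewrites their destination. The interface name fxp0, the TEST-NET addresses 192.0.2.1 and 192.0.2.10, the internal mail host 10.1.5.24 and the rule numbers are all assumed values.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a natd.conf and an
# ipfw ruleset; it does not touch the running firewall. All addresses and
# the interface name below are assumptions (TEST-NET and RFC 1918 space).
EXT_IF=${EXT_IF:-fxp0}            # assumed external interface
PRIMARY_IP=${PRIMARY_IP:-192.0.2.1}  # assumed primary address of EXT_IF
ALIAS_IP=${ALIAS_IP:-192.0.2.10}     # assumed aliased address on EXT_IF
MAIL_HOST=${MAIL_HOST:-10.1.5.24}    # assumed internal mail server

# natd.conf: alias_address is the interface's primary address, while the
# redirect_port line names the alias explicitly as the public side of the
# mapping (natd syntax: redirect_port proto targetIP:port [aliasIP:]port).
natd_conf() {
    cat <<EOF
alias_address ${PRIMARY_IP}
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp ${MAIL_HOST}:25 ${ALIAS_IP}:25
EOF
}

# Ordered ipfw rules, in the form read by "ipfw /path/to/file".
# Rule 50 counts and logs inbound TCP to the alias before rule 100 diverts
# the packet to natd, so the log records the public address a connection or
# probe was aimed at rather than the translated internal one. Packets that
# match no redirect keep their original destination after the divert.
ipfw_rules() {
    cat <<EOF
add 50 count log tcp from any to ${ALIAS_IP} in via ${EXT_IF}
add 100 divert natd ip from any to any via ${EXT_IF}
add 200 pass tcp from any to ${MAIL_HOST} 25 in via ${EXT_IF} setup
add 300 pass tcp from any to any established
add 400 pass ip from any to any out via ${EXT_IF}
add 65000 deny log ip from any to any
EOF
}

# Check that the logging rule is numbered below the divert rule; ipfw
# evaluates rules in numeric order, so this is what decides whether the
# log sees pre-NAT or post-NAT destinations.
rules_ordered() {
    log_no=$(ipfw_rules | awk '$3=="count"{print $2}')
    div_no=$(ipfw_rules | awk '$3=="divert"{print $2}')
    [ "$log_no" -lt "$div_no" ]
}

# Stand-alone run: show both generated files.
natd_conf
echo
ipfw_rules
```

The natd.conf text is what `natd -f natd.conf` would read, and the rule list is what `ipfw /path/to/rules` would load; `rules_ordered` is the check that the logging rule precedes the divert, since any rule placed after the divert only ever sees the translated destination.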