From: "fbsd_user" <fbsd_user@a1poweruser.com>
To: freebsd-questions@FreeBSD.ORG
Date: Tue, 21 Mar 2006 13:27:07 -0500
Subject: ipfilter & nat redirect

I have a web server on my private LAN that I want to be accessible from the public Internet. dc0 is the interface facing the public Internet. I added this rdr rule after the map rules at the end of my nat file:

    rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080

I also tried this rule:

    rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

My understanding of the documentation says the above rdr rule means: check all packets inbound on interface dc0, and no matter what the sending IP address of the packet may be, if the port number of the destination IP address of that packet matches port 80, then re-write the packet's destination IP address and port to 10.0.10.4 port 8080 and create the internal nat table entry to handle the translation of the outbound packets coming from 10.0.10.4. Then hand the re-written packet to the firewall to be processed against the firewall rules.

My ipfilter firewall rules would need a pass rule like this to create the bi-directional packet session:

    pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080 flags S keep state

Problem is I can't get this to work. I see nothing in the log for the pass rule. Anybody have any idea what I am doing wrong, or if my understanding of the re-direct process is in error?
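The following is an added illustration, not code from the post or from ipfilter itself: a small Python model of ipfilter's inbound processing order, in which an ipnat `rdr` rule rewrites the destination address and port before the ipf filter rules are evaluated, so the filter rule has to name the translated (internal) address, as the pass rule above does. It parses only the two rule shapes that appear in the post; the packet addresses (192.0.2.10 standing in for the public side of dc0, 203.0.113.7 as the client) are constructed documentation addresses, and the `Packet`, `RdrRule`, `FilterRule` and `inbound` names are this example's own.

```python
# Added illustration of ipfilter inbound order: NAT (rdr) first, filter second.
# Not ipfilter's own code; only the rule shapes quoted in the post are parsed.
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


def _net(text):
    """Parse an ipnat/ipf address: '0/0', '0.0.0.0/0', '10.0.10.4' or 'any'."""
    if text == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    addr, _, bits = text.partition("/")
    if addr == "0":               # ipnat accepts the shorthand 0/0 for 0.0.0.0/0
        addr = "0.0.0.0"
    return ipaddress.IPv4Network(f"{addr}/{bits or 32}")


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    iface: str
    dst_net: ipaddress.IPv4Network   # address/mask before "port": the destination to match
    dst_port: int
    new_dst: str
    new_port: int

    def apply(self, pkt):
        """Return the packet with its destination rewritten if the rule matches."""
        if (pkt.iface == self.iface and pkt.dport == self.dst_port
                and ipaddress.IPv4Address(pkt.dst) in self.dst_net):
            return replace(pkt, dst=self.new_dst, dport=self.new_port)
        return pkt


def parse_rdr(line):
    # rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
    t = line.split()
    if t[0] != "rdr" or t[3] != "port" or t[5] != "->" or t[7] != "port":
        raise ValueError(f"unsupported rdr syntax: {line}")
    return RdrRule(t[1], _net(t[2]), int(t[4]), t[6], int(t[8]))


@dataclass(frozen=True)
class FilterRule:
    action: str                      # pass / block
    quick: bool
    iface: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dst_port: Optional[int]

    def matches(self, pkt):
        return (pkt.iface == self.iface and pkt.proto == self.proto
                and ipaddress.IPv4Address(pkt.src) in self.src_net
                and ipaddress.IPv4Address(pkt.dst) in self.dst_net
                and (self.dst_port is None or pkt.dport == self.dst_port))


def parse_filter(line):
    # pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080 flags S keep state
    t = line.split()
    if t[1] != "in":
        raise ValueError("only inbound rules are modelled")
    dport = None
    if "port" in t:                  # the only "port" in these rules follows "to"
        i = t.index("port")
        if t[i + 1] != "=":
            raise ValueError("only 'port = N' is modelled")
        dport = int(t[i + 2])
    return FilterRule(t[0], "quick" in t, t[t.index("on") + 1],
                      t[t.index("proto") + 1], _net(t[t.index("from") + 1]),
                      _net(t[t.index("to") + 1]), dport)


def inbound(pkt, rdr_rules, filter_rules):
    """Inbound: the first matching rdr rewrites the packet, then the filter
    rules see the rewritten packet. 'quick' stops at the first match,
    otherwise the last matching rule decides. Returns (decision, packet)."""
    for r in rdr_rules:
        new = r.apply(pkt)
        if new is not pkt:
            pkt = new
            break
    decision = "no match"
    for f in filter_rules:
        if f.matches(pkt):
            decision = f.action
            if f.quick:
                break
    return decision, pkt


NAT = [parse_rdr("rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080")]
FILTER = [parse_filter("pass in log quick on dc0 proto tcp from any "
                       "to 10.0.10.4 port = 8080 flags S keep state")]


def demo():
    # Constructed sample traffic arriving on dc0 from a client on the Internet.
    web = Packet("dc0", "tcp", "203.0.113.7", 51234, "192.0.2.10", 80)
    other = Packet("dc0", "tcp", "203.0.113.7", 51235, "192.0.2.10", 443)
    return inbound(web, NAT, FILTER), inbound(other, NAT, FILTER)


if __name__ == "__main__":
    for decision, seen in demo():
        print(f"{decision:9s} filter saw dst {seen.dst}:{seen.dport}")
```

Running it shows the port-80 packet reaching the filter as `10.0.10.4:8080` and passing, while the port-443 packet is left untouched by the rdr and matches no rule in this ruleset. A filter rule written against the pre-translation address (`to 192.0.2.10 port = 80`) never matches in this model, which is the reason the pass rule in the post names the internal host and port rather than the public ones.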