From owner-freebsd-questions@FreeBSD.ORG Wed Mar 22 01:07:13 2006
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7AF1416A41F; Wed, 22 Mar 2006 01:07:13 +0000 (UTC) (envelope-from sub02@freeode.co.uk)
Received: from mail.freeode.co.uk (freeode.co.uk [213.162.123.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE1FE43D48; Wed, 22 Mar 2006 01:07:12 +0000 (GMT) (envelope-from sub02@freeode.co.uk)
Received: from lexx.freeode.co.uk (lexx.freeode.co.uk [10.10.10.2]) by mail.freeode.co.uk (8.13.4/8.13.4) with ESMTP id k2M17BMv033532; Wed, 22 Mar 2006 01:07:11 GMT (envelope-from sub02@freeode.co.uk)
From: John Murphy
To: freebsd-questions@freebsd.org
Date: Wed, 22 Mar 2006 01:07:11 +0000
Message-ID: <548122hg7q2toe5461jpo9t8bua72uq9oj@4ax.com>
X-Mailer: Forte Agent 1.93/32.576 English (American)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: ipfilter & nat redirect
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: sub02@freeode.co.uk
List-Id: User questions
X-List-Received-Date: Wed, 22 Mar 2006 01:07:13 -0000

"fbsd_user" wrote:

>I have a web server on my private LAN that I want
>to be accessible from the public internet.
>
>dc0 is the interface facing the public internet.
>
>I added this rdr rule after the map rules at the end of my nat file.
>
> rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
>
>also tried this rule
>
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

I have 'tcpudp' after the port in my rdr rules, but see below.
>My understanding of the documentation says the above rdr rule means:
>
>check all packets inbound on interface dc0, and
>no matter what the sending IP address of the packet may be,
>if the port number of the destination IP address of that packet
>matches port 80,
>then re-write the packet's destination IP address and port to
>10.0.10.4 port 8080 and create the internal NAT table entry to
>handle the translation of the outbound packets coming from
>10.0.10.4.
>Then hand the re-written packet to the firewall to be processed
>against the firewall rules.
>
>My ipfilter firewall rules would need a pass rule like this:
>
>pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
>flags S keep state

I think the filter action occurs before NAT so you would need this:

pass in log quick on dc0 proto tcp from any to any port = 80

-- 
John.
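The two messages above disagree on whether the pass rule should name the address and port before or after the rdr rewrite. As an added illustration (not code from the thread, and not IPFilter's own code), the Python model below walks one inbound TCP SYN through an rdr rule and then a 'quick' pass rule, in the order IPFilter's documentation gives for inbound traffic (NAT first, then the filter), and also with the order reversed so the effect on the required pass rule is visible. The public-side address 203.0.113.10 and the client 198.51.100.7 are constructed documentation addresses; everything else comes from the thread's rules.

```python
"""Toy model of IPFilter's inbound packet path for the thread's rdr/pass rules.

Added illustration only; not code from the thread or from IPFilter.
IPFilter documents that inbound packets go through NAT (rdr) before the
filter rules see them.  The nat_before_filter switch lets the other order
be tried so that the difference in the required pass rule is visible.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    syn: bool = True          # TCP SYN, i.e. a new connection


@dataclass(frozen=True)
class RdrRule:
    """rdr <iface> <net> port <port> -> <new_dst> port <new_port> <proto>"""
    iface: str
    net: str
    port: int
    new_dst: str
    new_port: int
    proto: str = "tcp/udp"

    def applies(self, p: Packet) -> bool:
        return (p.iface == self.iface
                and p.proto in self.proto.split("/")
                and ip_address(p.dst) in ip_network(self.net)
                and p.dport == self.port)


@dataclass(frozen=True)
class PassRule:
    """pass in quick on <iface> proto <proto> from any to <dst> port = <port> flags S"""
    iface: str
    proto: str
    dst: str                  # "any" or a single address
    port: int

    def matches(self, p: Packet) -> bool:
        return (p.iface == self.iface and p.proto == self.proto
                and self.dst in ("any", p.dst)
                and p.dport == self.port
                and p.syn)    # flags S: only the opening SYN may create state


def apply_rdr(rules, p: Packet) -> Packet:
    """Rewrite destination address/port with the first matching rdr rule."""
    for r in rules:
        if r.applies(p):
            return replace(p, dst=r.new_dst, dport=r.new_port)
    return p


def filter_in(rules, p: Packet) -> bool:
    """All rules are 'quick': first match wins; no match means blocked."""
    return any(r.matches(p) for r in rules)


def inbound(p: Packet, nat_rules, filter_rules, nat_before_filter=True):
    """Return (accepted, packet as it would be delivered)."""
    if nat_before_filter:
        q = apply_rdr(nat_rules, p)
        return filter_in(filter_rules, q), q
    accepted = filter_in(filter_rules, p)
    return accepted, (apply_rdr(nat_rules, p) if accepted else p)


# The thread's rules.  The rdr rule carries an explicit 'tcp' so that UDP
# to port 80 is neither redirected nor passed.
RDR = [RdrRule("dc0", "0.0.0.0/0", 80, "10.0.10.4", 8080, "tcp")]
PASS_TRANSLATED = [PassRule("dc0", "tcp", "10.0.10.4", 8080)]   # fbsd_user's rule
PASS_ORIGINAL = [PassRule("dc0", "tcp", "any", 80)]            # the reply's rule

# Constructed sample packet: a client on the internet opening port 80 on dc0.
CLIENT_SYN = Packet("dc0", "tcp", "198.51.100.7", "203.0.113.10", 80)


def outcome(filter_rules, nat_before_filter=True):
    """(accepted, delivered dst, delivered port) for CLIENT_SYN."""
    accepted, delivered = inbound(CLIENT_SYN, RDR, filter_rules, nat_before_filter)
    return accepted, delivered.dst, delivered.dport


if __name__ == "__main__":
    for name, rules in (("to 10.0.10.4 port 8080", PASS_TRANSLATED),
                        ("to any port 80", PASS_ORIGINAL)):
        for order in (True, False):
            print(f"{name:24s} NAT first={order!s:5s} -> {outcome(rules, order)}")
```

With NAT applied first, only the rule naming 10.0.10.4 port 8080 lets the connection through, and the rule for port 80 never matches because the filter already sees the rewritten packet; with the order reversed the situation flips. Whichever stage the filter runs at, the pass rule has to describe the packet as it looks at that stage, and keeping it tied to one host and one port (rather than `to 10.0.10.4` alone) is what limits the exposure of the internal host to the single service being published.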