Date: Wed, 22 Mar 2006 01:07:11 +0000
From: John Murphy <sub02@freeode.co.uk>
To: freebsd-questions@freebsd.org
Subject: Re: ipfilter & nat redirect
Message-ID: <548122hg7q2toe5461jpo9t8bua72uq9oj@4ax.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGOEMOHCAA.fbsd_user@a1poweruser.com>
References: <MIEPLLIBMLEEABPDBIEGOEMOHCAA.fbsd_user@a1poweruser.com>

"fbsd_user" <fbsd_user@a1poweruser.com> wrote:

>I have a web server on my private LAN that I want
>to be accessible from the public internet.
>
>dc0 is the interface facing the public internet
>
>I added this rdr rule after the map rules at the end of my nat file.
>
> rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
>
>also tried this rule
>
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

I have 'tcpudp' after the port in my rdr rules, but see below.

>My understanding of the documentation says the above rdr rule means,
>
>check all packets inbound on interface dc0, and
>no matter what the sending ip address of the packet may be,
>if the port number of the destination ip address of that packet
>matches port 80,
>then re-write the packet's destination ip address and port to
>10.0.10.4 port 8080 and create the internal nat table to
>handle the translation of the outbound packets coming from
>10.0.10.4.
>Then hand the re-written packet to the firewall to be processed
>against the firewall rules.
>
>My ipfilter firewall rules would need a pass rule like this
>
>pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
>flags S keep state

I think the filter action occurs before NAT so you would need this:

pass in log quick on dc0 proto tcp from any to <your live IP> port = 80

-- 
John.
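A small parser for the ipnat rdr syntax quoted in this thread, added here as an example (it is not code from the thread or from IPFilter). It normalises the two source forms fbsd_user tried, extracts the interface, ports and internal target, and reports which rules omit a protocol qualifier such as the 'tcpudp' John mentions; only the rdr subset used in the thread is handled, and the sample rules are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rules: the two forms from the thread plus one that
# carries the protocol qualifier John says he uses.
SAMPLE_RULES = [
    "rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080",
    "rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080",
    "rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080 tcpudp",
]

# Subset of the rdr grammar: no from/to pairs, port ranges or round-robin.
RDR_RE = re.compile(
    r"^rdr\s+(?P<ifname>\S+)\s+(?P<src>\S+)\s+port\s+(?P<port>\d+)"
    r"\s+->\s+(?P<dst>\S+)\s+port\s+(?P<dport>\d+)"
    r"(?:\s+(?P<proto>tcp|udp|tcpudp|tcp/udp))?\s*$"
)

@dataclass
class RdrRule:
    ifname: str
    src: ipaddress.IPv4Network   # external destination block the rule matches
    port: int                    # public port on the external address
    dst: ipaddress.IPv4Address   # internal host the packet is rewritten to
    dport: int                   # internal port
    proto: Optional[str]         # None when the rule gives no qualifier

def normalise_network(text: str) -> ipaddress.IPv4Network:
    """Expand ipnat shorthand such as '0/0' into a full CIDR network."""
    addr, _, prefix = text.partition("/")
    parts = addr.split(".")
    while len(parts) < 4:
        parts.append("0")
    return ipaddress.IPv4Network(
        ".".join(parts) + ("/" + prefix if prefix else "/32"), strict=False)

def parse_rdr(line: str) -> RdrRule:
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rdr syntax: {line!r}")
    return RdrRule(m["ifname"], normalise_network(m["src"]), int(m["port"]),
                   ipaddress.IPv4Address(m["dst"]), int(m["dport"]), m["proto"])

def rules_without_protocol(lines: List[str]) -> List[RdrRule]:
    """Return the parsed rules that carry no protocol qualifier."""
    return [r for r in map(parse_rdr, lines) if r.proto is None]
```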