Date: Wed, 6 Aug 2003 09:55:56 +0100 From: Philip Payne <philip.payne@uk.mci.com> To: Brian McCann <bjm1287@ritvax.isc.rit.edu>, questions@freebsd.org Subject: RE: NATD & Port Forwarding Problems Message-ID: <36D04A8168B2D41182250008C7E6F8780484F69B@ukcamexch2.cbg.uk.corp.eu.uu.net>
Hi,

> Hi all...I'm at a dead end here. I'm trying to set up my firewall/nat
> box to forward requests on externalIP:portA to internalPC:portB. I put
> 'natd_flags="-redirect_port tcp 1internalPC:portB portA" ' in my rc.conf
> file, and I have the following three statements in my rc.firewall
> script:
>
> ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
> ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out
> ipfw add pass all from any to $LOCALNET_1 via $EXTERNAL_INTERFACE in

Hmmm.... my first thought is the line:

ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out

... wouldn't the outgoing internal packets be going via an internal interface first?... are they allowed out properly somewhere else in your rulebase?

If that's not it, my suggestion would be to temporarily switch on logging against those two pass rules for the internal host, any deny rules you have and, if you don't have one already, a generic logging deny-all as a final rule. These logs should tell you whether any traffic is being blocked and give an indication as to whether the NAT is working properly.

If your site is too busy to grab that much logging then as an alternative you could switch to a completely open ruleset (with NAT enabled) and this would allow you to tell whether it's the firewall rulebase or not.

Phil.
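Phil's suggestion is to put `log` on the pass rules and finish with a logging deny-all, then read the ipfw log to see whether natd is translating and which rule drops what. The script below is an added example and not code from this thread or from FreeBSD; it reads ipfw log lines and, using the rule order the poster described (divert first, then pass-in and pass-out on the external interface), decides for each logged packet whether it was seen before or after natd rewrote it and what that implies. The interface name, addresses, ports and the sample log lines are constructed for illustration, as is the verdict wording.

```python
"""Triage ipfw log lines from a natd redirect_port setup.

Added example, not code from the mail thread.  It assumes the poster's rule
order (divert, then pass-in and pass-out on the external interface) with the
'log' keyword on the pass rules and a final 'deny log all from any to any'.
Interface, addresses, ports and the log lines are constructed.
"""
import ipaddress
import re

# Constructed scenario (assumptions, not values from the thread).
EXT_IF = "fxp0"                                      # $EXTERNAL_INTERFACE
EXT_IP = "198.51.100.2"                              # externalIP
INTERNAL_PC = "192.168.1.10"                         # internalPC
LOCALNET = ipaddress.ip_network("192.168.1.0/24")    # $LOCALNET_1
PORT_A = 8080                                        # externalIP:portA
PORT_B = 80                                          # internalPC:portB

# ipfw(8) kernel log line, optionally behind a syslog prefix:
#   ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <if>
LOG_RE = re.compile(
    r"ipfw: (?P<rule>\d+) "
    r"(?P<action>Accept|Deny|Reject|Reset|Count|Divert \d+|Unreach \d+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifname>\S+)"
)

# What each verdict tag tells the person debugging the box.
ADVICE = {
    "in-diverted-pre-nat":  "inbound request handed to natd; expect a translated copy next",
    "in-denied-pre-nat":    "inbound request denied while still addressed to externalIP:portA: "
                            "the divert rule was not reached or natd is not applying the redirect",
    "in-passed-pre-nat":    "inbound request passed untranslated: the divert rule did not match it",
    "in-denied-post-nat":   "natd rewrote the destination to internalPC:portB, then a deny rule "
                            "hit before the pass-in rule; check rule order",
    "in-passed-post-nat":   "inbound request translated and passed",
    "out-diverted-pre-nat": "reply from internalPC handed to natd",
    "out-denied-pre-nat":   "reply denied before natd could rewrite it",
    "out-passed-pre-nat":   "reply left with its private source address: natd did not translate it",
    "out-denied-post-nat":  "translated reply denied: after natd the source is externalIP, so a "
                            "'pass ... from $LOCALNET_1 to any ... out' rule no longer matches it",
    "out-passed-post-nat":  "reply translated and passed",
}


def parse(line):
    """Return the fields of an ipfw log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def classify(line):
    """Map one log line to a verdict tag, or None for traffic outside the forward."""
    p = parse(line)
    if p is None or p["ifname"] != EXT_IF or p["proto"] != "TCP":
        return None
    verb = p["action"].split()[0]            # "Divert 8668" -> "Divert"
    if verb == "Count":
        return None
    outcome = {"Divert": "diverted", "Accept": "passed"}.get(verb, "denied")
    if p["dir"] == "in":
        if p["dst"] == EXT_IP and int(p["dport"]) == PORT_A:
            return f"in-{outcome}-pre-nat"        # seen before natd rewrote the destination
        if p["dst"] == INTERNAL_PC and int(p["dport"]) == PORT_B:
            return f"in-{outcome}-post-nat"       # seen after natd reinjected it
    else:
        if ipaddress.ip_address(p["src"]) in LOCALNET and int(p["sport"]) == PORT_B:
            return f"out-{outcome}-pre-nat"       # reply still carries the private source
        if p["src"] == EXT_IP and int(p["sport"]) == PORT_A:
            return f"out-{outcome}-post-nat"      # reply already rewritten to externalIP:portA
    return None


def triage(log_text):
    """Return [(rule_number, tag)] for every relevant line, in log order."""
    results = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag is not None:
            results.append((int(parse(line)["rule"]), tag))
    return results


# Constructed sample log: one translated-then-blocked request, one request
# whose reply is dropped after translation, one request natd never rewrote,
# and an unrelated UDP line on the inside interface.
SAMPLE_LOG = """\
Aug  6 09:50:01 fw /kernel: ipfw: 50 Divert 8668 TCP 203.0.113.7:40001 198.51.100.2:8080 in via fxp0
Aug  6 09:50:01 fw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:40001 192.168.1.10:80 in via fxp0
Aug  6 09:50:05 fw /kernel: ipfw: 100 Accept TCP 203.0.113.7:40002 192.168.1.10:80 in via fxp0
Aug  6 09:50:05 fw /kernel: ipfw: 65000 Deny TCP 198.51.100.2:8080 203.0.113.7:40002 out via fxp0
Aug  6 09:50:09 fw /kernel: ipfw: 65000 Deny TCP 203.0.113.7:40003 198.51.100.2:8080 in via fxp0
Aug  6 09:50:12 fw /kernel: ipfw: 200 Accept UDP 192.168.1.10:53 192.168.1.1:53 out via rl0
"""

if __name__ == "__main__":
    for rule, tag in triage(SAMPLE_LOG):
        print(f"rule {rule:5d}  {tag:22s}  {ADVICE.get(tag, tag)}")
```

The split into pre-NAT and post-NAT verdicts is the whole point of logging both the pass rules and the final deny: a packet logged with the external address and portA was seen before natd touched it, one logged with internalPC:portB was seen after, and ipfw resumes at the rule after the divert, so the addresses in the log tell you which side of the translation a drop happened on. The out-denied-post-nat case is worth checking in the poster's ruleset in particular, because on the return path natd has already replaced the private source with the external address before the `pass ... from $LOCALNET_1 ... out` rule is evaluated.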
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36D04A8168B2D41182250008C7E6F8780484F69B>