From: Philip Payne
To: Brian McCann, questions@freebsd.org
Date: Wed, 6 Aug 2003 09:55:56 +0100
Subject: RE: NATD & Port Forwarding Problems

Hi,

> Hi all... I'm at a dead end here. I'm trying to set up my firewall/NAT
> box to forward requests on externalIP:portA to internalPC:portB. I put
> 'natd_flags="-redirect_port tcp 1internalPC:portB portA"' in my rc.conf
> file, and I have the following three statements in my rc.firewall
> script:
>
> ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
> ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out
> ipfw add pass all from any to $LOCALNET_1 via $EXTERNAL_INTERFACE in

Hmmm.... my first thought is the line:

ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out

... wouldn't the outgoing internal packets be going via an internal interface first? Are they allowed out properly somewhere else in your rulebase?

If that's not it, my suggestion would be to temporarily switch on logging against those two pass rules for the internal host, any deny rules you have and, if you don't have one already, a generic logging deny-all as a final rule. These logs should tell you whether any traffic is being blocked and give an indication as to whether the NAT is working properly.

If your site is too busy to grab that much logging then, as an alternative, you could switch to a completely open ruleset (with NAT enabled) and this would allow you to tell whether it's the firewall rulebase or not.

Phil.
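The logging ruleset Phil describes, together with his open-ruleset alternative, as an added example that is not from the thread. Interface names, the internal network, the redirected host and the ports are assumptions; the script prints the rules by default and only loads them if fwcmd is pointed at /sbin/ipfw.

```shell
#!/bin/sh
# Added example, not from the thread: an ipfw ruleset with the logging
# Phil suggests, plus the "open ruleset with NAT" alternative. Interface
# names and addresses are assumptions. fwcmd defaults to a dry run that
# prints the rules; set fwcmd=/sbin/ipfw on the FreeBSD box to load them.
fwcmd="${fwcmd:-echo ipfw}"

EXTERNAL_INTERFACE="fxp0"     # assumed external NIC (natd_interface)
INTERNAL_INTERFACE="fxp1"     # assumed internal NIC
LOCALNET_1="192.168.1.0/24"   # assumed internal network
# rc.conf side, as in the original post (assumed host and ports):
#   natd_enable="YES"
#   natd_interface="fxp0"
#   natd_flags="-redirect_port tcp 192.168.1.10:8080 80"
# ipfw only writes "log" matches once net.inet.ip.fw.verbose=1 is set.

# Ruleset for finding where traffic is dropped: every pass rule the
# internal host depends on is logged, and a logged deny-all is last.
debug_ruleset() {
    ${fwcmd} -f flush
    # LAN packets arrive on the internal interface before they ever
    # reach the external-interface rules (Phil's first point).
    ${fwcmd} add 100 pass log all from any to any via ${INTERNAL_INTERFACE}
    # Hand everything on the external interface to natd.
    ${fwcmd} add 200 divert 8668 all from any to any via ${EXTERNAL_INTERFACE}
    # The two pass rules from the original post, now logged. After the
    # divert, outbound packets carry the translated external address, so
    # the log shows whether rule 300 ever matches at all.
    ${fwcmd} add 300 pass log all from ${LOCALNET_1} to any via ${EXTERNAL_INTERFACE} out
    ${fwcmd} add 400 pass log all from any to ${LOCALNET_1} via ${EXTERNAL_INTERFACE} in
    # Anything logged here (/var/log/security) is what the rulebase blocks.
    ${fwcmd} add 65000 deny log all from any to any
}

# Phil's alternative: NAT on, firewall wide open. If forwarding works
# with this, the rulebase is the problem; if not, look at natd itself.
open_nat_ruleset() {
    ${fwcmd} -f flush
    ${fwcmd} add 100 divert 8668 all from any to any via ${EXTERNAL_INTERFACE}
    ${fwcmd} add 200 pass all from any to any
}

case "${1:-debug}" in
    debug) debug_ruleset ;;
    open)  open_nat_ruleset ;;
esac
```

Run it as `sh rules.sh debug` or `sh rules.sh open`; with fwcmd unset it only prints the ipfw commands, so the ruleset can be reviewed before it is loaded.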