From: Erik Norgaard <norgaard@locolomo.org>
Date: Wed, 22 Mar 2006 11:19:42 +0100
To: fbsd_user@a1poweruser.com
Cc: freebsd-questions@FreeBSD.ORG
Message-ID: <442124BE.9090000@locolomo.org>
Subject: Re: ipfilter & nat redirect

fbsd_user wrote:
> I have a web server on my private lan that I want
> to be accessible from the public internet.
>
> dc0 is the interface facing the public internet
>
> I added this rdr rule after the map rules at the end of my nat file.

Ordering is extremely important: nat rules are first match while filter rules are last match unless you add the quick keyword. So, if you have e.g. a binat rule, then the rdr never takes place.

> rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
>
> also tried this rule
>
> rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

Seems ok, but you may want to replace the 0/0 with your external ip/32 if it is fixed.

> My understanding of the documentation says the above rdr rule means,
>
> check all packets inbound on interface dc0, and
> no matter what the sending ip address of the packet may be,
> if the port number of the destination ip address of that packet
> matches port 80,
> then re-write the packet's destination ip address and port to
> 10.0.10.4 port 8080 and create the internal nat table to
> handle the translation of the outbound packets coming from
> 10.0.10.4.
> Then hand the re-written packet to the firewall to be processed
> against the firewall rules.
>
> My ipfilter firewall rules would need a pass rule like this
>
> pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
> flags S keep state
>
> to create the bi-directional packet session.
>
> Problem is I can't get this to work.
> I see nothing in the log for the pass rule.
>
> Anybody have any idea what I am doing wrong
> or if my understanding of the re-direct process is in error.

When using rdr, the rdr rule is applied _before_ the filtering, so the filter rule above seems correct to me.

Always, and in particular for debugging, create a rule that catches and logs anything you haven't thought of. Your log only catches successful passes; after that rule, add a log rule like:

block in log quick on dc0

This should show you the packets that actually are filtered.

Cheers, Erik
--
Ph: +34.666334818
web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID: 9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
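A toy model of the two ordering rules Erik points out (ipnat is first match, ipf is last match unless a matching rule says quick), added here as an illustration; it is not part of the thread and not ipfilter's code, and the external address 192.0.2.1, the binat host 10.0.10.2 and the simplified rule tuples are constructed assumptions.

```python
# Toy model of ipfilter rule ordering (illustration only, not ipfilter's code).
# NAT rules (ipnat.conf): the FIRST matching rule rewrites the packet.
# Filter rules (ipf.conf): the LAST matching rule decides, unless a matching
# rule carries "quick", which stops evaluation at once.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int

# (kind, iface, dst, dport, new_dst, new_dport); None means "any" / "keep".
# The rdr from the thread, matching any destination on dc0 port 80.
NAT_RULES = [("rdr", "dc0", None, 80, "10.0.10.4", 8080)]

def apply_nat(pkt, rules):
    """First match wins: later NAT rules are never consulted."""
    for _kind, iface, dst, dport, new_dst, new_dport in rules:
        if (pkt.iface == iface and (dst is None or pkt.dst == dst)
                and (dport is None or pkt.dport == dport)):
            return replace(pkt, dst=new_dst,
                           dport=pkt.dport if new_dport is None else new_dport)
    return pkt

# (action, quick, log, iface, proto, dst, dport); None means "any".
# The pass rule from the thread followed by Erik's catch-all logging block.
FILTER_RULES = [
    ("pass", True, True, "dc0", "tcp", "10.0.10.4", 8080),
    ("block", True, True, "dc0", None, None, None),
]

def filter_packet(pkt, rules):
    """Return (verdict, index of the matching rule that logged it, or None)."""
    verdict, logged = "pass", None  # ipf default when nothing matches
    for i, (action, quick, log, iface, proto, dst, dport) in enumerate(rules):
        if (pkt.iface == iface and (proto is None or pkt.proto == proto)
                and (dst is None or pkt.dst == dst)
                and (dport is None or pkt.dport == dport)):
            verdict, logged = action, (i if log else logged)
            if quick:
                break  # quick ends evaluation; otherwise last match wins
    return verdict, logged

def process(pkt, nat_rules=NAT_RULES, filter_rules=FILTER_RULES):
    """rdr runs before filtering, so the filter sees the rewritten packet."""
    return filter_packet(apply_nat(pkt, nat_rules), filter_rules)
```

With a binat rule placed before the rdr, the model reproduces Erik's warning: the port-80 packet is consumed by the binat, misses the pass rule and shows up only in the catch-all block log.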