From: "Crist J. Clark"
Subject: Re: ipfw & forwarding ports....
To: fordp@guide.chi.il.us (Ford Prefect)
Cc: freebsd-questions@FreeBSD.ORG
Date: Mon, 8 Nov 1999 20:32:21 -0500 (EST)

Ford Prefect wrote,
> natd and ipfw have been running just fine for me until I tried to do the
> following:
>
> I have my outside interface which gets its address via DHCP on ed0.
> I have my inside interface set to 192.168.a.b
>
> and another machine on that same subnet 192.168.a.c
>
>
> I need to get port 80 from the outside to 192.168.a.c 80 I've been playing
> with ipfw but nothing seems to work. Perhaps I'm doing something stupid...
>
> Here's what I've tried:
>
> ipfw add fwd 192.168.a.c,80 from any to any
> ipfw add fwd 192.168.a.c,80 from any to any 80
> ipfw add fwd 192.168.a.c,80 from any to any 80 via out_interface
> ipfw add fwd 192.168.a.c from any to any 80
> ipfw add fwd 192.168.a.c from any to any 80 via out_interface
>
> I've also used 'ipfw add X fwd ...' to place the entries before and after
> the natd divert and around other rule chunks that could cause a problem.
>
> I've made sure my old rules weren't conflicting with the new ones while
> testing (by rebooting, or placing them earlier)
>
> I'm out of ideas so I figured I'd ask you guys :)

Let us review the ipfw(8) manpage,

  "fwd ipaddr [,port]
       Change the next-hop on matching packets to ipaddr, which can be
       an IP address in dotted quad or a host name...

       ...If ipaddr is a local address, then on a packet entering the
       system from a remote host it will be diverted to port on the
       local machine, keeping the local address of the socket set to
       the original IP address the packet was destined for."

To rephrase, the original destination IP of the packet IS NOT
CHANGED. Does your webserver on 192.168.a.c know it is supposed to
accept packets with destinations of 192.168.a.b? Probably not.

You are already running a tool that is meant to do this however,
natd(8). See the '-redirect_port' option.
-- 
Crist J. Clark                           cjclark@home.com
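
The natd(8) setup the reply points to, written out as an /etc/rc.conf fragment. This is an added example, not part of the original message. It assumes natd is started from rc.conf through the `natd_enable`, `natd_interface` and `natd_flags` variables, and it keeps 192.168.a.c as the placeholder address used in the post.

```sh
# /etc/rc.conf fragment on the gateway (added example, sh variable syntax).
# 192.168.a.c is the placeholder from the post; substitute the web
# server's real inside address.

natd_enable="YES"
natd_interface="ed0"    # outside interface; its address is natd's alias address

# -dynamic
#     ed0 is configured by DHCP, so natd follows changes to its address.
# -redirect_port tcp 192.168.a.c:80 80
#     TCP connections arriving on the alias address, port 80, get their
#     destination rewritten to 192.168.a.c:80. Replies from the web server
#     are translated back on the way out. This is the address rewrite that
#     'ipfw fwd' does not perform.
natd_flags="-dynamic -redirect_port tcp 192.168.a.c:80 80"

# Firewall side (commands for the ipfw rule script, shown as comments):
#
#   The existing divert rule stays, so traffic on ed0 passes through natd
#   in both directions:
#     ipfw add divert natd all from any to any via ed0
#
#   Rules placed after the divert see the translated packet, so the rule
#   that admits the redirected traffic matches the inside address. Opening
#   only this host and port keeps the rest of the inside net unexposed:
#     ipfw add allow tcp from any to 192.168.a.c 80
#
#   The 'fwd 192.168.a.c,80 ...' rules from the post are removed. They
#   change the next hop only and leave the destination address untouched.
```
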