Date:      Mon, 14 Feb 2000 22:13:27 -0500
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        Brent Kearney <brent@kearneys.ca>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: Natd, ipfw, & redirect_port
Message-ID:  <20000214221327.D41631@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <20000214130326.A6743@kearneys.ca>; from brent@kearneys.ca on Mon, Feb 14, 2000 at 01:03:26PM -0800
References:  <20000214130326.A6743@kearneys.ca>

On Mon, Feb 14, 2000 at 01:03:26PM -0800, Brent Kearney wrote:
> 
> I know this is covered by previous posts, but the archive is still
> not back up, and I can't wait any longer.
> 
> I'm running FreeBSD 3.4 on an x86, with NATd & two NICs.  I'm trying
> to forward all connections to a particular port on the outside
> machine, to a particular port on an inside machine (for ssh). I've
> done this before (under 3.2 I think), and I don't remember it being 
> difficult at all.  However, it's not working.  
> 
> Here's my natd rc.conf line:
> 
> natd_flags="-n pn0 -m -log_denied -f /etc/natd.conf"
> 
> And my natd.conf:
> 
> redirect_port tcp Plato:22 2200
> redirect_port udp Plato:22 2200
> 
> One difference between my old setup (3.2) and the new one, is that now
> I have default_to_accept disabled, so my firewall rules are quite a
> bit tighter.  However, because one of the first rules passes all IP
> traffic to natd, do I need anything else?
> 
> I tried this, to no avail, anyways (from rc.firewall):
> 
> Allow connections to port 2200 for ssh access to Plato
>     $fwcmd add pass tcp from any to any 2200 setup
>     $fwcmd add pass udp from any to any 2200
> 
> Any connection attempts to port 2200 just sit there.  I know the
> problem is not on the internal machine (Plato), because computers on
> the LAN have no problem connecting with ssh to it.

Could we see all of the rules ('ipfw list' output)? However, I might
guess what is going on.

You said that the natd(8) divert(4) occurs at one of the first
rules. Then farther down, you have the 2200 rules shown above. But
the packets have already been through NAT. The packet that came in
destined for the NATd box's external IP and port 2200 has a
destination of plato and port 22 by the time it hits this rule. It
will not pass this rule.
-- 
Crist J. Clark                           cjclark@home.com


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
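The ordering problem Crist describes, modelled as an added example (this is not code from the thread or from FreeBSD): a tiny first-match rule walker in which the divert rule rewrites an inbound packet the way natd's redirect_port does, so that a later rule written against the pre-translation destination (port 2200 on the outside address) never sees that packet. The addresses, the rule numbers and the "Plato" IP are constructed, and the model ignores ipfw features not needed for the point (keep-state, established, the check-state rule). It also shows the fix: matching the post-NAT destination, which has the side benefit of passing only Plato port 22 rather than port 22 on any inside host.

```python
"""Model of first-match ipfw evaluation with a natd divert rule.

Added illustration; hosts and addresses are constructed:
'Plato' is 192.168.1.10, the NAT box's outside address is 203.0.113.5.
"""
from dataclasses import dataclass, replace

PLATO = "192.168.1.10"        # constructed inside address of Plato
OUTSIDE_IP = "203.0.113.5"    # constructed external address of the NAT box

# natd.conf "redirect_port tcp Plato:22 2200" (and the udp twin), as a table:
# (proto, outside port) -> (inside host, inside port)
REDIRECTS = {("tcp", 2200): (PLATO, 22), ("udp", 2200): (PLATO, 22)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    setup: bool = True   # TCP SYN without ACK; ipfw 'setup' matches only these


def natd_inbound(pkt):
    """Rewrite the destination as natd does for an inbound packet that hits a
    redirect_port entry; anything else passes through unchanged."""
    target = REDIRECTS.get((pkt.proto, pkt.dport))
    if target and pkt.dst == OUTSIDE_IP:
        return replace(pkt, dst=target[0], dport=target[1])
    return pkt


def matches(rule, pkt):
    """ipfw-style match on protocol, destination host/port and 'setup'."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if rule["dst"] != "any" and rule["dst"] != pkt.dst:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule.get("setup") and not pkt.setup:
        return False
    return True


def evaluate(rules, pkt):
    """Walk the rules first-match. 'divert' rewrites the packet and continues
    with the next rule; 'pass'/'deny' terminate. With default_to_accept
    disabled, the implicit final rule is deny."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            pkt = natd_inbound(pkt)
            continue
        return rule["action"], pkt
    return "deny", pkt


# Rules as posted: divert first, then 'pass tcp from any to any 2200 setup'.
POSTED_RULES = [
    {"action": "divert", "proto": "ip", "dst": "any", "dport": None},
    {"action": "pass", "proto": "tcp", "dst": "any", "dport": 2200, "setup": True},
]

# Corrected: the pass rule matches the post-NAT destination, Plato port 22.
FIXED_RULES = [
    {"action": "divert", "proto": "ip", "dst": "any", "dport": None},
    {"action": "pass", "proto": "tcp", "dst": PLATO, "dport": 22, "setup": True},
]


def inbound_ssh_attempt():
    """A constructed outside client opening a TCP connection to outside:2200."""
    return Packet("tcp", "198.51.100.7", 40000, OUTSIDE_IP, 2200)


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        verdict, final = evaluate(rules, inbound_ssh_attempt())
        print(f"{name}: {verdict} (packet is now to {final.dst}:{final.dport})")
```

Running it prints `deny` for the posted ordering and `pass` for the corrected one; in the real rc.firewall the equivalent change is to write the pass rule against Plato's inside address and port 22, placed after the divert rule, and to confirm the result with `ipfw list` and the natd log.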