From owner-freebsd-questions@FreeBSD.ORG Mon Feb 28 14:29:17 2005
Delivered-To: freebsd-questions@freebsd.org
Sender: lowell@be-well.ilk.org
To: Deling Ren
References: <20050225233650.X66135@sun.home.homeunix.org>
From: Lowell Gilbert
Date: 28 Feb 2005 09:29:13 -0500
In-Reply-To: <20050225233650.X66135@sun.home.homeunix.org>
Message-ID: <44d5ukzrk6.fsf@be-well.ilk.org>
Lines: 55
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.3
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
cc: freebsd-questions@freebsd.org
Subject: Re: Question about ipfw, natd and port forwarding.
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: freebsd-questions@freebsd.org
List-Id: User questions
X-List-Received-Date: Mon, 28 Feb 2005 14:29:17 -0000

Deling Ren writes:

> Hi all, I am trying to set up a NAT box for my home network on freebsd 5.3.
> I am using ipfw and natd. I already got nat running but I am having a
> problem with port forwarding. I am trying to forward port 80 on the nat
> box to an internal machine (192.168.0.7). I have the following as part of
> natd_flags:
>
> -redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80
>
> where xx.xx.xx.xx is the external IP of the nat box.
>
> Using the following ipfw rules:
>
> 00050 divert 8668 ip from any to any via sis0
> 65535 allow ip from any to any
>
> I have no problem connecting to port 80 on the nat box from outside. But as I
> added stateful ipfw rules, it stops working. Running nmap from outside
> says port 80 is filtered. I am not sure how to configure the rules to
> enable port forwarding. Any help will be appreciated. Thanks.
>
> Deling
>
> Here are my ipfw rules:
>
> 00005 allow ip from any to any via $iif
> 00010 allow ip from any to any via lo0
> 00014 divert 8668 ip from any to any in via $oif
>
> 00015 check-state
>
> 00060 skipto 800 tcp from any to any out via $oif setup keep-state
> 00080 skipto 800 icmp from any to any out via $oif keep-state
> 00130 skipto 800 udp from any to any out via $oif keep-state
>
> 00340 allow icmp from any to me in via $oif keep-state
>
> 00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
> 00380 allow tcp from any to me dst-port 22 in via $oif setup limit src-addr 5
>
> 00400 deny log logamount 5 ip from any to any in via $oif
> 00450 deny log logamount 5 ip from any to any out via $oif
>
> 00800 divert 8668 ip from any to any out via $oif
> 00801 allow ip from any to any
> 00999 deny log logamount 5 ip from any to any

Stateful rules are quite tricky in combination with address rewriting,
because the state being saved won't match the packet after it's passed
through the rewriting. This rule set seems to handle that by splitting
the redirect rule into one for each direction, but I'd still look in
that direction for the trouble. Try removing the log limits and seeing
what happens when an HTTP packet gets dropped.
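As an added illustration, not part of the thread and not ipfw itself, the following Python script models the order in which ipfw walks the rules quoted above, with natd's port redirect and ipfw's dynamic (keep-state) entries reduced to a few lines each. It models only the pass over the external interface $oif and only the port-80 redirect, uses documentation-range addresses in place of xx.xx.xx.xx and the outside client, and assumes two pieces of ipfw behaviour: a packet coming back from a divert socket re-enters the ruleset at the rule after the divert, and a matching check-state executes the action of the rule that created the dynamic entry. It traces the client's SYN and the server's reply twice, once with rule 360 exactly as posted (allow ... keep-state) and once with the same rule written as skipto 800 ... keep-state, the pattern rules 60, 80 and 130 already use for the other direction.

```python
"""Model of how ipfw walks the poster's $oif rules with natd diverts and dynamic rules.

Added example, not code from the mailing-list thread. Assumed ipfw semantics:
a diverted packet re-enters at the rule after the divert, and a matching
check-state executes the action of the rule that created the dynamic entry.
"""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Tuple

Endpoint = Tuple[str, int]
EXT_IP = "203.0.113.10"                      # constructed stand-in for xx.xx.xx.xx
SERVER: Endpoint = ("192.168.0.7", 80)       # the internal web server from the post
CLIENT: Endpoint = ("198.51.100.5", 40000)   # constructed outside client


@dataclass(frozen=True)
class Packet:
    proto: str
    src: Endpoint
    dst: Endpoint
    direction: str        # "in" or "out" relative to the external interface $oif
    setup: bool = False   # a pure SYN, which is what ipfw's "setup" keyword matches


def natd(pkt: Packet) -> Packet:
    """Only the -redirect_port tcp 192.168.0.7:80 EXT_IP:80 mapping is modelled."""
    if pkt.direction == "in" and pkt.dst == (EXT_IP, 80):
        return replace(pkt, dst=SERVER)
    if pkt.direction == "out" and pkt.src == SERVER:
        return replace(pkt, src=(EXT_IP, 80))
    return pkt


@dataclass
class Rule:
    num: int
    action: str                        # allow | deny | skipto | divert | check-state
    match: Callable[[Packet], bool]
    keep_state: bool = False
    target: int = 0                    # skipto destination


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = sorted(rules, key=lambda r: r.num)
        self.dynamic: Dict[tuple, Rule] = {}   # flow -> rule that created the entry

    @staticmethod
    def flow(p: Packet) -> tuple:
        # a dynamic entry matches both directions between the same two endpoints
        return (p.proto, frozenset([p.src, p.dst]))

    def run(self, pkt: Packet):
        """Return (verdict, packet as it leaves the ruleset, trace of rules that acted)."""
        trace, idx = [], 0
        while idx < len(self.rules):
            rule = self.rules[idx]
            acting = None
            if rule.action == "check-state":
                acting = self.dynamic.get(self.flow(pkt))
            elif rule.match(pkt):
                acting = rule
                if rule.keep_state:
                    # the entry is keyed on the packet as it looks here, i.e. after rule 14
                    self.dynamic[self.flow(pkt)] = rule
            if acting is None:
                idx += 1
                continue
            trace.append(f"{rule.num} {acting.action}" if acting is rule
                         else f"{rule.num} check-state -> {acting.num} {acting.action}")
            if acting.action in ("allow", "deny"):
                return acting.action, pkt, trace
            if acting.action == "divert":
                pkt = natd(pkt)            # re-injected at the next rule
                idx += 1
            elif acting.action == "skipto":
                idx = next((i for i, r in enumerate(self.rules) if r.num >= acting.target),
                           len(self.rules))
        return "deny", pkt, trace          # ipfw's implicit final deny


def ruleset(rule360_action: str) -> List[Rule]:
    """The poster's $oif rules; the $iif/lo0, icmp, udp and ssh rules are left out."""
    def tcp_in_80(p: Packet) -> bool:
        return p.proto == "tcp" and p.direction == "in" and p.dst[1] == 80 and p.setup
    return [
        Rule(14, "divert", lambda p: p.direction == "in"),
        Rule(15, "check-state", lambda p: False),
        Rule(60, "skipto", lambda p: p.proto == "tcp" and p.direction == "out" and p.setup,
             keep_state=True, target=800),
        Rule(360, rule360_action, tcp_in_80, keep_state=True, target=800),
        Rule(400, "deny", lambda p: p.direction == "in"),
        Rule(450, "deny", lambda p: p.direction == "out"),
        Rule(800, "divert", lambda p: p.direction == "out"),
        Rule(801, "allow", lambda p: True),
    ]


def simulate(rule360_action: str) -> dict:
    """Run the client's SYN in, then the server's SYN-ACK out, through a fresh ruleset."""
    fw = Firewall(ruleset(rule360_action))
    syn = Packet("tcp", CLIENT, (EXT_IP, 80), "in", setup=True)
    v_in, _, t_in = fw.run(syn)
    reply = Packet("tcp", SERVER, CLIENT, "out")
    v_out, out_pkt, t_out = fw.run(reply)
    return {"syn": (v_in, t_in), "reply": (v_out, t_out), "reply_src": out_pkt.src}


if __name__ == "__main__":
    for action in ("allow", "skipto"):
        r = simulate(action)
        print(f"rule 360 as '{action} ... keep-state':")
        print("  SYN  :", *r["syn"])
        print("  reply:", *r["reply"], "-> leaves with source", r["reply_src"])
```

What the model shows, under the assumed semantics: with rule 360 as posted, the server's reply is accepted at rule 15 by the dynamic entry that rule 360 created, so it never reaches the divert at rule 800 and leaves with 192.168.0.7 as its source address; written as skipto 800 ... keep-state, the same reply is sent through natd first and leaves with the external address. That is the direction-splitting Lowell refers to, applied to the inbound redirect as well as to outbound connections, and dropping the log limits on rules 400 and 450, as he suggests, is how to confirm on the real box which rule is dropping the HTTP traffic.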