From owner-freebsd-ipfw@FreeBSD.ORG Mon Jun 5 11:03:00 2006
Date: Mon, 5 Jun 2006 11:02:58 GMT
From: FreeBSD bugmaster
To: freebsd-ipfw@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

Critical problems

Serious problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
o [2003/04/22] kern/51274 ipfw  [ipfw] [patch] ipfw2 create dynamic rules
f [2003/04/24] kern/51341 ipfw  [ipfw] [patch] ipfw rule 'deny icmp from
o [2004/11/13] kern/73910 ipfw  [ipfw] serious bug on forwarding of packe
o [2004/11/19] kern/74104 ipfw  [ipfw] ipfw2/1 conflict not detected or r
o [2005/03/13] conf/78762 ipfw  [ipfw] [patch] /etc/rc.d/ipfw should exce
o [2005/05/11] bin/80913  ipfw  [patch] /sbin/ipfw2 silently discards MAC
o [2005/11/08] kern/88659 ipfw  [modules] ipfw and ip6fw do not work prop
o [2006/02/13] kern/93300 ipfw  ipfw pipe lost packets
o [2006/03/29] kern/95084 ipfw  [ipfw] [patch] IPFW2 ignores "recv/xmit/v
o [2006/05/31] kern/98184 ipfw  [ipfw] ipfw add pass 224.0.0.0/4 multicas

10 problems total.

Non-critical problems

S Submitted    Tracker    Resp. Description
-------------------------------------------------------------------------------
a [2001/04/13] kern/26534 ipfw  [ipfw] Add an option to ipfw to log gid/u
o [2002/12/10] kern/46159 ipfw  [ipfw] [patch] ipfw dynamic rules lifetim
o [2003/02/11] kern/48172 ipfw  [ipfw] [patch] ipfw does not log size and
o [2003/03/10] kern/49086 ipfw  [ipfw] [patch] Make ipfw2 log to differen
o [2003/04/09] bin/50749  ipfw  [ipfw] [patch] ipfw2 incorrectly parses p
o [2003/08/26] kern/55984 ipfw  [ipfw] [patch] time based firewalling sup
o [2003/12/30] kern/60719 ipfw  [ipfw] Headerless fragments generate cryp
o [2004/08/03] kern/69963 ipfw  [ipfw] install_state warning about alread
o [2004/09/04] kern/71366 ipfw  [ipfw] "ipfw fwd" sometimes rewrites dest
o [2004/10/22] kern/72987 ipfw  [ipfw] ipfw/dummynet pipe/queue 'queue [B
o [2004/10/29] kern/73276 ipfw  [ipfw] [patch] ipfw2 vulnerability (parse
o [2005/03/13] bin/78785  ipfw  [ipfw] [patch] ipfw verbosity locks machi
o [2005/05/05] kern/80642 ipfw  [ipfw] [patch] ipfw small patch - new RUL
o [2005/06/28] kern/82724 ipfw  [ipfw] [patch] Add setnexthop and default
o [2005/10/05] kern/86957 ipfw  [ipfw] [patch] ipfw mac logging
o [2005/10/07] kern/87032 ipfw  [ipfw] [patch] ipfw ioctl interface imple
o [2006/01/16] kern/91847 ipfw  [ipfw] ipfw with vlanX as the device
o [2006/02/16] kern/93422 ipfw  ipfw divert rule no longer works in 6.0 (
o [2006/03/31] bin/95146  ipfw  [ipfw][patch]ipfw -p option handler is bo
o [2006/05/13] bin/97194  ipfw  [patch] [ipfw] ipfw does not correctly li

20 problems total.

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 6 13:07:00 2006
From: "Sunil Sunder Raj"
To: freebsd-ipfw@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Tue, 06 Jun 2006 13:06:55 +0000
Subject: Need help on ipfw IDS support.

Hi,

Is it possible to integrate SNORT with IPFW? I have an entire network
behind an IPFW BRIDGE. Just need IDS capability enabled for the
network. Just a hint is enough. Any other way I can achieve this in
IPFW?

-Sunil Sunder Raj

From owner-freebsd-ipfw@FreeBSD.ORG Tue Jun 6 18:11:25 2006
Date: Tue, 06 Jun 2006 11:56:20 -0300
From: Leonardo Reginin
To: freebsd-ipfw
Subject: Re: Need help on ipfw IDS support.

Sunil.

Have a look at snort_inline - http://freebsd.rogness.net/snort_inline/

Cheers

Sunil Sunder Raj wrote:
> Hi,
>
> Is it possible to integrate SNORT with IPFW? I have an entire network
> behind an IPFW BRIDGE. Just need IDS capability enabled for the
> network. Just a hint is enough. Any other way I can achieve this in
> IPFW?
>
> -Sunil Sunder Raj
>
>
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
>

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 01:37:32 2006
From: "mufalani"
Date: Wed, 7 Jun 2006 20:17:07 -0300
Subject: ipfw + nat

Hi all,

I have a webserver running apache 2.3 under windows 2003, and one BSD 5.4 (gateway).

How to redirect requisitions at 80´s port (200.X.X.X:80) to address (192.x.x.x:80) with nat and ipfw?

Att,
Rodrigo Mufalani

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 06:16:52 2006
Date: Wed, 07 Jun 2006 23:43:33 -0400
From: Chuck Swiger
To: mufalani
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + nat

mufalani wrote:
> Hi all,
>
> I have a webserver running apache 2.3 under windows 2003, and one BSD 5.4 (gateway).
>
> How to redirect requisitions at 80´s port (200.X.X.X:80) to address (192.x.x.x:80) with nat and ipfw?

echo "redirect_port tcp 192.x.x.x:80 80" >> /etc/natd.conf

See "man natd" for details and variants like redirect_address.

--
-Chuck

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 07:15:07 2006
Date: Thu, 08 Jun 2006 08:40:25 +0400
From: "Andrey V. Elsukov"
To: mufalani
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + nat

mufalani wrote:
> How to redirect requisitions at 80´s port (200.X.X.X:80)
> to address (192.x.x.x:80) with nat and ipfw?

You can try following:

# natd -alias_address 200.X.X.X -redirect_port tcp 192.x.x.x:80 80
# ipfw add divert natd tcp from any to 200.X.X.X in recv $ExtIf
# ipfw add divert natd tcp from 192.x.x.x 80 to any out xmit $ExtIf

$ExtIf - external interface.

--
WBR, Andrey V.
Elsukov

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 09:06:52 2006
Date: Thu, 8 Jun 2006 08:51:52 +0200
From: "Henrik Andersen"
To: mufalani
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + nat

Hi Mufalani,

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
and in particular the part 26.6.5.7 should explain how to accomplish this.

Regards,
Henrik

On 6/8/06, mufalani wrote:
> Hi all,
>
> I have a webserver running apache 2.3 under windows 2003, and one BSD 5.4 (gateway).
>
> How to redirect requisitions at 80´s port (200.X.X.X:80) to address (192.x.x.x:80) with nat and ipfw?
>
>
> Att,
> Rodrigo Mufalani
>

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 09:14:12 2006
Date: Thu, 8 Jun 2006 09:10:07 +0200 (CEST)
From: "Erik"
To: "mufalani"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + nat

> Hi all,
>
> I have a webserver running apache 2.3 under windows 2003, and one BSD 5.4 (gateway).
>
> How to redirect requisitions at 80´s port (200.X.X.X:80) to address (192.x.x.x:80) with nat and ipfw?
>

Pretty simple if you are using natd.

In /etc/rc.conf:

### Firewall Settings ###
firewall_enable="YES"
ipdivert_enable="YES"
gateway_enable="YES"
firewall_type="MYOWN"
natd_enable="YES"
natd_interface="xl0"    (replace with your external interface)
natd_flags="-f /etc/rc.natd"
#########################

In /etc/rc.natd:

#
# NATD configuration file that supplies NATD with parameters
#
log no
use_sockets yes
same_ports yes

# Ports redirected to the internal network
redirect_port tcp 192.168.0.100:22 222
redirect_port tcp 192.168.0.111:80 80
^ redirecting     ^ obvious        ^ external port
              ^ type of traffic ^ internal port

In the /etc/rc.firewall:

divert 8668 ip from any to any via xl0 (will be your external interface)

This is all there is to it (put in a simple way...)

Regards
/Erik

>
> Att,
> Rodrigo Mufalani
>

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 09:43:31 2006
Date: Thu, 8 Jun 2006 17:45:40 +1000
From: Nick Withers
To: "mufalani"
Cc: freebsd-ipfw@freebsd.org
Subject: Re: ipfw + nat

On Wed, 7 Jun 2006 20:17:07 -0300
"mufalani" wrote:

> Hi all,
>
> I have a webserver running apache 2.3 under windows 2003, and one BSD 5.4 (gateway).
>
> How to redirect requisitions at 80´s port (200.X.X.X:80) to address (192.x.x.x:80) with nat and ipfw?

Assuming you're running both already, simply adding the
following line (with the appropriate IP addresses, of course) to
your natd configuration should do the trick:

redirect_port tcp 192.x.x.x:80 200.X.X.X:80

Otherwise, I'd recommend reading the FreeBSD Handbook sections
on this
(http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipfw.html
and
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html,
for instance).

> Att,
> Rodrigo Mufalani

This probably belongs on freebsd-questions, by the way...
--
Nick Withers
email: nick@nickwithers.com
Web: http://www.nickwithers.com
Mobile: +61 414 397 446

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 12:03:17 2006
Date: Thu, 8 Jun 2006 12:20:45 +0200
From: John Hay
To: freebsd-ipfw@freebsd.org
Subject: Unknown Extension Header(103)

Hi,

I have tried to upgrade our firewall/router from 5.3 to 6.1-stable and
ran into these messages:

IPFW2: IPV6 - Unknown Extension Header(103), ext_hd=0

There were so many that the machine got stuck. It turns out that ipfw
did not like the pim multicast packets on ipv6. I think I have fixed
the problem for now with the patch below.

Is my patch acceptable? Can I commit it?

One thing that bothers me a bit is the printf in the default case that
is not rate limited and you are not able to switch it off via a sysctl
or something. Should it stay like that? The message is also a bit
misleading I think.

John
--
John Hay -- John.Hay@meraka.csir.co.za / jhay@FreeBSD.org

Index: ip_fw2.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_fw2.c,v retrieving revision 1.106.2.13 diff -u -r1.106.2.13 ip_fw2.c --- ip_fw2.c 2 Jun 2006 04:02:06 -0000 1.106.2.13 +++ ip_fw2.c 8 Jun 2006 09:12:09 -0000 @@ -71,6 +71,7 @@ #include #include #include +#include #include #include #include 
@@ -2274,6 +2275,11 @@ PULLUP_TO(hlen, ulp, struct ip6_ext); break; + case IPPROTO_PIM: + /* XXX PIM header check? */ + PULLUP_TO(hlen, ulp, struct pim); + break; + default: printf("IPFW2: IPV6 - Unknown Extension " "Header(%d), ext_hd=%x\n", proto, ext_hd);
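
Review bot: In the second hunk (@@ -2274,6 +2275,11 @@) the new `case IPPROTO_PIM:` removes only one trigger for the `printf("IPFW2: IPV6 - Unknown Extension " "Header(%d), ext_hd=%x\n", proto, ext_hd)` in the `default:` branch, so any other protocol number that the switch does not list still reaches that printf each time such a packet is parsed, which is the condition the message above reports as having stalled the machine. I would rate limit that printf or gate it behind a sysctl in the same change, and reword it, since the value it prints (103 here, PIM) is an upper-layer protocol and not an extension header. The `/* XXX PIM header check? */` comment also needs resolving before commit: either say that `PULLUP_TO(hlen, ulp, struct pim)` is the only check intended, or add the header validation it asks about.
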
From: Fernando Patzlaff
Date: Thu, 08 Jun 2006 11:14:50 -0300
To: freebsd-ipfw@freebsd.org
Subject: (no subject)

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 21:30:40 2006
Date: Thu, 8 Jun 2006 17:21:40 GMT
From: Oleg Bulyzhin
To: martin@email.aon.at, oleg@FreeBSD.org, freebsd-ipfw@FreeBSD.org
Subject: Re: bin/97194: [patch] [ipfw] ipfw does not correctly list dynamic IPv6 rules

Synopsis: [patch] [ipfw] ipfw does not correctly list dynamic IPv6 rules

State-Changed-From-To: open->closed
State-Changed-By: oleg
State-Changed-When: Thu Jun 8 17:20:44 UTC 2006
State-Changed-Why:
Closed in favour of bin/98349

http://www.freebsd.org/cgi/query-pr.cgi?pr=97194

From owner-freebsd-ipfw@FreeBSD.ORG Thu Jun 8 21:54:42 2006
Date: Thu, 8 Jun 2006 20:45:28 GMT
From: Oleg Bulyzhin
To: oleg@FreeBSD.org, freebsd-ipfw@FreeBSD.org, oleg@FreeBSD.org
Subject: Re: kern/98184: [ipfw] ipfw add pass 224.0.0.0/4 multicast rule prevents natd forwarding for dynamic rules

Synopsis: [ipfw] ipfw add pass 224.0.0.0/4 multicast rule prevents natd forwarding for dynamic rules

Responsible-Changed-From-To: freebsd-ipfw->oleg
Responsible-Changed-By: oleg
Responsible-Changed-When: Thu Jun 8 20:45:05 UTC 2006
Responsible-Changed-Why:
take over.

http://www.freebsd.org/cgi/query-pr.cgi?pr=98184