Date:      Wed, 13 Mar 2002 13:55:09 -0800 (PST)
From:      Dennis Holmes <dholmes@liberator.dyndns.org>
To:        alan@quay.net (Alan McKay)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: ipfw/pppoe/nat trouble
Message-ID:  <200203132155.NAA90713@star-one.liberator.dyndns.org>
In-Reply-To: <20020313163949.11A2B5D4A@victory.quay.net> from Alan McKay at "Mar 13, 2002 11:39:48 am"

Look what Alan McKay wrote:
> 
> So should I give up on PPP's native NAT and switch to NATD?
> Anyone know what could be up here?
> 
> thanks,
> -Alan
> 
> 
> Folks,
> 
> I'm using FreeBSD 4.5 RELEASE for my firewall, and using its native ppp
> to manage my PPPoE connection.  When doing this, one uses ppp's native
> NAT, and not natd.
> 
> I have a web cam running on port 80 of a private PC at home, and want to
> forward that out to some obscure port on the firewall.  Let's just say for
> the sake of argument port 4711.
> 
> My firewall (ipfw) rules include :
> allow tcp from any to <my-external-IP> 4711 setup
> 
> I have the same rule on port 80 for the apache server running on the
> firewall, and it works.  The above rule I have right beside my port 80
> rule in the list. However, when I try to hit port 4711 from outside,
> and do a "ipfw show", it drops right through that rule to about 5 rules
> below where I deny all connections from outside (after allowing the few
> that I want to allow).
> 
> So I never get to try to see if my NAT rules are correct.  In my
> /etc/ppp/ppp.conf file I have (among other things) :
> 
>  nat enable yes
>  nat log yes
>  nat target MYADDR
>  nat port tcp <private-ip-of-webcam-PC>:80 4711
> 
> Any ideas why my firewall rule is not allowing the 4711 connection?
> I'm stumped!
> 
> Are there any good examples of using PPPoE's NAT in combo with ipfw
> to port-forward to something on the private side?
> 
> cheers,
> -Alan

Things can get a little tricky with both ipfw and NAT in the picture.
One of the easiest ways to determine what rules you need is to enable
logging on your "deny" rules in ipfw (add the "log" keyword to the
rules in rc.firewall as shown in the ipfw man page) so that you can
see exactly what ipfw is blocking (on the console or /var/log/messages).
You probably need to add a rule allowing connections to port 4711 on
the private IP where the webcam resides.  It sounds strange, but after
NAT the packet looks like a connection from an outside address to your
private address, so that's how ipfw treats it.

+----------------+-------------------+------------------------------------+
| Dennis Holmes  | dholmes@rahul.net |  "We demand rigidly defined        |
| San Jose, CA   +-------------------+   areas of doubt and uncertainty!" |
+------=>{ Meanwhile, as Ford said: "Where are my potato chips?" }<=------+
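To make the reply's point concrete, here is an added Python model (not code from the thread or from FreeBSD) of the path an inbound SYN takes on the PPPoE link: ppp's `nat port` redirect first, then ipfw's first-match rule walk. The addresses and rule numbers are constructed placeholders; the post-NAT destination is the webcam's port 80 because that is what `nat port tcp <webcam>:80 4711` maps to, which is why a rule for `<my-external-IP> 4711` never fires.

```python
# Constructed example addresses; the original thread used placeholders.
EXTERNAL_IP = "203.0.113.10"   # the PPPoE address ppp calls MYADDR
WEBCAM_IP = "192.168.1.20"     # private PC running the webcam on port 80

# Equivalent of the ppp.conf line "nat port tcp 192.168.1.20:80 4711":
# inbound tcp to MYADDR:4711 is redirected to 192.168.1.20:80.
NAT_PORT = {("tcp", 4711): (WEBCAM_IP, 80)}

def ppp_nat_inbound(pkt):
    """Rewrite an inbound packet the way ppp's NAT does before ipfw sees it."""
    target = NAT_PORT.get((pkt["proto"], pkt["dport"]))
    if pkt["dst"] == EXTERNAL_IP and target:
        return {**pkt, "dst": target[0], "dport": target[1]}
    return pkt

def ipfw_first_match(rules, pkt):
    """First-match lookup like ipfw; returns (rule number, action) that fired.
    A rule is (number, action, proto, dst, dport, setup_only)."""
    for num, action, proto, dst, dport, setup_only in rules:
        if proto not in ("ip", pkt["proto"]):
            continue
        if dst != "any" and dst != pkt["dst"]:
            continue
        if dport is not None and dport != pkt["dport"]:
            continue
        if setup_only and not pkt["syn"]:
            continue
        return num, action
    return 65535, "deny"  # ipfw's implicit default rule

def check_inbound(rules, pkt):
    """Full path for a packet arriving on the PPPoE link: NAT, then ipfw."""
    return ipfw_first_match(rules, ppp_nat_inbound(pkt))

# Rules as the original poster described them: the 4711 rule only
# matches the external address, so post-NAT traffic falls to the deny.
ORIGINAL_RULES = [
    (100, "allow", "tcp", EXTERNAL_IP, 80, True),    # apache on the firewall
    (110, "allow", "tcp", EXTERNAL_IP, 4711, True),  # never matches after NAT
    (500, "deny", "ip", "any", None, False),         # catch-all (add "log" to see hits)
]
# Same rule set plus the rule the reply suggests: allow the connection to
# the private address ipfw actually sees after NAT (webcam:80 here).
FIXED_RULES = ORIGINAL_RULES[:2] + [
    (120, "allow", "tcp", WEBCAM_IP, 80, True),
] + ORIGINAL_RULES[2:]

# Constructed packets: a SYN to the forwarded port and one to apache.
WEBCAM_SYN = {"proto": "tcp", "dst": EXTERNAL_IP, "dport": 4711, "syn": True}
APACHE_SYN = {"proto": "tcp", "dst": EXTERNAL_IP, "dport": 80, "syn": True}
```

Running `check_inbound(ORIGINAL_RULES, WEBCAM_SYN)` lands on the catch-all deny, while the same packet under `FIXED_RULES` is accepted by the rule for the private address.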
