Date:      Wed, 08 Dec 1999 09:32:43 +0100 (CET)
From:      Martin Welk <mw@freibergnet.de>
To:        Roelof Osinga <roelof@nisser.com>
Cc:        FreeBSD Stable <freebsd-stable@FreeBSD.ORG>
Subject:   RE: ifpw forwarding problem
Message-ID:  <XFMail.991208093243.mw@freibergnet.de>
In-Reply-To: <384DE84E.8285191E@nisser.com>

Dear Roelof,

on 08-Dec-99 Roelof Osinga wrote:

()  natd is running with -same_ports -use_sockets on ep1

This seems to be right.

()  The command I'm issuing is:
()  
()  ipfw add 2000 fwd 10.0.0.3,80 tcp from any to 10.0.0.55 8080 in via ep0
()  
()  Though accepted it will not redirect. The 10.0.0.3:80 does answer
()  when queried directly:
()  
()  nisser:/root/bin$ telnet 10.0.0.55 8080
()  Trying 10.0.0.55...
()  telnet: Unable to connect to remote host: Connection refused
()  
()  nisser:~# ipfw list
()  00100 divert 8668 ip from any to any via ep1
()  00100 allow ip from any to any via lo0
()  00200 deny ip from any to 127.0.0.0/8
()  01000 deny tcp from any to any 23,143,110,79,111 in recv ep1
()  01000 deny tcp from any to any 5800,5801,5802,5900,5901,5902 in recv ep1
()  02000 fwd 10.0.0.3,80 tcp from any to 10.0.0.55 8080 in recv ep0
()  65000 allow ip from any to any
()  65535 deny ip from any to any

Your problem is that forwarding packets by rules to other hosts is not
the same as forwarding packets to hosts through a NAT environment. Look
at the natd man page and search for the redirect options mentioned there.

In my case, there's a FreeBSD machine doing NAT here. It has two IP
addresses on the outer world interface, but this shouldn't be a
significant difference.

I have a file named natd.conf that's loaded on startup doing a
"natd -f natd.conf" - you may put it somewhere in the file system
where you like it and use the absolute path, I've chosen /etc.

use_sockets
same_ports
port 8668
deny_incoming no
alias_address aaa.aaa.aaa.aaa
redirect_port tcp bbb.bbb.bbb.bbb:5900 aaa.aaa.aaa.aaa:5900

In this case, port 5900 (which is by default used for the first VNC
session) is redirected to an internal Windows box that can be accessed
this way.

aaa.aaa.aaa.aaa is the external network address of the router,
bbb.bbb.bbb.bbb the internal host (192.168...)

You need to do that this way in a NAT'ed environment because someone
has to change the IP addresses as they are needed to make it work
properly.

For the ipfw setup, a directive like

        divert 8668 all from any to any
        allow ip from any to any

will do the job, although all packets pass through natd this way.

But if it works in this case, you have now a good starting point to
do more :-)

No RTFM intended, but I found the following man pages very helpful when
I started with ipfw/natd and so on: divert(4), dummynet(4), ipfw(8),
ipfirewall(4). Although dummynet has to do with bandwidth limiting
and delaying (this is integrated into the IPFW functionality), it gives
some further information that helps to understand how packets pass
through the firewall.

Regards,

Martin
-- 
FreibergNet Systemhaus GbR                   Martin Welk * Sales, Support
Systemhaus für Daten- und Netzwerktechnik           phone +49 3731 781387
Unternehmensgruppe Liebscher & Partner                fax +49 3731 781377
D-09599 Freiberg * Am St. Niclas Schacht 13    http://www.freibergnet.de/



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
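The setup Martin describes, as an added worked example that is not part of the original mail or of the FreeBSD project's own scripts: a small POSIX sh script that emits a natd.conf with a redirect_port entry and the matching minimal ipfw rules. It mirrors his natd.conf and two-rule ipfw directive, but restricts the divert rule to the external interface (the pattern the FreeBSD Handbook's natd example uses) instead of diverting every packet. The addresses (203.0.113.1 from the TEST-NET-3 documentation range, 192.168.1.10), the interface name ep1, and the function names are placeholders chosen for illustration; nothing here is run against a live system, the script only prints the configuration it would install.

```sh
#!/bin/sh
# Added example: generate natd.conf and ipfw rules for port redirection
# on a FreeBSD NAT router. All names and addresses are illustrative.

# Validate a dotted-quad IPv4 address; returns 0 if well-formed.
is_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Validate a TCP port number (1-65535).
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_natd_conf EXT_IP INT_IP EXT_PORT INT_PORT
# Prints a natd.conf that aliases on EXT_IP and redirects incoming TCP
# connections to EXT_IP:EXT_PORT to INT_IP:INT_PORT. This is the natd
# counterpart of the ipfw "fwd" rule that does not work behind NAT,
# because natd is the component that rewrites the addresses.
gen_natd_conf() {
    ext_ip=$1 int_ip=$2 ext_port=$3 int_port=$4
    is_ipv4 "$ext_ip" && is_ipv4 "$int_ip" || { echo "bad address" >&2; return 1; }
    is_port "$ext_port" && is_port "$int_port" || { echo "bad port" >&2; return 1; }
    cat <<EOF
use_sockets
same_ports
port 8668
alias_address $ext_ip
redirect_port tcp $int_ip:$int_port $ext_ip:$ext_port
EOF
}

# gen_ipfw_rules EXT_IF
# Prints the ipfw commands: divert only traffic crossing EXT_IF to natd
# (port 8668, matching "port 8668" in natd.conf), then allow the rest.
# Restricting the divert to the external interface keeps purely internal
# traffic out of natd.
gen_ipfw_rules() {
    ext_if=$1
    [ -n "$ext_if" ] || { echo "missing interface" >&2; return 1; }
    cat <<EOF
ipfw -f flush
ipfw add 100 divert 8668 ip from any to any via $ext_if
ipfw add 200 allow ip from any to any
EOF
}

# Demonstration: redirect external port 5900 (first VNC display) to an
# internal host, as in the mail, with placeholder addresses.
main() {
    echo "# /etc/natd.conf"
    gen_natd_conf 203.0.113.1 192.168.1.10 5900 5900
    echo
    echo "# ipfw rules"
    gen_ipfw_rules ep1
}

# Only run the demo when executed directly, not when sourced.
case $0 in
    *natd_redirect.sh) main ;;
esac
```

Usage: save as natd_redirect.sh, run it to see both fragments, then start natd with `natd -f /etc/natd.conf` and load the ipfw rules; the divert rule must precede any allow rule, and the allow-all at the end is the same permissive default as in the mail, to be replaced by a real policy once the redirect works.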




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.991208093243.mw>