Date:      Fri, 9 Mar 2001 18:53:07 +0800
From:      "jett tayer" <webby@bsdi.dhs.org>
To:        "Andrew Hesford" <ajh3@chmod.ath.cx>, "Pablo Bendersky" <pbendersky@itineri.com>
Cc:        <freebsd-questions@freebsd.org>
Subject:   Re: Problem setting up NAT
Message-ID:  <018f01c0a887$21636fb0$1e4bb0cb@martian>
References:  <JPEAKMLHKPBJHAEBDFIEAECOCCAA.pbendersky@itineri.com> <20010309023946.A19665@cec.wustl.edu>

Suppose I have a Windows workstation inside
the firewall machine, and I want to host a NetMeeting
session; what IP address will I tell my peers to call?
And are IRC and Windows Media Services supported?

thanks

jett tayer


----- Original Message -----
From: "Andrew Hesford" <ajh3@chmod.ath.cx>
To: "Pablo Bendersky" <pbendersky@itineri.com>
Cc: <freebsd-questions@freebsd.org>
Sent: Friday, March 09, 2001 4:39 PM
Subject: Re: Problem setting up NAT


> Below you will find a copy of my ipfw ruleset. I have one external IP
> connected via ed0, and an internal address on dc0. The internal address
> connects to my hub, and handles nat. Incoming requests from the outside
> world on ports 22, 25, and 80 are forwarded to a machine inside. Check
> to make sure your rules are similar.
>
> For natd, I run `natd -redirect_port tcp 192.168.1.5:22 22
> -redirect_port tcp 192.168.1.5:25 25 -redirect_port tcp 192.168.1.5:80
> 80 -interface ed0`.
>
> Also, a word of advice. I've always found keep-state and check-state
> easier to manage than established and setup... in particular, keep-state
> and check-state apply to all protocols. My ruleset allows anything to go
> out and come back, but nothing comes in except ssh, smtp, and sendmail
> (try to ping chmod.ath.cx if you don't believe me).
>
> Also, if you are going to setup all tcp connections and allow the other
> protocols, it would be easier to drop the last three rules you've added
> and replace them with:
>
> allow ip from any to any
>
> Now for my rules:
>
> 00100 deny ip from 192.168.1.0/24 to any in recv ed0
> 00200 deny ip from 24.217.0.0/16 to any in recv dc0
> 00300 deny ip from any to 10.0.0.0/8 via ed0
> 00400 deny ip from any to 172.16.0.0/12 via ed0
> 00500 deny ip from any to 192.168.0.0/16 via ed0
> 00600 deny ip from any to 0.0.0.0/8 via ed0
> 00700 deny ip from any to 169.254.0.0/16 via ed0
> 00800 deny ip from any to 192.0.2.0/24 via ed0
> 00900 deny ip from any to 224.0.0.0/4 via ed0
> 01000 deny ip from any to 240.0.0.0/4 via ed0
> 01100 divert 8668 ip from any to any via ed0
> 01200 deny ip from any to 10.0.0.0/8 via ed0
> 01300 deny ip from any to 172.16.0.0/12 via ed0
> 01400 deny ip from any to 0.0.0.0/8 via ed0
> 01500 deny ip from any to 169.254.0.0/16 via ed0
> 01600 deny ip from any to 192.0.2.0/24 via ed0
> 01700 deny ip from any to 224.0.0.0/4 via ed0
> 01800 deny ip from any to 240.0.0.0/4 via ed0
> 01900 check-state
> 02000 allow ip from any to any frag
> 02100 allow tcp from any to 24.217.0.0/16 80 keep-state
> 02200 allow tcp from any to 24.217.0.0/16 22 keep-state
> 02300 allow tcp from any to 24.217.0.0/16 25 keep-state
> 02400 allow tcp from any to 192.168.1.5 80 keep-state
> 02500 allow tcp from any to 192.168.1.5 22 keep-state
> 02600 allow tcp from any to 192.168.1.5 25 keep-state
> 02700 unreach host tcp from any to any 113 keep-state in recv ed0
> 02800 deny ip from any to any in recv ed0
> 02900 allow ip from any to any keep-state
> 65535 deny ip from any to any
>
> On Thu, Mar 08, 2001 at 12:07:00PM -0300, Pablo Bendersky wrote:
>
> > Now, I wanted to make use of an external IP address I have, so I added
> > it as an alias to xl1. It works ok, and I can ping it from everywhere.
> > I then tried to make nat forward telnet service (Which, by the way is not
> > running on this machine) to one of our local machines.
> > For that, I tried with:
> > /sbin/natd -redirect_port tcp 192.168.0.4:23 <alias_ip>:23 -n xl1
> >
> > After that, I was still able to ping the alias IP, and everything, but not
> > able to telnet the localhost. (Which I can telnet from any computer on the
> > local network)
> --
> Andrew Hesford
> ajh3@chmod.ath.cx
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>






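As an added example that is not part of this thread, the Python below walks a subset of Andrew's quoted ipfw ruleset first-match and applies his quoted natd redirects at the divert rule, so you can check on paper what happens to an inbound ssh or telnet packet (Pablo's port-23 case) before touching a live firewall. The packet values and the rule subset are constructed, and the matcher is a simplified model of ipfw, not ipfw itself.

```python
import ipaddress

# Redirects taken from the quoted `natd -redirect_port ...` command line.
NAT_REDIRECTS = {22: "192.168.1.5", 25: "192.168.1.5", 80: "192.168.1.5"}

# Subset of the posted rules (check-state and frag rules left out).
RULESET = """
00100 deny ip from 192.168.1.0/24 to any in recv ed0
00500 deny ip from any to 192.168.0.0/16 via ed0
01100 divert 8668 ip from any to any via ed0
01200 deny ip from any to 10.0.0.0/8 via ed0
02500 allow tcp from any to 192.168.1.5 22 keep-state
02700 unreach host tcp from any to any 113 keep-state in recv ed0
02800 deny ip from any to any in recv ed0
02900 allow ip from any to any keep-state
65535 deny ip from any to any
"""

def parse_rule(line):
    tok = line.split()
    if tok[1] in ("divert", "unreach"):  # both carry one extra argument
        del tok[2]
    rest = tok[7:]
    iface = rest[rest.index("recv") + 1] if "recv" in rest else (
        rest[rest.index("via") + 1] if "via" in rest else None)
    return {"num": int(tok[0]), "action": tok[1], "proto": tok[2],
            "src": tok[4], "dst": tok[6], "iface": iface,
            "port": int(rest[0]) if rest and rest[0].isdigit() else None,
            "dir": "in" if "in" in rest else "any"}

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(rule, pkt):
    return (rule["proto"] in ("ip", pkt["proto"])
            and in_net(pkt["src"], rule["src"]) and in_net(pkt["dst"], rule["dst"])
            and rule["port"] in (None, pkt["dport"])
            and rule["iface"] in (None, pkt["iface"])
            and rule["dir"] in ("any", pkt["dir"]))

def evaluate(pkt, ruleset=RULESET):
    """Walk the rules first-match; return (rule number, action, dst after NAT)."""
    pkt = dict(pkt)
    for rule in map(parse_rule, ruleset.strip().splitlines()):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":  # natd rewrites a redirected inbound dst, then the walk resumes
            if pkt["dir"] == "in" and pkt["dport"] in NAT_REDIRECTS:
                pkt["dst"] = NAT_REDIRECTS[pkt["dport"]]
            continue
        return rule["num"], rule["action"], pkt["dst"]
```

A redirected port (22) lands on rule 02500 with its destination rewritten to the internal host, while a port that natd is not told about (23) falls through to the catch-all deny at 02800, which is the behaviour Pablo describes.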