Date:      Sat, 15 Jan 2000 20:49:22 -0500 (EST)
From:      "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To:        jeff@nerdpower.com (Jeff Lush)
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd and ipfw redirection
Message-ID:  <200001160149.UAA53586@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <00011413030805.01757@smithers.nerdpower.org> from Jeff Lush at "Jan 14, 2000 12:19:39 pm"

Jeff Lush wrote,
> Hello,
> 
> I am using FreeBSD to set up a firewall with NAT. Essentially, what I would like
> to do is have NAT translate from private to public IPs, use ipfw for
> firewall rules and allow for IP redirection into the LAN for some services such
> as SMTP.
> 
> So far, I have NAT working and have firewall rules set up accordingly to block
> unwanted incoming traffic. Where my difficulties arise is with (I believe)
> ipfw. Here's my setup:
> 
> In the rc.conf, I have set up an IP bound to de0 and an alias IP for SMTP
> traffic:
> ifconfig_de0="inet 139.142.250.29 netmask 255.255.255.192"
> ifconfig_de0_alias0="inet 139.142.250.39 netmask 255.255.255.255"
> ifconfig_de1="inet 192.168.1.1 netmask 255.255.255.0"

Not sure why you need an extra IP number for the SMTP traffic, but
OK.

> In the rc.firewall I have these rules relating to redirection:
> ipfw add 100 divert natd all from any to any via de0 # Pass everything to natd
>
> Further down the ruleset I then have:
> ipfw add 7000 allow tcp from any to any 25 in via 139.142.250.39 setup # Allow tcp traffic in on port 25 from 139.142.250.39

That's an odd rule. You do realize that it passes _all_ SMTP traffic
that comes in from the outside world, right?

> I then start natd with: 
> natd -redirect_port tcp 192.168.1.2:25 139.142.250.39:25

I hope you really mean,

    # natd -n de0 -u -redirect_port tcp 192.168.1.2:25 139.142.250.39:25


> In my opinion, this appears to be correct, but obviously it is not. I feel the
> problem is in the firewall rules. I compiled the kernel with 'option
> IPFIREWALL_FORWARD', but I'm not sure how it will work with nat. The rule I
> have in mind is:
> ipfw add 200 fwd 192.168.1.2 all from de0 to de1

That is not what you want to do.

> My thinking is this is what natd is supposed to do.
> 
> I know something is missing, I just don't know what. Any help that can be
> offered would be very much appreciated. I can include more from my conf files
> if necessary.

I'd offer more help, but you never actually told us what was or was
not working.
-- 
Crist J. Clark                           cjclark@home.com
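To make Crist's objection to rule 7000 concrete, here is a toy model of ipfw's rule walk with a natd divert in front of it. This is an added example, not code from the thread and not FreeBSD's ipfw or natd; it assumes the usual behaviour that a packet handed to natd by a divert rule re-enters the ruleset at the next rule with its destination already rewritten, it models `via 139.142.250.39` as the de0 interface that carries that alias, and the outside sender addresses (203.0.113.x) are constructed.

```python
"""Toy model of ipfw's rule walk with a natd divert rule, to show what the
"allow tcp from any to any 25" rule in the thread actually admits once natd
has rewritten the packet. Constructed example; this is not FreeBSD's ipfw
or natd code, and the packet model is deliberately minimal."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str              # interface the packet arrives on or leaves by
    direction: str          # "in" or "out"
    syn_only: bool = False  # TCP SYN without ACK: what ipfw's "setup" keyword matches


# natd -redirect_port tcp 192.168.1.2:25 139.142.250.39:25, as a lookup table
REDIRECTS = {("tcp", "139.142.250.39", 25): ("192.168.1.2", 25)}


def natd(pkt: Packet) -> Packet:
    """Inbound packets whose destination matches a redirect_port entry get their
    destination rewritten; everything else passes through unchanged."""
    if pkt.direction == "in":
        target = REDIRECTS.get((pkt.proto, pkt.dst, pkt.dport))
        if target is not None:
            return replace(pkt, dst=target[0], dport=target[1])
    return pkt


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                   # "divert", "allow" or "deny"
    proto: str = "all"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    iface: Optional[str] = None   # ipfw "via"; "via 139.142.250.39" is modelled as de0 (assumption)
    direction: Optional[str] = None
    setup: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("all", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface)
                and (self.direction is None or self.direction == pkt.direction)
                and (not self.setup or pkt.syn_only))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Packet]:
    """Walk the rules in number order. A matching divert rule hands the packet
    to natd and evaluation continues at the next rule with the rewritten
    packet; the first allow/deny match decides. No match means deny, as on a
    kernel built without IPFIREWALL_DEFAULT_TO_ACCEPT."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not rule.matches(pkt):
            continue
        if rule.action == "divert":
            pkt = natd(pkt)
            continue
        return rule.action, pkt
    return "deny", pkt


# Rules as posted: divert on de0 first, then allow any inbound SMTP setup packet
POSTED = [
    Rule(100, "divert", iface="de0"),
    Rule(7000, "allow", proto="tcp", dport=25, iface="de0", direction="in", setup=True),
]
# Tighter variant: only admit SMTP that natd has already rewritten to the internal mail host
TIGHT = [
    Rule(100, "divert", iface="de0"),
    Rule(7000, "allow", proto="tcp", dst="192.168.1.2", dport=25, iface="de0", direction="in", setup=True),
]

# Constructed test traffic (203.0.113.0/24 is a documentation range, not a real sender)
SMTP_TO_ALIAS = Packet("tcp", "203.0.113.7", 40000, "139.142.250.39", 25, "de0", "in", syn_only=True)
SMTP_TO_FIREWALL = Packet("tcp", "203.0.113.7", 40001, "139.142.250.29", 25, "de0", "in", syn_only=True)
SMTP_MIDSTREAM = replace(SMTP_TO_ALIAS, syn_only=False)


if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("tight", TIGHT)):
        for pkt in (SMTP_TO_ALIAS, SMTP_TO_FIREWALL, SMTP_MIDSTREAM):
            action, final = evaluate(rules, pkt)
            print(f"{name:6} to {pkt.dst}:{pkt.dport} syn_only={pkt.syn_only} -> {action} (dst after natd {final.dst})")
```

Running it shows the two points of the reply: with the posted rules, a SYN to the firewall's own address on port 25 is admitted just as the redirected one is, because "to any 25" matches both, whereas the tighter rule only admits what natd has mapped to 192.168.1.2. No `fwd` rule appears in either set; the redirect is entirely natd's job. Mid-stream segments fail the `setup` rule in both variants, which is why a real rc.firewall pairs such a rule with an `established` rule for the rest of the connection.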

