From: "Crist J. Clark"
Subject: Re: natd and ipfw redirection
In-Reply-To: <00011413030805.01757@smithers.nerdpower.org> from Jeff Lush at "Jan 14, 2000 12:19:39 pm"
To: jeff@nerdpower.com (Jeff Lush)
Date: Sat, 15 Jan 2000 20:49:22 -0500 (EST)
Cc: freebsd-questions@FreeBSD.ORG
Reply-To: cjclark@home.com

Jeff Lush wrote,
> Hello,
>
> I am using FreeBSD to setup a firewall with nat. Essentially, what I would like
> to do is have nat translate from private to public IPs, use ipfw for
> firewall rules and allow for IP redirection into the LAN for some services such
> as SMTP.
>
> So far, I have nat working and have firewall rules setup accordingly to block
> unwanted incoming traffic. Where my difficulties arise are with (I believe)
> ipfw. Here's my setup:
>
> In the rc.conf, I have setup an IP bound to de0 and an alias IP for SMTP
> traffic:
> ifconfig_de0="inet 139.142.250.29 netmask 255.255.255.192"
> ifconfig_de0_alias0="inet 139.142.250.39 netmask 255.255.255.255"
> ifconfig_de1="inet 192.168.1.1 netmask 255.255.255.0"

Not sure why you need an extra IP number for the SMTP traffic, but OK.

> In the rc.firewall I have these rules relating to redirection:
> add 100 ipfw add divert natd all from any to any via de0 # Pass everything to
> natd
>
> Further down the ruleset I then have:
> ipfw add 7000 allow tcp from any to any 25 in via 139.142.250.39 setup # Allow
> tcp traffic in on port 25 from 139.142.250.39

That's an odd rule. You do realize that it passes _all_ SMTP traffic
that comes in from the outside world, right?

> I then start natd with:
> natd -redirect_port tcp 192.168.1.2:25 139.142.250.39:25

I hope you really mean,

  # natd -n de0 -u -redirect_port tcp 192.168.1.2:25 139.142.250.39:25

> In my opinion, this appears to be correct, but obviously it is not. I feel the
> problem is in the firewall rules. I compiled the kernel with 'option
> IPFIREWALL_FORWARD', but I'm not sure how it will work with nat. The rule I
> have in mind is:
> ipfw add 200 fwd 192.168.1.2 all from de0 to de1

That is not what you want to do.

> My thinking is this is what natd is supposed to do.
>
> I know something is missing, I just don't know what. Any help that can be
> offered would be very much appreciated. I can include more from my conf files
> if necessary.

I'd offer more help, but you never actually told us what was or was
not working.
-- 
Crist J. Clark                           cjclark@home.com
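An added example, not part of the thread: a dry-run script that emits the natd command line Crist suggests and contrasts the SMTP rule from the original message with a narrower one. It assumes the addresses and interface names from Jeff's rc.conf, and that natd rewrites the destination of a redirected packet before the packet is reinjected into the ruleset after the divert rule (standard natd/ipfw behaviour).

```shell
#!/bin/sh
# Dry-run ipfw/natd rule generator (added example). With IPFW=echo nothing is
# loaded into the kernel; the rules are only printed so they can be reviewed.
IPFW=${IPFW:-echo}
EXT_IF=de0                 # external interface from the original rc.conf
SMTP_PUBLIC=139.142.250.39 # alias on de0 that the outside world connects to
SMTP_PRIVATE=192.168.1.2   # inside mail host that natd redirects to

# natd as suggested in the reply: -n binds it to the external interface and
# -u restricts translation to unregistered (RFC 1918) source addresses.
natd_cmdline() {
    echo "natd -n $EXT_IF -u -redirect_port tcp ${SMTP_PRIVATE}:25 ${SMTP_PUBLIC}:25"
}

# The rule from the original message. "via 139.142.250.39" selects the
# interface holding that alias (de0), so the rule admits every inbound SMTP
# SYN arriving on de0, whatever its destination address.
weak_smtp_rule() {
    echo "add 7000 allow tcp from any to any 25 in via $SMTP_PUBLIC setup"
}

# Narrower alternative: after the divert rule natd has already rewritten the
# destination to the inside host, so the allow rule can name that host.
tight_smtp_rule() {
    echo "add 7000 allow tcp from any to $SMTP_PRIVATE 25 in via $EXT_IF setup"
}

# Minimal ruleset in the order the packets need it: divert first, then the
# narrowed SMTP rule, return traffic, and an explicit logged deny (assumed
# default-deny policy, as in the original setup).
load_rules() {
    $IPFW -f flush
    $IPFW add 100 divert natd all from any to any via $EXT_IF
    $IPFW $(tight_smtp_rule)
    $IPFW add 7010 allow tcp from any to any established
    $IPFW add 65000 deny log all from any to any
}

natd_cmdline
load_rules
```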