From: mailist@whoweb.com
To: "Eric Crist", freebsd-questions@freebsd.org
Date: Sun, 8 Aug 2004 23:28:21 -0400
Subject: Re: IPFW/NATD Transparent Proxy
Message-Id: <200408082328.21281.mailist@whoweb.com>
In-Reply-To: <006701c47d97$5e6f6970$6401a8c0@Nomad>

de0 = 1.2.3.4 (make up any valid public ip) (mydomain.com)
de1 = 192.168.1.1
de2 = 192.168.2.1

When 192.168.1.247 requests a web page from MYDOMAIN.COM the request needs to
be forwarded to 192.168.2.250:80.

In the ruleset below, 15100 is required for this to work. If I pull out 15100
I get no response from the web page because there is no rule to allow 1.2.3.4
back out to 192.168.1.247. I can't find a solution that does not require an
explicit rule to allow 1.2.3.4 back out to 192.168.1.247. In other words, I
can't find a set of rules that allows dynamic setup of

192.168.1.247:???? <-> 1.2.3.4:80
192.168.1.247:???? <-> 192.168.2.250:80

I hope this information helps. Thanks in advance for pointing me in the right
direction.

IPFW RULES
==================================
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any

NATD Config File (/etc/natd.conf)
==================================
redirect_port tcp 192.168.2.250:80 1.2.3.4:80

NATD Command
==================================
/sbin/natd -dynamic -n de0 -p 9000 -f /etc/natd.conf

On Sunday 08 August 2004 06:30 pm, Eric Crist wrote:
> > -----Original Message-----
> > From: owner-freebsd-questions@freebsd.org
> > [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of
> > mailist@whoweb.com
> > Sent: Sunday, August 08, 2004 5:43 PM
> > To: freebsd-questions@freebsd.org
> > Subject: Re: IPFW/NATD Transparent Proxy
> >
> > On Sunday 08 August 2004 04:38 pm, JJB wrote:
> > > A new rewrite of the FreeBSD handbook firewall section is currently
> > > being made ready for update to the handbook. You can get an
> > > in-process copy from www.a1poweruser.com/FBSD_firewall/
> >
> > The firewall rewrite only deals with a single public nic and
> > a single internal nic and does not have the information I require.
> >
> > > From what you posted looks like you want public internet users to
> > > access web server on one of your LAN machines. Both ipfw
> > > and ipfilter do this normally with port redirect.
> >
> > No, I want a user on 192.168.1.247 to be redirected to
> > 192.168.2.250:80 when they request 1.2.3.4:80, where 1.2.3.4 is a
> > PUBLIC ip number on the FreeBSD internet gateway. Again, the
> > configuration is
> > de0 = PUBLIC IP = 1.2.3.4
> > de1 = 192.168.1.1
> > de2 = 192.168.2.1
> >
> > I don't have a problem with incoming requests for 1.2.3.4:80
> > from the Internet being redirected to 192.168.2.250. That works
> > fine. But I want someone on 192.168.1.247 to ALSO be redirected to
> > 192.168.2.250:80 when they request the public address 1.2.3.4:80.
>
> Could you send us (or me, personally) your firewall script, and the
> address you want to use?
>
> Thanks.
>
> Eric F Crist
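As an added example (not from the thread or from FreeBSD), here is a small first-match model of the ruleset quoted above, to trace where each leg of the 192.168.1.247 to 1.2.3.4:80 exchange lands. It assumes the divert rule simply continues at the next rule (where natd re-injects the packet), shows packets as they look after natd's redirect_port translation, ignores keep-state (so it is the static path only), and uses a constructed client port 4000.

```python
from collections import namedtuple
RULESET = """
00100 divert 9000 log ip from any to any
00200 allow log ip from any to any out via de0 keep-state
00300 skipto 15000 log ip from any to any via de1
00400 skipto 20000 log ip from any to any via de2
00500 deny log ip from any to any
15000 allow log ip from any to any in via de1 keep-state
15100 allow log ip from any to any out via de1
15200 deny log ip from any to any
20000 allow log ip from any to any in via de2 keep-state
20100 allow log ip from any to any dst-port 80 out via de2 keep-state
20200 deny log ip from any to any
20300 deny log ip from any to any
"""

Pkt = namedtuple("Pkt", "src dst dport direction iface")  # src/dst descriptive only
def parse(text):
    """One (number, action, skipto target, match options) tuple per rule line."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        opts = {"dir": None, "via": None, "dport": None}
        for i, t in enumerate(tok):
            if t in ("in", "out"): opts["dir"] = t
            elif t == "via": opts["via"] = tok[i + 1]
            elif t == "dst-port": opts["dport"] = int(tok[i + 1])
        target = int(tok[2]) if tok[1] == "skipto" else None
        rules.append((int(tok[0]), tok[1], target, opts))
    return rules

def matches(opts, p):
    # An unset option matches anything; "via X" without in/out matches both ways.
    return all(want in (None, got) for want, got in
               zip(opts.values(), (p.direction, p.iface, p.dport)))

def walk(rules, p):
    """First-match walk: divert continues at the next rule (where natd re-injects
    the packet), skipto jumps, any other match terminates. No keep-state."""
    i = 0
    while i < len(rules):
        num, action, target, opts = rules[i]
        if matches(opts, p) and action == "skipto":
            i = next((k for k, r in enumerate(rules) if r[0] >= target), len(rules))
        elif matches(opts, p) and action != "divert":
            return action, num
        else:
            i += 1
    return "deny", None  # ipfw's implicit default deny
```

Walking the server's reply (source already rewritten back to 1.2.3.4:80, going out via de1) with and without rule 15100 reproduces the post's observation: it reaches 15100 when present and falls through to 15200 deny when removed.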