From: Bill Tillman
To: Dan Nelson, Michael Sierchio
Cc: freebsd-questions@freebsd.org
Date: Tue, 12 Jul 2011 05:19:25 -0700 (PDT)
Subject: Re: IPFW Firewall NAT inbound port-redirect
Message-ID: <1310473165.58370.YahooMailRC@web36501.mail.mud.yahoo.com>
In-Reply-To: <20110711170729.GG6611@dan.emsphone.com>

________________________________
From: Dan Nelson
To: Michael Sierchio
Cc: freebsd-questions@freebsd.org
Sent: Mon, July 11, 2011 1:07:31 PM
Subject: Re: IPFW Firewall NAT inbound port-redirect

In the last episode (Jul 11), Michael Sierchio said:
> Sorry for the naive question, but most of my old rulesets still use
> natd, and I've only used built-in nat for outbound traffic.  I'd like
> to redirect certain ports on certain addresses to the same ports on
> internal (RFC1918) addresses.  The examples in the man page aren't
> helpful, and the handbook still seems very natd-centric in its
> examples.  Thanks in advance.

I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface
corresponding to my internet connection):

nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 22
add nat 123 ip from any to any via re0.2

which redirects incoming port 22 connections to 10.0.0.3.  If you want to
redirect more ports, add more "redirect_port tcp host:port port" expressions
to the end of your nat line.  I believe you can run the nat config command
manually with a new list (as in "ipfw nat 123 ...") to add/remove entries
dynamically.  I'm not at home to try it, and don't want to risk losing my
remote connection if I mess up :)

--
    Dan Nelson
    dnelson@allantgroup.com
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"



I have used IPFW for many years now. As for forwarding traffic from your gateway
to internal machines, I've always used the following in my /etc/natd.conf file:

dynamic
redirect_port tcp 10.0.0.254:80 80     # Apache Webserver inside my LAN
redirect_port udp 10.0.0.214:1194 1194 # OpenVPN Port
redirect_port tcp 10.0.0.213:443 443   # OpenVPN Port

Of course you will need a line like this in your /etc/rc.conf to get natd to
read this file:

natd_flags="-f /etc/natd.conf"
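The two replies above show the same port redirects in two syntaxes: natd's one-rule-per-line /etc/natd.conf and the single in-kernel "ipfw nat ... config" line. The script below is an added example, not code from either poster, that reads natd.conf-style redirect_port lines (a constructed sample modelled on Bill's file is embedded), checks that every target is an RFC 1918 address and that no external proto/port is redirected twice, and emits the two ipfw lines in the form Dan's reply uses. The instance number 123 and interface re0.2 are taken from Dan's example and are placeholders for your own values; the "dynamic" option has no counterpart in the generated output and is skipped.

```python
#!/usr/bin/env python3
"""Added example (not from the list posts): translate natd.conf-style
redirect_port lines into the two-line in-kernel 'ipfw nat' form shown in
Dan's reply, after sanity-checking the redirects.

Assumptions: redirect lines use the 'redirect_port proto ip:port ext_port'
form seen in the thread; nat instance 123 and interface re0.2 are copied
from Dan's example and stand in for your own.
"""
import ipaddress
import re

# Constructed sample, modelled on the /etc/natd.conf in Bill's post.
SAMPLE_NATD_CONF = """\
dynamic
redirect_port tcp 10.0.0.254:80 80 # Apache Webserver inside my LAN
redirect_port udp 10.0.0.214:1194 1194 # OpenVPN Port
redirect_port tcp 10.0.0.213:443 443   # OpenVPN Port
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

REDIRECT_RE = re.compile(
    r"^redirect_port\s+(tcp|udp)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\d+)$")


def parse_natd_conf(text):
    """Return (proto, target_ip, target_port, ext_port) tuples.

    Comments are stripped; lines that are not redirect_port (for example
    'dynamic') are skipped rather than translated.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("redirect_port"):
            continue
        m = REDIRECT_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        proto, ip, tport, eport = m.groups()
        rules.append((proto, ip, int(tport), int(eport)))
    return rules


def check_rules(rules):
    """Return a list of problems (empty if the rule set looks sane).

    Flags targets outside RFC 1918 space (the question was about
    forwarding to internal addresses), ports out of range, and the same
    external proto/port redirected twice, which would shadow one entry.
    """
    problems = []
    seen = set()
    for proto, ip, tport, eport in rules:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in RFC1918):
            problems.append(f"{ip} is not an RFC 1918 address")
        for port in (tport, eport):
            if not 1 <= port <= 65535:
                problems.append(f"port {port} out of range")
        if (proto, eport) in seen:
            problems.append(f"external {proto}/{eport} redirected twice")
        seen.add((proto, eport))
    return problems


def ipfw_nat_config(rules, instance=123, iface="re0.2"):
    """Build the two ipfw lines from Dan's reply, with one redirect_port
    clause per natd rule appended to the 'nat ... config' line."""
    clauses = " ".join(f"redirect_port {proto} {ip}:{tport} {eport}"
                       for proto, ip, tport, eport in rules)
    return [
        f"nat {instance} config if {iface} log same_ports {clauses}",
        f"add nat {instance} ip from any to any via {iface}",
    ]


if __name__ == "__main__":
    parsed = parse_natd_conf(SAMPLE_NATD_CONF)
    for problem in check_rules(parsed):
        print("warning:", problem)
    print("\n".join(ipfw_nat_config(parsed)))
```

The two printed lines go at the top of /etc/ipfw.conf as in Dan's reply; the in-kernel nat needs the ipfw_nat kernel module (or options IPFIREWALL_NAT) to be available, and any warnings printed by check_rules should be resolved before loading the ruleset, since a duplicate external port or a public target address is the kind of mistake that is easy to miss on a long single config line.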