Date:      Fri, 21 Sep 2001 16:00:51 -0700
From:      "Crist J. Clark" <cristjc@earthlink.net>
To:        SNF <snf_lists@yahoo.com>
Cc:        Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: IPFW/NATD - forward all port 25, 110, 143 connections to an internal 10 series server
Message-ID:  <20010921160051.E980@blossom.cjclark.org>
In-Reply-To: <LOBBKFILCMGGNDCBBCELOENDECAA.snf_lists@yahoo.com>; from snf_lists@yahoo.com on Fri, Sep 21, 2001 at 04:34:00PM -0500
References:  <LOBBKFILCMGGNDCBBCELOENDECAA.snf_lists@yahoo.com>

On Fri, Sep 21, 2001 at 04:34:00PM -0500, SNF wrote:
> Hi,
> 
> I currently have a FreeBSD 4.3 machine that is running ipfw and natd.  Two
> physically separate interfaces are installed on the machine providing an
> interior 10. series network with access to the external world (internet).
> My provider only provides us with one IP and 5 more would double my monthly
> costs.  So, I need to use that one IP for dns, email and web serving...  I
> have a qmail server set up with a private address on the inside and would
> like to forward all port 25, 110 and 143 connections coming to the outside
> interface (24.159.225.186) to that server (10.10.20.40).  The crux that I
> see is that I still need to allow normal client access (from that 10.20.20
> network) to email servers outside of my network.  So, if someone from the
> inside wants to go to pop.mail.yahoo.com or smtp.mail.yahoo.com, I would
> like that connection to be forwarded to the server (as it has been and has
> been working since I set up the gateway/firewall/natd box).  On the other
> hand, when someone tries to access port 25, 110 or 143 specifically on
> 24.159.225.186, I would like to have that forwarded to 10.10.20.40.  I have
> to recompile my kernel to add the IPFIREWALL_FORWARD option and I'm simply
> not sure how to set up the rule correctly.  Would something along the lines
> of
> 
> (for pop)
> ${fwcmd} add forward tcp from 24.159.225.186 25 to 10.10.20.40 25 via
> 10.10.20.1
> 
> or is there going to be much more needed?  (All connections from the inside
> are allowed to outgoing machines, so I didn't think I would need the
> opposite of this rule allowing the return connection from 10.10.20.40 to be
> set up in a rule.)  Or, is this something that would be more appropriately
> done using a different type of rule?  I will eventually want to do the same
> thing with a web server or two...

The 'fwd' rules do not work how you expect. ipfw(8) does not change
the contents of the packet. You want to do natd(8) 'redirect_port'
within natd(8).
-- 
Crist J. Clark                           cjclark@alum.mit.edu
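
The natd(8) approach suggested in the reply, written out as an added example; it is not part of the original message. The interface name `ext0` and the ipfw rule numbers are placeholders, since the thread gives neither.

```conf
# /etc/natd.conf (added example, not from the original thread)
# Assumption: "ext0" stands in for the outside interface that carries
# 24.159.225.186; the thread does not name it.
interface ext0

# Syntax: redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
# With no aliasIP given, natd uses the address of the interface above.
# natd rewrites the destination of matching inbound packets, which is
# the step an ipfw 'fwd' rule does not perform.

# SMTP
redirect_port tcp 10.10.20.40:25 25
# POP3
redirect_port tcp 10.10.20.40:110 110
# IMAP
redirect_port tcp 10.10.20.40:143 143

# ipfw side, shown as comments (rule numbers are constructed):
#
#   ipfw add 50  divert natd all from any to any via ext0
#   ipfw add 600 allow tcp from any to 10.10.20.40 25,110,143 setup
#
# Rules evaluated after the divert see the translated packet, so the
# allow rule matches the internal address 10.10.20.40, not the public
# one. Only these three ports are exposed to the mail server.
#
# Connections from inside clients to outside mail servers are not
# addressed to the outside interface, so they do not match a
# redirect_port entry and keep using the normal NAT path.
```

No IPFIREWALL_FORWARD kernel option is involved here; natd must be restarted to pick up the changed configuration file.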