Date:      Fri, 28 Jul 2006 23:35:14 +0300
From:      vladone <vladone@spaingsm.com>
To:        ipfw@freebsd.org
Subject:   Re: ipfw and natd routing problems
Message-ID:  <44756092.20060728233514@spaingsm.com>
In-Reply-To: <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
References:  <28745bbf0607270947i6d71369fg5c1403b2d6e36219@mail.gmail.com> <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>

Hello Adam,

Friday, July 28, 2006, 2:12:32 PM, you wrote:

> Hi,

> I've recently installed FreeBSD on a Soekris Net 4801 to act as my
> LAN's router. I have got natd and ipfw working fine (there was
> originally some trouble with getting an IP from NTL via dhcp because I
> hadn't allowed the cable modem's ip to talk to the router, or NTL's
> dhcp servers to also talk to the router). My only problem now is that
> although connections going out through natd work fine, natd port
> forwarding does not work correctly. I am not sure whether this is a
> problem with natd or just my ipfw rule(s), though I am more inclined
> to believe it is ipfw!

> ipfw and natd are enabled in /etc/rc.conf through the following lines:

> #enable firewall
> firewall_enable="YES"
> #path to rules
> firewall_type="/etc/fw/firewall.rules"
> #be non-verbose?
> firewall_quiet="NO"

> #enable natd
> natd_enable="YES"
> #natd interface
> natd_interface="sis0"
> #flags for natd
> natd_flags="-f /etc/fw/natd.conf"

> Below is my ipfw natd rule, and the natd.conf file:

> [ipfw]
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state

> [natd.conf]
> unregistered_only
> interface sis0
> use_sockets
> dynamic
> punch_fw 2000:100
> same_ports
> redirect_port tcp 192.168.0.5:80 80
> redirect_port tcp 192.168.0.5:6700-6725 6700-6725

> When trying to access port 80 (the httpd) externally, the connection
> just times out, as does any other connection. Any help would be
> greatly appreciated!

> Adam
> _______________________________________________
> freebsd-ipfw@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> To unsubscribe, send any mail to
> "freebsd-ipfw-unsubscribe@freebsd.org"
You need to add a natd rule for outgoing packets too, not only for
incoming.
So you need a rule like this at the end of the rules:
add 05000 divert natd ip from any to any out via sis0
With two rules for natd (one for incoming and another for outgoing) you
can control the traffic flow more exactly.

Otherwise you can use a single natd rule at the beginning, like this:
add 1000 divert natd all from any to any via sis0

-- 
Best regards,
 vladone                            mailto:vladone@spaingsm.com

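The thread shows only the two natd-related lines of Adam's ruleset, and vladone's reply gives the missing outgoing divert rule in isolation. Below is an added example (not code from either poster) of a complete stateful ipfw ruleset that puts both divert rules where they belong and also covers the point neither message spells out: once rule 01000 has handed an inbound packet to natd, the redirect_port targets have already been rewritten, so the rule that admits a forwarded connection must match the private destination 192.168.0.5, not the public address. It assumes sis1 is the LAN interface, 192.168.0.0/24 is the LAN, and the file is loaded through firewall_type="/etc/fw/firewall.rules" as in Adam's rc.conf (so lines carry no "ipfw" prefix); those three points are assumptions, everything else is taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: stateful ipfw ruleset with natd
# diverted on the way in (01000) and on the way out (05000).
# Assumptions not stated in the thread: sis1 is the LAN interface, the LAN
# is 192.168.0.0/24, the file is loaded via firewall_type=<path>.
oif=sis0            # outside interface (from the post)
iif=sis1            # LAN interface (assumption)
lan=192.168.0.0/24  # LAN subnet (assumption)
web=192.168.0.5     # redirect_port target (from natd.conf in the post)

# emit_rules prints the ruleset; nothing is loaded until apply_rules runs.
emit_rules() {
cat <<EOF
add 00100 allow ip from any to any via lo0
add 00200 deny ip from any to 127.0.0.0/8
add 00300 deny ip from 127.0.0.0/8 to any
# Trust the LAN interface itself; LAN traffic is filtered when it exits ${oif}.
add 00400 allow ip from any to any via ${iif}
# DHCP client on the outside interface (the ISP lease), before NAT gets a look.
add 00500 allow udp from any 68 to any 67 out via ${oif}
add 00501 allow udp from any 67 to any 68 in via ${oif}
# 1. Un-NAT everything arriving on ${oif} first. natd rewrites the destination
#    of a redirect_port packet to ${web}, so later rules see the private address.
add 01000 divert natd ip from any to any in via ${oif}
add 01001 check-state
# 2. Inbound port forwards: match the *translated* destination. skipto rather
#    than allow, so the server's replies (matched via check-state) still pass
#    through the outgoing natd rule and get their source address rewritten.
add 01100 skipto 05000 tcp from any to ${web} 80 in via ${oif} setup keep-state
add 01101 skipto 05000 tcp from any to ${web} 6700-6725 in via ${oif} setup keep-state
# 3. The router's own traffic: public source address, no NAT needed.
add 01200 allow tcp from me to any out via ${oif} setup keep-state
add 01201 allow udp from me to any out via ${oif} keep-state
add 01202 allow icmp from me to any out via ${oif} keep-state
# 4. LAN hosts out. The dynamic rule is created on the private address, so a
#    reply matches check-state only after rule 01000 has un-NATted it.
#    Rules 2000-2099 are left free: natd's "punch_fw 2000:100" inserts there.
add 03000 skipto 05000 tcp from ${lan} to any out via ${oif} setup keep-state
add 03001 skipto 05000 udp from ${lan} to any out via ${oif} keep-state
add 03002 skipto 05000 icmp from ${lan} to any out via ${oif} keep-state
# 5. Anything falling through sequentially is dropped; only skipto reaches 05000.
add 04999 deny log ip from any to any
# 6. NAT on the way out, then accept. natd reinjects after 05000, and inbound
#    forwards jump here too, so 05001 must accept both directions.
add 05000 divert natd ip from any to any out via ${oif}
add 05001 allow ip from any to any
EOF
}

# apply_rules writes the ruleset to a file and loads it the way rc.firewall
# does for firewall_type=<path>: flush, then feed the file to ipfw(8).
apply_rules() {
  file=${1:-/etc/fw/firewall.rules}
  emit_rules > "$file" || return 1
  ipfw -q -f flush && ipfw -q "$file"
}

# check_rules verifies, on the emitted text, the two things this thread is
# about: a divert rule for each direction, and the inbound forward rule
# numbered after the inbound divert (so it sees the translated address).
check_rules() {
  rules=$(emit_rules)
  in_div=$(printf '%s\n' "$rules" | awk '/^add [0-9]+ divert natd .* in via / {print $2}')
  out_div=$(printf '%s\n' "$rules" | awk '/^add [0-9]+ divert natd .* out via / {print $2}')
  fwd=$(printf '%s\n' "$rules" | awk -v w="to $web 80 " 'index($0, w) {print $2; exit}')
  [ -n "$in_div" ] && [ -n "$out_div" ] && [ -n "$fwd" ] && [ "$fwd" -gt "$in_div" ]
}

case "${1:-}" in
  apply) apply_rules "${2:-}" ;;
  check) check_rules ;;
  *)     emit_rules ;;
esac
```

Run it with no arguments to print the ruleset, `check` to run the sanity check, or `apply` (as root) to write and load /etc/fw/firewall.rules. Two design points matter for the symptom in the thread. First, the keep-state rules that need NAT use `skipto 05000` instead of `allow`: a dynamic rule inherits its parent's action, so with `allow` the web server's reply from 192.168.0.5 would be accepted at check-state with its private source address and never reach natd. Second, the ruleset stays out of 2000-2099 because Adam's natd.conf has `punch_fw 2000:100`, which lets natd insert its own temporary rules in that range. vladone's shorter variant, a single `divert natd all from any to any via sis0` near the top, works as well with the same allow rules, as long as the inbound forward rules still match 192.168.0.5 and come after the divert. `ipfw -d list` shows the dynamic rules, which is the quickest way to confirm that a forwarded connection created state on the private address.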


