Date:      28 Feb 2005 09:29:13 -0500
From:      Lowell Gilbert <freebsd-questions-local@be-well.ilk.org>
To:        Deling Ren <lg+freebsd@home.homeunix.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Question about ipfw, natd and port forwarding.
Message-ID:  <44d5ukzrk6.fsf@be-well.ilk.org>
In-Reply-To: <20050225233650.X66135@sun.home.homeunix.org>
References:  <20050225233650.X66135@sun.home.homeunix.org>

Deling Ren <lg+freebsd@home.homeunix.org> writes:

> Hi all, I am trying to set up a NAT box for my home network on freebsd 5.3.
> I am using ipfw and natd. I already got nat running but I am having a
> problem with port forwarding. I am trying to forward port 80 on the nat
> box to an internal machine (192.168.0.7). I have the following as part of
> natd_flags:
> 
> -redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80
> 
> where xx.xx.xx.xx is the external IP of the nat box.
> 
> Using the following ipfw rules:
> 
> 00050 divert 8668 ip from any to any via sis0
> 65535 allow ip from any to any
> 
> I have no problem connecting port 80 on the nat box from outside. But as I
> added stateful ipfw rules, it stops working. Running nmap from outside
> says port 80 is filtered. I am not sure how to configure the rules to
> enable port forwarding. Any help will be appreciated. Thanks.
> 
> Deling
> 
> Here are my ipfw rules:
> 
> 00005 allow ip from any to any via $iif
> 00010 allow ip from any to any via lo0
> 00014 divert 8668 ip from any to any in via $oif
> 
> 00015 check-state
> 
> 00060 skipto 800 tcp from any to any out via $oif setup keep-state
> 00080 skipto 800 icmp from any to any out via $oif keep-state
> 00130 skipto 800 udp from any to any out via $oif keep-state
> 
> 00340 allow icmp from any to me in via $oif keep-state
> 
> 00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
> 00380 allow tcp from any to me dst-port 22 in via $oif setup limit src-addr 5
> 
> 00400 deny log logamount 5 ip from any to any in via $oif
> 00450 deny log logamount 5 ip from any to any out via $oif
> 
> 00800 divert 8668 ip from any to any out via $oif
> 00801 allow ip from any to any
> 00999 deny log logamount 5 ip from any to any

Stateful rules are quite tricky in combination with address rewriting,
because the state being saved won't match the packet after it's passed
through the rewriting.  This rule set seems to handle that by
splitting the redirect rule into one for each direction, but I'd still
look in that direction for the trouble.  Try removing the log limits
and seeing what happens when an HTTP packet gets dropped.
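A small helper for the debugging step suggested above, added here as an example and not part of the thread: it parses the kernel's ipfw log lines (format `ipfw: <rule> <Action> <PROTO> src:port dst:port in|out via <iface>`) and, for every denied HTTP packet, reports which rule dropped it and whether its addresses are pre- or post-NAT. The sample log, the external address 198.51.100.9 (standing in for xx.xx.xx.xx) and the host name are constructed.

```python
import re
from collections import Counter

# Kernel log line format for ipfw "log" rules, e.g.
#   ipfw: 400 Deny TCP 203.0.113.5:40112 198.51.100.9:80 in via sis0
IPFW_LOG = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# Constructed sample lines (not from the thread). 198.51.100.9 stands in for
# the NAT box's external address; 192.168.0.7 is the internal web server.
SAMPLE_LOG = """\
Feb 28 09:29:13 natbox kernel: ipfw: 450 Deny TCP 192.168.0.7:80 203.0.113.5:40112 out via sis0
Feb 28 09:29:14 natbox kernel: ipfw: 400 Deny TCP 203.0.113.5:40113 198.51.100.9:80 in via sis0
Feb 28 09:29:15 natbox kernel: ipfw: 400 Deny UDP 203.0.113.7:5353 198.51.100.9:5353 in via sis0
Feb 28 09:29:16 natbox kernel: ipfw: 450 Deny TCP 192.168.0.7:80 203.0.113.5:40112 out via sis0
"""

def parse_ipfw_log(text):
    """Yield one dict per ipfw log line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = IPFW_LOG.search(line)
        if m:
            yield m.groupdict()

def classify_drop(entry, external_ip, internal_host):
    """Say what a dropped packet's addresses reveal about where NAT happened."""
    if entry["dir"] == "in" and entry["dst"] == external_ip:
        return "inbound packet still has the external address: natd had not rewritten it"
    if entry["dir"] == "in" and entry["dst"] == internal_host:
        return "inbound packet was rewritten to the internal host but no rule accepted it"
    if entry["dir"] == "out" and entry["src"] == internal_host:
        return "reply left with the private source address: it never reached the outbound divert"
    if entry["dir"] == "out" and entry["src"] == external_ip:
        return "reply was rewritten but then denied on the way out"
    return "not a NAT-related address pattern"

def diagnose_http_drops(text, external_ip, internal_host, port="80"):
    """Count denied TCP packets touching `port`, keyed by rule, direction and finding."""
    counts = Counter()
    for e in parse_ipfw_log(text):
        if e["action"] != "Deny" or e["proto"] != "TCP" or port not in (e["sport"], e["dport"]):
            continue
        counts[(e["rule"], e["dir"], classify_drop(e, external_ip, internal_host))] += 1
    return counts

if __name__ == "__main__":
    for (rule, direction, finding), n in diagnose_http_drops(SAMPLE_LOG, "198.51.100.9", "192.168.0.7").items():
        print(f"rule {rule} {direction}: {n} packet(s); {finding}")
```

The counts only reflect lines that reached the log: once a rule's logamount limit is hit it stops logging until `ipfw resetlog` clears the counters, which is why removing the limits first helps.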
