Re: [fw-wiz] FreeBSD 4.9 ipfw natd -- Port Forwarding

From: Adam Humphrey (hump_at_casualritual.com)
Date: 06/29/04

    To: Ng Pheng Siong <ngps@netmemetic.com>, Adam Humphrey <hump@casualritual.com>
    Date: Mon, 28 Jun 2004 18:05:41 -0700


    I tried the ipfw fwd command as well with no success. It was forwarding the
    packets perfectly but they were still addressed to the outside IP address of
    my FreeBSD server and my internal web server was dropping them because they
    were not addressed to its IP.

    Thanks for the help.

    Regards,

    Adam

    > From: Ng Pheng Siong <ngps@netmemetic.com>
    > Date: Tue, 29 Jun 2004 08:22:41 +0800
    > To: Adam Humphrey <hump@casualritual.com>
    > Cc: <firewall-wizards@honor.icsalabs.com>
    > Subject: Re: [fw-wiz] FreeBSD 4.9 ipfw natd -- Port Forwarding
    >
    > On Fri, Jun 25, 2004 at 05:27:18PM -0700, Adam Humphrey wrote:
    >> Natd.conf:
    >> redirect_port tcp 192.168.1.101:80 80
    >>
    >> But now my web logs show everything coming from my firewall's external IP
    >> address and not the actual IP of the request.
    >>
    >> How do I get the original IP for the request to pass though my firewall and
    >> get my log files displaying the appropriate source IP addresses?
    >
    > I use 'ipfw fwd', no NAT. I don't see the problem you describe. In my case
    > the packets are being forwarded to a RFC 1918-addressed jail within the
    > same box. Purely from a packet flow perspective I think there is no
    > difference between this and forwarding to an external server, although I
    > can't rule out the involvement of some magic kernel knobs and I haven't
    > read the code in a while.
    >
    > Example from my /etc/rc.firewall.rules:
    >
    > add <number> fwd 192.168.x.x tcp from any to x.x.x.x 80 keep-state setup
    >
    > See manpage for more info on 'fwd'.
    >
    > HTH. Cheers.
    >
    > --
    > Ng Pheng Siong <ngps@netmemetic.com>
    >
    > http://firewall.rulemaker.net -+- Version Control for Cisco PIX & Netscreen
    > http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL/Zope, Blog
    >

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
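The exchange above turns on one difference between the two mechanisms: `ipfw fwd` changes only the next hop and leaves the IP header (including the destination address) untouched, whereas natd's `redirect_port` rewrites the destination before the packet reaches the inside host. The following is an added model of that behaviour, not code from either poster; the addresses are constructed placeholders (the thread's x.x.x.x), and the rule that a jail on the firewall box accepts `fwd`-ed packets through the local stack is an assumption drawn from Ng's report rather than from the page itself.

```python
# Added example (not from the thread): a small model of ipfw fwd versus natd
# redirect_port, showing why fwd'ed packets still carried the firewall's public
# IP as destination and were dropped by a separate internal web server.
from dataclasses import dataclass, replace
from typing import Optional, Tuple

FW_PUBLIC = "203.0.113.10"      # constructed stand-in for the firewall's x.x.x.x
WEB_INTERNAL = "192.168.1.101"  # internal web server from the thread's natd.conf


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    next_hop: Optional[str] = None  # set by ipfw fwd; not part of the IP header


def ipfw_fwd(pkt: Packet, target: str) -> Packet:
    """'fwd target tcp from any to FW_PUBLIC 80': only the next hop changes.
    The header, and therefore dst, is left exactly as the client sent it."""
    if pkt.dst == FW_PUBLIC and pkt.dport == 80:
        return replace(pkt, next_hop=target)
    return pkt


def natd_redirect_port(pkt: Packet, target: str, port: int = 80) -> Packet:
    """'redirect_port tcp 192.168.1.101:80 80': inbound dst is rewritten to the
    internal host; the source address is carried through unchanged."""
    if pkt.dst == FW_PUBLIC and pkt.dport == port:
        return replace(pkt, dst=target)
    return pkt


def server_accepts(pkt: Packet, server_ip: str, on_firewall_box: bool) -> bool:
    """A separate host only accepts packets addressed to it. A jail living on
    the firewall box (assumption modelled on Ng's setup) receives fwd'ed
    packets via the local stack, so dst need not match its address."""
    if on_firewall_box and pkt.next_hop == server_ip:
        return True
    return pkt.dst == server_ip


def deliver(pkt: Packet, mechanism, remote_server: bool = True) -> Tuple[bool, Optional[str]]:
    """Push one inbound packet through a mechanism and report whether the web
    server accepts it and which source address it would log."""
    out = mechanism(pkt, WEB_INTERNAL)
    ok = server_accepts(out, WEB_INTERNAL, on_firewall_box=not remote_server)
    return ok, (out.src if ok else None)
```

In this model `redirect_port` alone delivers the client's real source address to the server, so a log full of the firewall's own IP points at something else in the path (for example the packets also passing an aliasing natd rule on the way in), which the thread does not resolve.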

