Re: [fw-wiz] FreeBSD 4.9 ipfw natd -- Port Forwarding

From: Ng Pheng Siong (ngps_at_netmemetic.com)
Date: 06/29/04

  • Next message: Stiennon,Richard: "RE: [fw-wiz] Firewalls Compared"
    To: Adam Humphrey <hump@casualritual.com>
    Date: Tue, 29 Jun 2004 10:11:59 +0800
    
    

    On Mon, Jun 28, 2004 at 06:05:41PM -0700, Adam Humphrey wrote:
    > I tried the ipfw fwd command as well with no success. It was forwarding the
    > packets perfectly but they were still addressed to the outside IP address of
    > my FreeBSD server and my internal web server was dropping them because they
    > were not addressed to its IP.

    Ah, yes, natd's manpage says:

         It changes all packets destined for another host so that their source IP
         address is that of the current machine.

    This looks like where your first case is tripping up.

    And ipfw's manpage says, for 'fwd':

         In particular, the destination address remains unmodified, so packets
         forwarded to another system will usually be rejected by that system
         unless there is a matching rule on that system to capture them.

    Which is where my suggestion is tripping up in your case.

    Ok, so you want to NAT the external destination address, but keep the
    external source addresses visible to your internal destination addresses.

    You might want to try ipnat/ipfilter, then. Something like this:

      map <external-iface> 192.168.x.x/32 -> x.x.x.x/32
      rdr <external-iface> x.x.x.x/32 port 80 -> 192.168.x.x port 80 tcp

    First line NATs external address x.x.x.x to internal address 192.168.x.x.
    Second line forwards packets hitting x.x.x.x:80 to the internal address.

    It is possible to mix and match ipfw and ipfilter, because they hook into
    different spots in the packet processing code. You can keep the rest of
    your ipfw rules if you don't want to attempt to change them to ipfilter.

    Cheers.

    -- 
    Ng Pheng Siong <ngps@netmemetic.com> 
    http://firewall.rulemaker.net -+- Version Control for Cisco PIX & Netscreen 
    http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL/Zope, Blog
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
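As an added illustration (not part of the original message or of any ipfw, natd or ipnat source), the following Python model walks a single inbound HTTP packet through the three behaviours the thread contrasts: `ipfw fwd` leaving the header untouched, natd rewriting the source to the gateway as the quoted manpage is read above, and the two ipnat lines rewriting only the destination on the way in and only the source on the way out. The addresses are constructed stand-ins for the thread's `x.x.x.x` and `192.168.x.x`, and the "internal server" simply drops anything not addressed to its own IP, which is the symptom Adam reported.

```python
from dataclasses import dataclass

# Constructed sample addresses standing in for the thread's x.x.x.x / 192.168.x.x
GATEWAY_EXT = "203.0.113.1"   # outside address of the FreeBSD box (x.x.x.x)
WEB_INT = "192.168.1.10"      # internal web server (192.168.x.x)
CLIENT = "198.51.100.7"       # an external client connecting to the web site


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


def ipfw_fwd(pkt: Packet) -> Packet:
    # ipfw 'fwd' only changes the next hop; per its manpage the destination
    # address remains unmodified, so the header is returned as-is.
    return pkt


def natd_redirect(pkt: Packet) -> Packet:
    # natd as the quoted manpage is read in the thread: the packet is sent to
    # the internal host, but its source address becomes this machine's.
    return Packet(src=GATEWAY_EXT, dst=WEB_INT, sport=pkt.sport, dport=pkt.dport)


def ipnat_rdr(pkt: Packet) -> Packet:
    # Models 'rdr <ext> x.x.x.x/32 port 80 -> 192.168.x.x port 80 tcp':
    # only the destination is rewritten; the external source is preserved.
    if pkt.dst == GATEWAY_EXT and pkt.dport == 80:
        return Packet(src=pkt.src, dst=WEB_INT, sport=pkt.sport, dport=80)
    return pkt


def ipnat_map(pkt: Packet) -> Packet:
    # Models 'map <ext> 192.168.x.x/32 -> x.x.x.x/32': replies leaving the
    # internal web server get the gateway's external address as source.
    if pkt.src == WEB_INT:
        return Packet(src=GATEWAY_EXT, dst=pkt.dst, sport=pkt.sport, dport=pkt.dport)
    return pkt


def internal_server_receives(pkt: Packet):
    """What the internal web server does with an arriving packet.

    Returns (accepted, source address the server would log)."""
    if pkt.dst != WEB_INT:
        return (False, None)      # not addressed to its IP: dropped, as in the thread
    return (True, pkt.src)


def compare_methods():
    """Run one inbound client packet through each forwarding method."""
    inbound = Packet(src=CLIENT, dst=GATEWAY_EXT, sport=51234, dport=80)
    return {
        "ipfw fwd": internal_server_receives(ipfw_fwd(inbound)),
        "natd": internal_server_receives(natd_redirect(inbound)),
        "ipnat rdr": internal_server_receives(ipnat_rdr(inbound)),
    }


def reply_path() -> Packet:
    """The web server's answer, after the ipnat 'map' line rewrites its source."""
    reply = Packet(src=WEB_INT, dst=CLIENT, sport=80, dport=51234)
    return ipnat_map(reply)


if __name__ == "__main__":
    for name, (accepted, seen) in compare_methods().items():
        print(f"{name:10s} accepted={accepted} source_seen_by_server={seen}")
    print("reply leaves the gateway as", reply_path())
```

Only the ipnat pair both delivers the packet and lets the web server log the real client address; the `map` line is what makes the return traffic come from the address the client originally connected to, which is why the two rules go together.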
    
