Re: [fw-wiz] FreeBSD 4.9 ipfw natd -- Port Forwarding
From: Ng Pheng Siong (ngps_at_netmemetic.com)
To: Adam Humphrey <email@example.com> Date: Tue, 29 Jun 2004 10:11:59 +0800
On Mon, Jun 28, 2004 at 06:05:41PM -0700, Adam Humphrey wrote:
> I tried the ipfw fwd command as well with no success. It was forwarding the
> packets perfectly but they were still addressed to the outside IP address of
> my freeBSD server and my internal web server was dropping them because they
> were not addressed to its IP.
Ah, yes, natd's manpage says:
It changes all packets destined for another host so that their source IP
address is that of the current machine.
This looks like where your first case is tripping up.
And ipfw's manpage says, for 'fwd':
In particular, the destination address remains unmodified, so packets
forwarded to another system will usually be rejected by that system
unless there is a matching rule on that system to capture them.
Which is where my suggestion is tripping up in your case.
Ok, so you want to NAT the external destination address, but keep the
external source addresses visible to your internal destination addresses.
You might want to try ipnat/ipfilter, then. Something like this:
map <external-iface> 192.168.x.x/32 -> x.x.x.x/32
rdr <external-iface> x.x.x.x/32 port 80 -> 192.168.x.x port 80 tcp
First line NATs external address x.x.x.x to internal address 192.168.x.x.
Second line forwards packets hitting x.x.x.x:80 to the internal address.
It is possible to mix and match ipfw and ipfilter, because they hook into
different spots in the packet processing code. You can keep the rest of
your ipfw rules if you don't want to attempt to change them to ipfilter.
-- Ng Pheng Siong <firstname.lastname@example.org> http://firewall.rulemaker.net -+- Version Control for Cisco PIX & Netscreen http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL/Zope, Blog _______________________________________________ firewall-wizards mailing list email@example.com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards