Re: [fw-wiz] FreeBSD 4.9 ipfw natd -- Port Forwarding

From: Ng Pheng Siong
Date: 06/29/04

    To: Adam Humphrey
    Date: Tue, 29 Jun 2004 10:11:59 +0800

    On Mon, Jun 28, 2004 at 06:05:41PM -0700, Adam Humphrey wrote:
    > I tried the ipfw fwd command as well with no success. It was forwarding the
    > packets perfectly but they were still addressed to the outside IP address of
    > my FreeBSD server and my internal web server was dropping them because they
    > were not addressed to its IP.

    Ah, yes, natd's manpage says:

         It changes all packets destined for another host so that their source IP
         address is that of the current machine.

    This looks like where your first case is tripping up.

    And ipfw's manpage says, for 'fwd':

         In particular, the destination address remains unmodified, so packets
         forwarded to another system will usually be rejected by that system
         unless there is a matching rule on that system to capture them.

    Which is where my suggestion is tripping up in your case.

    Ok, so you want to NAT the external destination address, but keep the
    external source addresses visible to your internal destination addresses.

    You might want to try ipnat/ipfilter, then. Something like this:

      map <external-iface> 192.168.x.x/32 -> x.x.x.x/32
      rdr <external-iface> x.x.x.x/32 port 80 -> 192.168.x.x port 80 tcp

    First line NATs external address x.x.x.x to internal address 192.168.x.x.
    Second line forwards packets hitting x.x.x.x:80 to the internal address.

    It is possible to mix and match ipfw and ipfilter, because they hook into
    different spots in the packet processing code. You can keep the rest of
    your ipfw rules if you don't want to attempt to change them to ipfilter.


    Ng Pheng Siong <> -+- Version Control for Cisco PIX & Netscreen -+- M2Crypto, ZServerSSL/Zope, Blog
    firewall-wizards mailing list
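
Added example (not part of the original message): a small Python model of the address rewriting discussed in this thread, showing why `fwd` leaves the internal web server dropping packets while `rdr` delivers them with the client's source address still visible. The addresses, the `Packet` class and every function name are constructed for illustration; this models header rewriting only and is not ipfw, natd or ipfilter code.

```python
# Added illustration; all addresses are constructed (RFC 5737 / RFC 1918).
from dataclasses import dataclass, replace
EXT_IP, WEB_IP, CLIENT = "203.0.113.10", "192.168.1.10", "198.51.100.7"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

def ipfw_fwd(pkt, next_hop):
    # 'fwd' only picks a different next hop; the IP header is untouched.
    return pkt

def source_nat(pkt, gw_ip):
    # Source rewriting, as in the natd manpage sentence quoted in the message.
    return replace(pkt, src=gw_ip)

class Rdr:
    # 'rdr': rewrite the destination only and remember the session for replies.
    def __init__(self, ext_ip, port, int_ip):
        self.ext_ip, self.port, self.int_ip, self.sessions = ext_ip, port, int_ip, set()
    def inbound(self, pkt):
        if (pkt.dst, pkt.dport) != (self.ext_ip, self.port):
            return pkt
        self.sessions.add((pkt.src, pkt.sport))
        return replace(pkt, dst=self.int_ip)
    def outbound(self, pkt):
        # Replies belonging to a redirected session get the external address back.
        hit = (pkt.src, pkt.sport) == (self.int_ip, self.port) and (pkt.dst, pkt.dport) in self.sessions
        return replace(pkt, src=self.ext_ip) if hit else pkt

def accepts(pkt, own_ip):
    # A host with no capture rule takes only packets addressed to itself.
    return pkt.dst == own_ip

def run_cases():
    syn = Packet(CLIENT, EXT_IP, 40000, 80)
    rdr = Rdr(EXT_IP, 80, WEB_IP)
    redirected = rdr.inbound(syn)
    reply = rdr.outbound(Packet(WEB_IP, CLIENT, 80, 40000))
    return {"fwd_accepted": accepts(ipfw_fwd(syn, WEB_IP), WEB_IP),
            "rdr_accepted": accepts(redirected, WEB_IP),
            "rdr_logged_src": redirected.src, "reply_src": reply.src,
            "snat_logged_src": source_nat(redirected, EXT_IP).src}

if __name__ == "__main__":
    print(run_cases())
```

The `rdr_logged_src` and `snat_logged_src` values are what the web server's access log would record in each case, which is the property that matters when per-client logging or address-based access control runs on the internal host.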