Date:      Fri, 9 Mar 2001 02:39:46 -0600
From:      Andrew Hesford <ajh3@chmod.ath.cx>
To:        Pablo Bendersky <pbendersky@itineri.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Problem setting up NAT
Message-ID:  <20010309023946.A19665@cec.wustl.edu>
In-Reply-To: <JPEAKMLHKPBJHAEBDFIEAECOCCAA.pbendersky@itineri.com>; from pbendersky@itineri.com on Thu, Mar 08, 2001 at 12:07:00PM -0300
References:  <JPEAKMLHKPBJHAEBDFIEAECOCCAA.pbendersky@itineri.com>

Below you will find a copy of my ipfw ruleset. I have one external IP
connected via ed0, and an internal address on dc0. The internal address
connects to my hub and handles NAT. Incoming requests from the outside
world on ports 22, 25, and 80 are forwarded to a machine inside. Check
to make sure your rules are similar.

For natd, I run:

  natd -redirect_port tcp 192.168.1.5:22 22 -redirect_port tcp 192.168.1.5:25 25 \
       -redirect_port tcp 192.168.1.5:80 80 -interface ed0

Also, a word of advice. I've always found keep-state and check-state
easier to manage than established and setup... in particular, keep-state
and check-state apply to all protocols. My ruleset allows anything to go
out and come back, but nothing comes in except ssh, smtp, and sendmail
(try to ping chmod.ath.cx if you don't believe me).

Also, if you are going to set up all tcp connections and allow the other
protocols, it would be easier to drop the last three rules you've added
and replace them with:

allow ip from any to any

Now for my rules:

00100 deny ip from 192.168.1.0/24 to any in recv ed0
00200 deny ip from 24.217.0.0/16 to any in recv dc0
00300 deny ip from any to 10.0.0.0/8 via ed0
00400 deny ip from any to 172.16.0.0/12 via ed0
00500 deny ip from any to 192.168.0.0/16 via ed0
00600 deny ip from any to 0.0.0.0/8 via ed0
00700 deny ip from any to 169.254.0.0/16 via ed0
00800 deny ip from any to 192.0.2.0/24 via ed0
00900 deny ip from any to 224.0.0.0/4 via ed0
01000 deny ip from any to 240.0.0.0/4 via ed0
01100 divert 8668 ip from any to any via ed0
01200 deny ip from any to 10.0.0.0/8 via ed0
01300 deny ip from any to 172.16.0.0/12 via ed0
01400 deny ip from any to 0.0.0.0/8 via ed0
01500 deny ip from any to 169.254.0.0/16 via ed0
01600 deny ip from any to 192.0.2.0/24 via ed0
01700 deny ip from any to 224.0.0.0/4 via ed0
01800 deny ip from any to 240.0.0.0/4 via ed0
01900 check-state
02000 allow ip from any to any frag
02100 allow tcp from any to 24.217.0.0/16 80 keep-state
02200 allow tcp from any to 24.217.0.0/16 22 keep-state
02300 allow tcp from any to 24.217.0.0/16 25 keep-state
02400 allow tcp from any to 192.168.1.5 80 keep-state
02500 allow tcp from any to 192.168.1.5 22 keep-state
02600 allow tcp from any to 192.168.1.5 25 keep-state
02700 unreach host tcp from any to any 113 keep-state in recv ed0
02800 deny ip from any to any in recv ed0
02900 allow ip from any to any keep-state
65535 deny ip from any to any

On Thu, Mar 08, 2001 at 12:07:00PM -0300, Pablo Bendersky wrote:
 
> Now, I wanted to make use of an external IP address I have, so I added
> it as an alias to xl1. It works ok, and I can ping it from everywhere.
> I then tried to make nat forward telnet service (which, by the way, is not
> running on this machine) to one of our local machines.
> For that, I tried with:
> /sbin/natd -redirect_port tcp 192.168.0.4:23 <alias_ip>:23 -n xl1
> 
> After that, I was still able to ping the alias IP, and everything, but not
> able to telnet the localhost (which I can telnet from any computer on the
> local network).
-- 
Andrew Hesford
ajh3@chmod.ath.cx
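The natd invocation and ruleset from the reply above, rebuilt as an rc.firewall-style shell script. This is an added example, not Andrew's or Pablo's own script. The interface names (ed0/dc0), the 24.217.0.0/16 provider prefix and the 192.168.1.5 server are the values quoted in the reply and are assumptions to change for your own site; the helper names (bogons, build_ruleset, rule_count) are mine. By default the script only prints the ipfw and natd commands it would issue, so you can diff the result against `ipfw list` before touching a live box; set FWCMD=/sbin/ipfw and NATD=/sbin/natd in the environment to apply it.

```shell
#!/bin/sh
# Added example (not from the original thread): stateful ipfw + natd
# gateway with ports 22/25/80 redirected to an internal host.
# Dry run by default: FWCMD=/sbin/ipfw NATD=/sbin/natd ./fw.sh applies it.

EXT_IF="${EXT_IF:-ed0}"                    # external interface (assumed, from the reply)
INT_IF="${INT_IF:-dc0}"                    # internal interface (assumed)
PUBLIC_NET="${PUBLIC_NET:-24.217.0.0/16}"  # provider prefix the public IP lives in (assumed)
INT_NET="${INT_NET:-192.168.1.0/24}"       # internal LAN
SERVER="${SERVER:-192.168.1.5}"            # internal host that receives 22, 25 and 80 (assumed)
FWCMD="${FWCMD:-echo /sbin/ipfw}"
NATD="${NATD:-echo /sbin/natd}"

# Destinations that must never be seen on the public wire: RFC 1918 space
# (192.168/16 handled separately below), 0/8, link-local 169.254/16,
# TEST-NET, multicast and class E.
bogons() {
    printf '%s\n' 10.0.0.0/8 172.16.0.0/12 0.0.0.0/8 169.254.0.0/16 \
        192.0.2.0/24 224.0.0.0/4 240.0.0.0/4
}

# natd: alias on the external interface, three inbound port redirects.
start_natd() {
    $NATD -interface "$EXT_IF" \
        -redirect_port tcp "$SERVER:22" 22 \
        -redirect_port tcp "$SERVER:25" 25 \
        -redirect_port tcp "$SERVER:80" 80
}

build_ruleset() {
    $FWCMD -f flush
    # Anti-spoofing: private source on the outside, public source on the inside.
    $FWCMD add deny ip from "$INT_NET" to any in recv "$EXT_IF"
    $FWCMD add deny ip from "$PUBLIC_NET" to any in recv "$INT_IF"
    # Pre-NAT: bogus destinations on the external interface, 192.168/16 included.
    for net in $(bogons) 192.168.0.0/16; do
        $FWCMD add deny ip from any to "$net" via "$EXT_IF"
    done
    # Hand everything on the external interface to natd (8668 is natd's default divert port).
    $FWCMD add divert 8668 ip from any to any via "$EXT_IF"
    # Post-NAT: repeat the check. 192.168/16 is deliberately left out here because
    # natd has just rewritten redirected packets to $SERVER.
    for net in $(bogons); do
        $FWCMD add deny ip from any to "$net" via "$EXT_IF"
    done
    $FWCMD add check-state
    $FWCMD add allow ip from any to any frag
    # Inbound services, matched both on the public address (pre-NAT view) and on
    # the internal server (post-NAT view); keep-state covers the reply traffic.
    for port in 80 22 25; do
        $FWCMD add allow tcp from any to "$PUBLIC_NET" "$port" keep-state
        $FWCMD add allow tcp from any to "$SERVER" "$port" keep-state
    done
    # Refuse ident probes immediately rather than letting remote MTAs time out.
    $FWCMD add unreach host tcp from any to any 113 in recv "$EXT_IF"
    # Nothing else comes in from outside; anything from inside may go out and be answered.
    $FWCMD add deny ip from any to any in recv "$EXT_IF"
    $FWCMD add allow ip from any to any keep-state
}

# Number of "ipfw add" commands the ruleset issues (handy for a quick sanity check).
rule_count() { build_ruleset | grep -c 'add '; }

start_natd
build_ruleset
```

The kernel has to be built with `options IPFIREWALL` and `options IPDIVERT` for the divert rule to do anything, and `gateway_enable="YES"` (net.inet.ip.forwarding=1) is still needed for the box to forward at all; a divert rule on a kernel without IPDIVERT silently passes nothing to natd, which is the first thing to verify when NAT "works for ping but not for the redirected port".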
