Date: Wed, 17 Feb 1999 22:38:59 -0600
From: Benjamin Gavin <gavinb@supranet.net>
To: freebsd-hackers@freebsd.org
Subject: Problems with ipfw/nat
Message-ID: <4.1.19990217222002.03d38bc0@mail.supranet.net>
Hi all,

I have posted a similar question to -stable, but got a non-existent response. I'll post it here, as it relates closer to this list (I believe).

The problem I have been having is with a 3.0-STABLE (~2/8/99 CVSup). I have the machine running IPFW with NAT enabled. The outgoing NAT is working fine, and traffic to the internal LAN (from the outside) is being blocked nicely. However, I now face the following problem. I need to open a port (80) to the outside world on an internal machine. I have done the same thing with port 110 (POP3), and all went just great. I have included what I believe to be the relevant configuration files below: (I am doing this from home, so the syntax may be slightly off, but I think not.)

_rc.conf.site_:

    gateway_enable="YES"
    firewall_enable="YES"
    firewall_type="/etc/rc.firewall.local"   # Contains my local firewall rules
    firewall_quiet="NO"
    natd_enable="YES"
    natd_interface="fxp0"                    # My external ethernet card
    natd_flags="-f /etc/rc.natd"
    ifconfig_fxp0="inet xxx.xxx.xxx.66 netmask 255.255.255.192"
    ifconfig_fxp0_alias0="inet xxx.xxx.xxx.67 netmask 255.255.255.255"
    ifconfig_fxp1="inet 192.168.44.1 netmask 255.255.255.0"

_rc.firewall.local_:

    ...   # Other rules
    # added to trace all ip traffic to and from 192.168.44.17 through me
    allow log ip from any to 192.168.44.17 via fxp1
    allow log ip from 192.168.44.17 to any via fxp1
    # needed or packets get blocked in the middle
    allow log tcp from any to 192.168.44.17 80 via fxp0
    ...   # Other rules

_rc.natd_:

    use_sockets yes
    same_ports yes
    dynamic yes
    # Redirect requests for port 80 on xxx.xxx.xxx.67 to 192.168.44.17:80
    # (redirect_port takes the protocol as its first argument)
    redirect_port tcp 192.168.44.17:80 xxx.xxx.xxx.67:80

Here is the problem. Watching the logs (/var/log/messages) I see the port getting redirected and what looks like the packet leaving the interface to go to 192.168.44.17. However, I don't ever see that packet hit the web server. Is there something I am doing wrong?

From the firewall I can get to the internal web server by using 192.168.44.17, but I can't get to it from outside. I don't see any response from the web server coming back into the firewall on either type of request (from the firewall itself, or from outside.) Any ideas?? Please, I am at a loss, this worked perfectly for POP3, but not for http? Or is it possibly something gone awry in the -STABLE version I am running? I was running an earlier version of -STABLE on the box with POP3 working.

TIA, and sorry for the rather long message.

Ben Gavin

---------------------------------
Benjamin Gavin
http://www.virtual-olympus.com/
*** Down with SPAM! ***

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
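The following is an added example, not part of the post above or of FreeBSD's own code. It models the path an inbound connection takes through the setup the post describes: natd's redirect_port rewrites the destination, the rewritten packet re-enters ipfw after the divert rule still "via" the external interface, and it is then checked again as it leaves on the internal interface. The model supports only the small rule subset the post uses, and 203.0.113.67 is a placeholder for the masked xxx.xxx.xxx.67. It shows which rule each stage of the packet hits, which is the check a practitioner wants before trusting the logs.

```python
"""Model of natd redirect_port plus first-match ipfw rules (added example).

Assumptions: ipfw subset 'allow|deny [log] <proto> from <src> to <dst> [<port>] via <iface>'
and natd subset 'redirect_port <proto> target:port alias:port'. 203.0.113.67 stands in
for the masked external alias address in the post (placeholder).
"""
import re
from dataclasses import dataclass, replace

# Constructed from the post; external alias address is a placeholder.
NATD_CONF = """
use_sockets yes
same_ports yes
dynamic yes
# Redirect requests for port 80 on the alias address to 192.168.44.17:80
redirect_port tcp 192.168.44.17:80 203.0.113.67:80
"""

IPFW_RULES = """
allow log ip from any to 192.168.44.17 via fxp1
allow log ip from 192.168.44.17 to any via fxp1
allow log tcp from any to 192.168.44.17 80 via fxp0
"""


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    iface: str   # interface the packet is seen on (ipfw 'via')


def parse_redirects(conf):
    """Map (alias_ip, alias_port) -> (proto, target_ip, target_port)."""
    pat = re.compile(r"redirect_port\s+(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)")
    table = {}
    for line in conf.splitlines():
        m = pat.match(line.split("#", 1)[0].strip())
        if m:
            proto, tip, tport, aip, aport = m.groups()
            table[(aip, int(aport))] = (proto, tip, int(tport))
    return table


def translate(pkt, redirects):
    """Rewrite the destination as redirect_port does for an inbound packet."""
    hit = redirects.get((pkt.dst, pkt.dport))
    if hit and hit[0] == pkt.proto:
        return replace(pkt, dst=hit[1], dport=hit[2])
    return pkt


def parse_rules(text):
    """Parse the supported ipfw rule subset into tuples, in file order."""
    pat = re.compile(r"(allow|deny)\s+(?:log\s+)?(\w+)\s+from\s+(\S+)\s+to\s+(\S+)"
                     r"(?:\s+(\d+))?\s+via\s+(\S+)")
    rules = []
    for line in text.splitlines():
        m = pat.match(line.strip())
        if m:
            action, proto, src, dst, port, iface = m.groups()
            rules.append((action, proto, src, dst, int(port) if port else None, iface))
    return rules


def first_match(pkt, rules):
    """Return the first rule matching pkt, or None (ipfw is first-match)."""
    for rule in rules:
        action, proto, src, dst, port, iface = rule
        if proto not in ("ip", pkt.proto):
            continue
        if src != "any" and src != pkt.src:
            continue
        if dst != "any" and dst != pkt.dst:
            continue
        if port is not None and port != pkt.dport:
            continue
        if iface != pkt.iface:
            continue
        return rule
    return None


def trace_inbound(pkt, natd_conf, ipfw_rules):
    """Follow an inbound packet: NAT rewrite, re-check on fxp0, then the hop out fxp1."""
    after_nat = translate(pkt, parse_redirects(natd_conf))
    rules = parse_rules(ipfw_rules)
    on_ext = first_match(after_nat, rules)                          # still 'via fxp0' after divert
    on_int = first_match(replace(after_nat, iface="fxp1"), rules)   # routed out the internal side
    return after_nat, on_ext, on_int


if __name__ == "__main__":
    web = Packet("tcp", "198.51.100.5", "203.0.113.67", 80, "fxp0")   # constructed client
    for stage in trace_inbound(web, NATD_CONF, IPFW_RULES):
        print(stage)
```

With the post's three rules, the translated packet is matched by the `via fxp0` rule and then by the first `via fxp1` rule; a packet to any other alias port is neither translated nor matched, which is the fall-through the post relies on to keep the LAN closed.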