Date: Fri, 21 Sep 2001 21:54:53 -0700
From: "Crist J. Clark" <cristjc@earthlink.net>
To: SNF <snf_lists@yahoo.com>
Cc: Freebsd-Questions <freebsd-questions@FreeBSD.ORG>
Subject: Re: IPFW/NATD - forward all port 25, 110, 143 connections to an internal 10 series server
Message-ID: <20010921215453.H980@blossom.cjclark.org>
In-Reply-To: <LOBBKFILCMGGNDCBBCELCENOECAA.snf_lists@yahoo.com>; from snf_lists@yahoo.com on Fri, Sep 21, 2001 at 09:18:30PM -0500
References: <20010921160051.E980@blossom.cjclark.org> <LOBBKFILCMGGNDCBBCELCENOECAA.snf_lists@yahoo.com>

On Fri, Sep 21, 2001 at 09:18:30PM -0500, SNF wrote:
> <snip>
> > > set up in a rule.) Or, is this something that would be more appropriately
> > > done using a different type of rule? I will eventually want to do the same
> > > thing with a web server or two...
> >
> > The 'fwd' rules do not work how you expect. ipfw(8) does not change
> > the contents of the packet. You want to do natd(8) 'redirect_port'
> > within natd(8).
> > --
> > Crist J. Clark                           cjclark@alum.mit.edu
> <end>
>
> I guess I am still not clear on how I am to implement this. I have a
> firewall set up on the server, but at the same time I am allowing divert(8)
> to divert all connections from inside the network through the single outside
> interface using the following instruction in my ipfw commands:
>
> ${fwcmd} add divert natd all from any to any via ${natd_interface}

Right, this is how you get packets to natd(8) for NAT processing.

> I then have a script for natd (called natd.conf which is called in rc.conf
> through the following line:
>
> natd_flags="-f /etc/natd.conf" # Additional flags for natd)
>
> That script contains the following:
>
> # natd.conf
> use_sockets yes
> same_ports yes
>
> and that is it. If I understand you correctly, everything is already set up
> correctly and I simply need to add more to the natd.conf file - like:
>
> redirect_port tcp 10.10.20.40:pop3 pop3
> redirect_port tcp 10.10.20.40:imap imap
> redirect_port tcp 10.10.20.40:smtp smtp

Looks pretty good. If 10.10.20.40 is providing all services, you could
do a single,

  redirect_address 10.10.20.40 0.0.0.0

> Would this then handle the response that 10.10.20.40 gives to the client?
> Or, does natd "know" to send the response to the client making the request?

That's what natd(8) does.

> And, if I am understanding correctly, this would only affect incoming
> connections to 24.159.225.186 pop3/smtp/imap?

For the configuration you gave, if 24.159.225.186 is the address on
${natd_interface}, yes.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
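
Added example, not part of the original message and not code from natd(8): a small Python audit that parses a natd.conf and lists what each redirect_port and redirect_address line forwards, so the three per-port redirects can be compared with the single redirect_address form, which forwards all incoming traffic rather than three ports. The sample file is constructed from the lines quoted in the thread; the service-name map, function names and record fields are assumptions of the example, and ipfw rules still decide which of these packets are allowed through.

```python
# Constructed sample: the natd.conf lines quoted in the thread, plus the
# redirect_address alternative suggested in the reply.
SAMPLE_CONF = """\
# natd.conf
use_sockets yes
same_ports yes
redirect_port tcp 10.10.20.40:pop3 pop3
redirect_port tcp 10.10.20.40:imap imap
redirect_port tcp 10.10.20.40:smtp smtp
redirect_address 10.10.20.40 0.0.0.0
"""

# Assumption: only the service names used in the thread are mapped here
# (ports 25, 110, 143 from the subject line); other names raise ValueError.
SERVICES = {"smtp": 25, "pop3": 110, "imap": 143}

def _ports(spec):
    """Turn 'pop3', '110' or '2000-2010' into an inclusive (low, high) tuple."""
    low, _, high = spec.partition("-")
    resolve = lambda p: SERVICES[p] if p in SERVICES else int(p)
    return resolve(low), resolve(high or low)

def audit(conf_text):
    """Return one exposure record per redirect_port / redirect_address line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "redirect_port" and len(fields) >= 4:
            proto, target, alias = fields[1:4]
            host, _, tport = target.rpartition(":")
            public_ip, _, aport = alias.rpartition(":")   # aliasIP is optional
            findings.append({"line": lineno, "proto": proto, "internal": host,
                             "internal_ports": _ports(tport),
                             "public_ip": public_ip or "alias address",
                             "public_ports": _ports(aport),
                             "source_limited": len(fields) > 4})
        elif fields[0] == "redirect_address" and len(fields) >= 3:
            # Static NAT: no port filter, all traffic for the public address
            # (0.0.0.0 means all incoming traffic) goes to the internal host.
            findings.append({"line": lineno, "proto": "all", "internal": fields[1],
                             "internal_ports": (1, 65535), "public_ip": fields[2],
                             "public_ports": (1, 65535), "source_limited": False})
    return findings

if __name__ == "__main__":
    for record in audit(SAMPLE_CONF):
        print(record)
```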