Date: Fri, 05 Mar 2004 00:19:43 +0000 From: John Murphy <jfm@blueyonder.co.uk> To: newbies@freebsd.org Cc: d3javu1978@yahoo.com Subject: Re: IPFilter and IPnat Message-ID: <6lgf405em8s4bhn8afjiin1hipijaud741@4ax.com> In-Reply-To: <20040304012257.67135.qmail@web42004.mail.yahoo.com> References: <1078351798.683.6.camel@falter> <20040304012257.67135.qmail@web42004.mail.yahoo.com>
Me <d3javu1978@yahoo.com> wrote:
>Hello everyone,
>I'm trying to use ipnat to redirect incoming http
>connections to my server running apache.
>
>I can connect to it internally http://192.168.1.1
>this is my setup.
>
>xl0 = NIC connected to ISP
>vr0 = 192.168.1.2 (my gateway)
>
>my ipnat.conf file looks like this:
>
>map xl0 0/32 -> 192.168.1.0/24
>rdr xl0 0/32 port 80 -> 192.168.1.1 port 80
>
>I have added the following rule at the beginning of my
>ipf.conf incoming connections group on xl0:
>
>pass in quick on xl0 proto tcp from any to 192.168.1.1
>port = 80 flags S keep state

I'm no expert (you should ask the questions@freebsd.org list) but I
think you'll find the ipnat rules are actioned after the ipf rules so
the filter should not see anything trying to connect to an RFC1918
address. It should certainly block anything trying to connect to such
IPs. So try it (preferably) with:

pass in quick on xl0 proto tcp from any to [your external IP] port = 80

Or:

pass in quick on xl0 proto tcp from any to any port = 80

(I don't think you need the keep state for incoming.)

-- 
HTH, John.
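The following is an added example ruleset for the setup discussed in the thread; it is not from either poster. It assumes the same interface names and addresses (xl0 facing the ISP, web server at 192.168.1.1 on the 192.168.1.0/24 LAN). Two points a practitioner would check: the `map` rule takes the internal network on the left and the external address on the right per ipnat(5), the reverse of the order quoted above; and a logged `block` rule at the end of the inbound set lets ipmon(8) show the destination address the filter is actually matching on, which settles the question of whether the inbound `pass` rule must name the internal or the external address (IPFilter translates inbound packets with `rdr` before the filter rules see them, so the internal address is used here).

```conf
# --- /etc/ipnat.conf (added example) ---
# map: internal network -> external interface address (0/32 = the address
# of xl0 itself). Left/right order follows ipnat(5).
map xl0 192.168.1.0/24 -> 0/32
# rdr: inbound TCP/80 arriving on xl0 is rewritten to the internal web server
# before the filter rules run.
rdr xl0 0/32 port 80 -> 192.168.1.1 port 80

# --- /etc/ipf.conf (added example) ---
# Inbound on the external interface: allow only new TCP connections to the
# web server (destination as seen after rdr). keep state lets the replies
# leave without a separate outbound rule.
pass in quick on xl0 proto tcp from any to 192.168.1.1 port = 80 flags S keep state
# Everything else inbound is dropped and logged; "ipmon -a" then prints the
# source, destination and port of each dropped packet, which is the fastest
# way to see which address the filter matched against.
block in log quick on xl0 all

# Outbound from the LAN: allow new TCP connections out and keep state so the
# replies come back in.
pass out quick on xl0 proto tcp from 192.168.1.0/24 to any flags S keep state
pass out quick on xl0 proto udp from 192.168.1.0/24 to any keep state
pass out quick on xl0 proto icmp from 192.168.1.0/24 to any keep state
```

Load with `ipnat -CF -f /etc/ipnat.conf` and `ipf -Fa -f /etc/ipf.conf`, then watch `ipmon -a` while connecting to the external address on port 80. `ipfstat -hio` shows per-rule hit counts, so a pass rule that never increments while the logged block rule does tells you the address in the pass rule is wrong for the point at which the filter evaluates the packet.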