From owner-freebsd-newbies@FreeBSD.ORG Thu Mar 4 16:19:46 2004
From: John Murphy
Reply-To: jfm@blueyonder.co.uk
To: newbies@freebsd.org
Cc: d3javu1978@yahoo.com
Date: Fri, 05 Mar 2004 00:19:43 +0000
Subject: Re: IPFilter and IPnat
Message-ID: <6lgf405em8s4bhn8afjiin1hipijaud741@4ax.com>
References: <1078351798.683.6.camel@falter> <20040304012257.67135.qmail@web42004.mail.yahoo.com>
In-Reply-To: <20040304012257.67135.qmail@web42004.mail.yahoo.com>

Me wrote:

>Hello everyone,
>I'm trying to use ipnat to redirect incoming http
>connections to my server running apache.
>
>I can connect to it internally http://192.168.1.1
>this is my setup.
>
>xl0 = NIC connected to ISP
>vr0 = 192.168.1.2 (my gateway)
>
>my ipnat.conf file looks like this:
>
>map xl0 0/32 -> 192.168.1.0/24
>rdr xl0 0/32 port 80 -> 192.168.1.1 port 80
>
>I have added the following rule at the beginning of my
>ipf.conf incoming connections group on xl0:
>
>pass in quick on xl0 proto tcp from any to 192.168.1.1
>port = 80 flags S keep state

I'm no expert (you should ask the questions@freebsd.org list) but I
think you'll find the ipnat rules are actioned after the ipf rules, so
the filter should not see anything trying to connect to an RFC1918
address. It should certainly block anything trying to connect to such
IPs. So try it (preferably) with:

pass in quick on xl0 proto tcp from any to [your external IP] port = 80

Or:

pass in quick on xl0 proto tcp from any to any port = 80

(I don't think you need the keep state for incoming.)

-- 
HTH, John.
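An added check, written for this page and not part of the thread, that evaluates the poster's ipf rule and the two suggested alternatives against the poster's ipnat.conf using the inbound order IPFilter documents (rdr translation runs before the filter rules on the way in, so the filter sees the post-translation destination). It assumes 203.0.113.5 as a placeholder for "[your external IP]" and treats 0/32 in the rdr rule as the interface's own address.

```python
import re

# Constructed sample input, copied from the thread: the poster's ipnat.conf.
IPNAT_CONF = """\
map xl0 0/32 -> 192.168.1.0/24
rdr xl0 0/32 port 80 -> 192.168.1.1 port 80
"""

# The poster's ipf rule plus the two alternatives from the reply; 203.0.113.5 is a placeholder.
EXTERNAL_IP = "203.0.113.5"
IPF_RULES = {
    "internal": "pass in quick on xl0 proto tcp from any to 192.168.1.1 port = 80 flags S keep state",
    "external": f"pass in quick on xl0 proto tcp from any to {EXTERNAL_IP} port = 80",
    "any": "pass in quick on xl0 proto tcp from any to any port = 80",
}

RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)")
PASS_RE = re.compile(r"^pass in(?: quick)? on (\S+) proto (\S+) from (\S+) to (\S+)(?: port = (\d+))?")


def parse_rdr(text):
    """Return (iface, dst, dst_port, new_dst, new_port) for every rdr line in an ipnat.conf."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            rules.append((m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return rules


def translate_inbound(rdr_rules, iface, dst, dport):
    """Apply the first matching rdr to an inbound packet (0/32 taken as the interface address)."""
    for r_iface, r_dst, r_port, new_dst, new_port in rdr_rules:
        if r_iface == iface and r_port == dport and r_dst in ("0/32", dst):
            return new_dst, new_port
    return dst, dport


def filter_passes(rule, iface, proto, dst, dport):
    """True if an ipf 'pass in' rule matches the (already translated) packet."""
    m = PASS_RE.match(rule)
    if not m:
        return False
    r_iface, r_proto, _src, r_dst, r_port = m.groups()
    return (r_iface == iface and r_proto == proto and r_dst in ("any", dst)
            and (r_port is None or int(r_port) == dport))


def check_rule(name):
    """Simulate an inbound SYN to EXTERNAL_IP:80 on xl0: rdr first, then the filter rule."""
    dst, dport = translate_inbound(parse_rdr(IPNAT_CONF), "xl0", EXTERNAL_IP, 80)
    return filter_passes(IPF_RULES[name], "xl0", "tcp", dst, dport)
```

Under this order the rule naming the internal address and the "to any" rule both pass the redirected SYN, while the rule naming only the external address does not, since the filter never sees that address after translation.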