From: "Crist J. Clark"
Message-Id: <199910060130.VAA13971@cc942873-a.ewndsr1.nj.home.com>
Subject: Re: port forwarding, again
In-Reply-To: from + + at "Oct 5, 1999 05:15:55 pm"
To: uvatha@my-Deja.com (+ +)
Date: Tue, 5 Oct 1999 21:30:02 -0400 (EDT)
Cc: freebsd-questions@FreeBSD.ORG
Reply-To: cjclark@home.com

+ + wrote,
> Hi all,
>
> I posted this question last week in the form of "Can
> I do port forwarding with 2.2.7?"

Yes, but not with ipfw(8) alone.

> I'm going to post
> again in the form of, "Can I do it at all?", because
> I'm against a brick wall here. (No one replied to my post;
> I'm hoping I didn't phrase the question right.)

Dunno. What often happens is no one has an exact answer, so they leave it
for someone who does. No one seemed to offer one, so I'll offer what little
info I have.

> All I need to do is forward TCP packets that arrive at
> my firewall (running FreeBSD 2.2.7) on a certain port
> (let's say 4000) to the same port on a machine on my
> local network. It seems that I should be able to do this
> by adding a single ipfw rule to my rc.firewall.

Not in 2.2.x you can't (if my 2.2.8-STABLE system docs are correct).
However, is there a reason you can't poke a hole in the firewall at 4000 to
let packets pass? That can get the same job done.
> However, the ipfw man page is cryptic and offers no
> examples for my situation. Nor do any of the archives
> for this list seem to tackle this exact problem.

People do ask this a lot. The proper tool for doing this is natd(8). Think
about it, network address translation is really what you are trying to do
here. You want a machine behind the firewall/natd box to have its address
translated. You would use a "divert" rule in ipfw(8) to pass traffic of
interest to natd(8), which can then forward the packets as you want.

> I *really* need to get this running, hopefully soon,
> and with a minimum of fuss. My order of fallbacks,
> then, will be:
>
> 1) Learn how to do it with 2.2.7 and ipfw. I was hoping
> this would be easy.

Just need to figure out the ipfw(8)-natd(8) combo to do it.

> 2) Learn that I need a newer version of FreeBSD and
> do some sort of painful upgrade. (The machine is not
> really in any shape to do a "make world",
> unfortunately, and it does not have a CD-ROM drive
> anymore.)

FreeBSD 3.x has a "fwd" action in ipfw(8). However, unless the host
receiving the packet is pretty smart, this probably will not work the way
you would want. The "fwd" rule _does not alter the packet_ it forwards; it
does not do NATd. The "fwd" mechanism is aimed more towards proxying
applications running on localhost.

> 3) Learn that I cannot do it with FreeBSD. Wipe the
> hard drive, install Linux, and do it with ipchains.
> I'd rather not do this.

If you know how to do it and are comfortable with ipchains... I may incur
the wrath of some on the list, but if it must get done, get it done however
you know how.

-- 
Crist J. Clark
cjclark@home.com
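An rc.firewall-style fragment for the ipfw(8) divert plus natd(8) combination described in the reply above, added here as an illustration and not part of the original thread. The outside interface ed0, the inside interface ed1, the inside host 192.168.1.10 and the FWCMD/NATDCMD dry-run variables are assumptions; the kernel must be built with options IPFIREWALL and IPDIVERT.

```shell
#!/bin/sh
# Redirect inbound TCP port 4000 on the outside interface to the same port
# on one inside host: natd(8) rewrites the addresses, an ipfw(8) divert
# rule hands the packets to it. Added example; names below are assumptions.
#
# fwcmd/natdcmd default to "echo" so the rules can be reviewed as a dry run;
# on the firewall set FWCMD=/sbin/ipfw and NATDCMD='' to really apply them.
fwcmd=${FWCMD-echo}
natdcmd=${NATDCMD-echo}

oif="ed0"              # outside interface (assumed)
iif="ed1"              # inside interface (assumed)
inside="192.168.1.10"  # inside host that really listens on 4000 (assumed)
port="4000"

start_natd() {
    # -n: translate only traffic crossing the outside interface.
    # -redirect_port: TCP arriving for <outside addr>:4000 is rewritten to
    # 192.168.1.10:4000, and the replies are rewritten back on the way out.
    $natdcmd /sbin/natd -n "$oif" -redirect_port tcp "$inside:$port" "$port"
}

load_rules() {
    $fwcmd -f flush
    # Every packet on the outside interface goes to natd first, so the
    # pass/deny rules below already see the translated addresses.
    $fwcmd add 100 divert natd all from any to any via "$oif"
    # The only hole from the outside: new connections to the redirected
    # service on the inside host. Nothing else on that host is reachable.
    $fwcmd add 200 allow tcp from any to "$inside" "$port" in via "$oif" setup
    $fwcmd add 210 allow tcp from any to any established
    # Inside network and loopback are trusted; inside hosts may go out.
    $fwcmd add 300 allow ip from any to any via "$iif"
    $fwcmd add 310 allow ip from any to any via lo0
    $fwcmd add 320 allow ip from any to any out via "$oif"
    # Everything else arriving from the outside is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any
}

start_natd
load_rules
```

Rule 210 is the stateless "established" shortcut of that era: it passes any TCP packet with ACK set, so it is the weakest point of this set and worth watching in the deny log.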