From: "+ +"
To: freebsd-questions@freebsd.org
Cc: cjc@cc942873-a.ewndsr1.nj.home.com
Date: Tue, 05 Oct 1999 19:42:42 -0700
Subject: Re: port forwarding, again

I said:

> All I need to do is forward TCP packets that arrive at
> my firewall (running FreeBSD 2.2.7) on a certain port
> (let's say 4000) to the same port on a machine on my
> local network. It seems that I should be able to do
> this by adding a single ipfw rule to my rc.firewall.

Crist said:

> Not in 2.2.x you can't (if my 2.2.8-STABLE system
> docs are correct). However, is there a reason you
> can't poke a hole in the firewall at 4000 to let
> packets pass?

It's a masqueraded network, so the internal addresses (10.x.x.x) are not
accessible to the outside world, firewall or not.

Crist also said:

> People do ask this a lot. The proper tool for doing
> this is natd(8). Think about it, network address
> translation is really what you are trying to do here.
> You want a machine behind the firewall/natd
> box to have its address translated. You would use a
> "divert" rule in ipfw(8) to pass traffic of interest
> to natd(8) which can then

Ah-HA! That is indeed a very good pointer.

From the natd man page:

     -redirect_port linkspec
             Redirect incoming connections arriving to given port to another
             host and port. Linkspec is of the form

                   proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]

             where proto is either tcp or udp, targetIP is the desired target
             IP number, targetPORT is the desired target PORT number,
             aliasPORT is the requested PORT number and aliasIP is the
             aliasing address. RemoteIP and remotePORT can be used to specify
             the connection more accurately if necessary. For example, the
             argument

                   tcp inside1:telnet 6666

             means that tcp packets destined for port 6666 on this machine
             will be sent to the telnet port on the inside1 machine.

Sounds like just what I wanted. However, executing:

    killall natd
    natd -u -m -n fxp0 -redirect_port tcp 10.0.0.6:4000 4000

did not seem to have the desired effect. (No errors were reported, it just
doesn't seem to be doing the port forward.)

Any more thoughts?
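As an added example that is not part of this thread: a small parser for the natd(8) linkspec format quoted above, plus a helper that prints the ipfw(8) rules a -redirect_port needs alongside it, since natd only ever sees packets that a divert rule hands to it and the translated packet still has to be allowed in. The ipfw rule wording and the fallback service table are assumptions of this example, not taken from the post.

```python
import socket
from dataclasses import dataclass
from typing import List, Optional

# Constructed fallback for hosts without /etc/services (assumption, not from the page).
_FALLBACK_SERVICES = {"telnet": 23, "ssh": 22, "http": 80}


def port_number(name: str) -> int:
    """Resolve a numeric port or a service name, as natd(8) accepts both forms."""
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name)
    except OSError:
        return _FALLBACK_SERVICES[name]  # KeyError on an unknown name: fail loudly


@dataclass
class RedirectPort:
    proto: str
    target_ip: str
    target_port: int
    alias_port: int
    alias_ip: Optional[str] = None
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None


def parse_linkspec(spec: str) -> RedirectPort:
    """Parse 'proto targetIP:targetPORT [aliasIP:]aliasPORT [remoteIP[:remotePORT]]'."""
    parts = spec.split()
    if len(parts) not in (3, 4):
        raise ValueError(f"linkspec needs 3 or 4 fields, got {len(parts)}: {spec!r}")
    proto, target, alias = parts[0].lower(), parts[1], parts[2]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"proto must be tcp or udp, not {proto!r}")
    if ":" not in target:
        raise ValueError("targetIP:targetPORT is required")
    target_ip, target_port = target.rsplit(":", 1)
    alias_ip, _, alias_port = alias.rpartition(":")  # aliasIP part is optional
    r = RedirectPort(proto, target_ip, port_number(target_port),
                     port_number(alias_port), alias_ip or None)
    if len(parts) == 4:  # optional remoteIP[:remotePORT] narrows who may connect
        remote_ip, _, remote_port = parts[3].partition(":")
        r.remote_ip = remote_ip
        r.remote_port = port_number(remote_port) if remote_port else None
    return r


def ipfw_rules(r: RedirectPort, iface: str) -> List[str]:
    """Assumed ipfw(8) rules to pair with the redirect: the divert to natd on the outside
    interface (ahead of any pass/deny rules) and a pass for the already-translated packet."""
    src = r.remote_ip or "any"
    return [f"ipfw add divert natd all from any to any via {iface}",
            f"ipfw add allow {r.proto} from {src} to {r.target_ip} {r.target_port} in via {iface}"]
```

Restricting the redirect with remoteIP (or an explicit source in the pass rule) keeps an internal 10.x.x.x host from being reachable by the whole Internet through the forwarded port.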