From owner-freebsd-security Tue May 14 9:44:34 2002
From: "Miroslav Pendev"
To: "Michael Sierchio"
Subject: Re: ipfw + nat + port_redirect - works, but not for the internal net
Date: Tue, 14 May 2002 11:16:31 -0400
Message-ID: <037d01c1fb66$e405dcf0$c801a8c0@vsivyoung>
References: <030301c1fb56$ef9fefc0$c801a8c0@vsivyoung> <3CE12690.1060102@tenebras.com>

> Miroslav Pendev wrote:
>
> > I have FreeBSD 4.5 RELEASE as Firewall with two NICs:
>
> > For simplicity let's assume that the firewall type is *open*.
>
> I find it simpler not to make assumptions -- perhaps you'd like
> to explicitly state: the fw rule set, your natd settings,
> what port a process is listening on at the target machine,
> and whether the target machine has a default route that goes
> through your nat box.
OK, the firewall type IS *open*.

In rc.conf I have this:
=======================
#ftp server
natd_flags="-redirect_port tcp 192.168.1.100:21 21"
#apache server
natd_flags="-redirect_port tcp 192.168.1.100:80 9090"

192.168.1.21 - default gateway (FreeBSD Firewall NAT - internal interface xl1)

In the internal network:
========================
192.168.1.100:21 - ftp server
192.168.1.100:80 - apache web server
192.168.1.90 - host in the internal network trying to reach the external interface of the firewall on port 9090 or 21 (192.168.1.21 - default gateway)

--Miro
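The rc.conf fragment above assigns natd_flags twice, and rc.conf is read as sh variable assignments, so the last line wins and natd is started with only the 9090 redirect. The check below is an added example, not part of the thread: it evaluates a file the way rc(8) does, reports variables assigned more than once, and shows the single merged assignment; the file contents are constructed from the posted fragment.

```shell
#!/bin/sh
# Added example: detect a duplicated natd_flags assignment in rc.conf and
# show the merged form. rc.conf is sourced as sh, so a later assignment
# silently replaces an earlier one. File contents below are constructed.

# The fragment as posted: second natd_flags= replaces the first.
RC_AS_POSTED='#ftp server
natd_flags="-redirect_port tcp 192.168.1.100:21 21"
#apache server
natd_flags="-redirect_port tcp 192.168.1.100:80 9090"'

# Corrected: one assignment carrying both -redirect_port options.
RC_FIXED='natd_flags="-redirect_port tcp 192.168.1.100:21 21 -redirect_port tcp 192.168.1.100:80 9090"'

# effective_natd_flags FILE: source FILE in a subshell, as rc(8) would,
# and print the value natd actually receives.
effective_natd_flags() {
    ( natd_flags=""; . "$1"; printf '%s\n' "$natd_flags" )
}

# count_redirects FILE: number of -redirect_port options in the effective flags.
count_redirects() {
    effective_natd_flags "$1" | tr ' ' '\n' | grep -c '^-redirect_port$'
}

# duplicate_assignments FILE: variables assigned more than once; every
# duplicate means an earlier line is dead configuration.
duplicate_assignments() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort | uniq -d
}

demo() {
    tmp=$(mktemp) || exit 1
    printf '%s\n' "$RC_AS_POSTED" > "$tmp"
    echo "as posted: $(effective_natd_flags "$tmp") (redirects: $(count_redirects "$tmp"))"
    echo "duplicated variables: $(duplicate_assignments "$tmp")"
    printf '%s\n' "$RC_FIXED" > "$tmp"
    echo "fixed: $(effective_natd_flags "$tmp") (redirects: $(count_redirects "$tmp"))"
    rm -f "$tmp"
}
```

Run `demo` to see the posted file yield one redirect and the merged file yield two; `duplicate_assignments /etc/rc.conf` works as a general lint for any variable set twice.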