From: usleepless@gmail.com
To: Richard Yang
Cc: questions@freebsd.org
Date: Sun, 28 Dec 2008 16:39:22 +0100
Subject: Re: nat and ipfw, port forwarding
List: freebsd-questions@freebsd.org
Hi Richard,

On Sun, Dec 28, 2008 at 2:30 AM, Richard Yang wrote:
> thank you, usleep (nice name). I somehow made it work by
> 1. adding "redirect_port udp 10.0.0.200:50000 50000" in natd.conf
> 2. allowing all traffic and diversion in ipfw.rules
>
> I tried to limit the traffic by modifying the rules in ipfw.rules,
> but unsuccessfully, so I just leave it be at this moment.
> I am very confused by the roles of natd and ipfw, and how they should work
> together.

As far as I understand it ( anyone please correct me if I am wrong ):

There are two types of NAT in FreeBSD to choose from:

1. natd, which is a userspace daemon. You need to include a divert rule in
   your ipfw config which looks like this:

   # ipfw add 100 divert natd all from any to any via $oif

   ( $oif stands for outside interface )

   After your packet has been diverted to natd, the NATed packet is inserted
   once again into the firewall to be checked again. Port redirection etc. is
   configured in natd.conf.

2. Kernel NAT, which is part of IPFW. This is what I was referring to in my
   last message. You set it up through rc.conf ( see man page ). There is no
   need for a divert rule. Port redirection etc. is configured with ipnat
   ( store your config in /etc/ipnat.conf ).

And please, do not top-post.

regards,

usleep

> rich
>
> On Sat, Dec 27, 2008 at 8:40 AM, usleepless@gmail.com wrote:
>> Hi Richard,
>>
>> On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang wrote:
>>> hi,
>>> I have an ssh machine behind a FreeBSD firewall with nat and ipfw.
>>> How do I make port forwarding so the internet can access the ssh machine?
>>> thanx
>>
>> I think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). This
>> is an example definition:
>>
>> rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22
>>
>> ( this redirects incoming traffic on outside interface em1 port 2223 to an
>> internal machine on port 22 )
>>
>> Also, include "firewall_nat_enable" in your rc.conf ( read 'man rc.conf' ).
>>
>> To configure the settings from ipnat.conf, run "ipnat -C -f /etc/ipnat.conf"
>>
>> regards,
>>
>> usleep
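Richard mentions he could only get the natd setup working by allowing all traffic and could not narrow it down. The ruleset below is an added example, not code from the thread: a minimal stateless ipfw ruleset for the natd/divert approach that admits only the forwarded UDP port from outside. Assumed names: outside interface em0, inside interface em1, LAN 10.0.0.0/24; the forward itself (udp 50000 to 10.0.0.200) is the one from Richard's natd.conf line.

```shell
#!/bin/sh
# Added example for the natd/divert setup discussed in the thread.
# Assumptions (not from the thread): em0 outside, em1 inside, LAN 10.0.0.0/24.
fwcmd=${fwcmd:-/sbin/ipfw}   # set fwcmd=echo to preview the rules without loading them
oif=em0
iif=em1
lan=10.0.0.0/24
fwd_host=10.0.0.200          # from Richard's redirect_port line
fwd_port=50000

load_rules() {
    $fwcmd -f flush
    $fwcmd add 100 allow ip from any to any via lo0
    # Drop packets arriving on the outside interface that claim a LAN source.
    $fwcmd add 200 deny ip from $lan to any in via $oif
    # Hand every packet crossing the outside interface to natd first; the
    # translated packet re-enters the ruleset at the next rule, so the
    # inbound rules below already see the internal destination address.
    $fwcmd add 300 divert natd ip from any to any via $oif
    # Everything leaving through the outside interface (already NATed).
    $fwcmd add 400 allow ip from any to any out via $oif
    # Replies to TCP connections opened from inside.
    $fwcmd add 500 allow tcp from any to any in via $oif established
    # Replies to DNS lookups from inside (stateless ruleset, so listed explicitly).
    $fwcmd add 600 allow udp from any 53 to $lan in via $oif
    # The port forward: only the redirected port reaches the internal host.
    $fwcmd add 700 allow udp from any to $fwd_host $fwd_port in via $oif
    # Unrestricted traffic on the inside interface.
    $fwcmd add 800 allow ip from any to any via $iif
    # Whatever is left is dropped and logged.
    $fwcmd add 65000 deny log ip from any to any
}

# Load the rules when ipfw is present; on a host without it nothing is run.
command -v "$fwcmd" >/dev/null 2>&1 && load_rules
```

Because inbound packets are diverted before the allow rules, rule 700 must name the internal address, not the firewall's public one.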