Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 28 Dec 2008 16:39:22 +0100
From:      usleepless@gmail.com
To:        "Richard Yang" <kusanagiyang@gmail.com>
Cc:        questions@freebsd.org
Subject:   Re: nat and ipfw, port forwarding
Message-ID:  <c39ec84c0812280739w3f639c40od7b8117e90414cf9@mail.gmail.com>
In-Reply-To: <abd417bf0812271730n47c7a495udce5b83999018ece@mail.gmail.com>
References:  <abd417bf0812261227s52c0e950o2821ade2951abc5c@mail.gmail.com> <c39ec84c0812270840r2d66c423p7c9929e2705322e8@mail.gmail.com> <abd417bf0812271730n47c7a495udce5b83999018ece@mail.gmail.com>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi Richard,

On Sun, Dec 28, 2008 at 2:30 AM, Richard Yang <kusanagiyang@gmail.com>wrote:

> thank you, usleep (nice name)i somehow made it work by
> 1. add "redirect_port udp 10.0.0.200:50000 50000" in natd.conf
> 2. allow all traffic and diversion in ipfw.rules
>
> i tried to limit the traffic by modifying the rules in ipfw.rules,
> but unsuccessfully. so i just leave it be at this moment.
> i am very confused by the roles of natd and ipfw, and how they should work
> together.
>

As far as i understand it ( anyone please correct me if i am wrong ) :

There are two types of NAT in FreeBSD to choose from:

1. Natd, which is a userspace daemon. You need to include a divert rule in
your ipfw-config which looks like this:

#ipfw add 100 divert natd all from any to any via $oif ( $oif stands for
outside-interface )

After your packet has been diverted to natd, the NATed package is inserted
once again into the firewall to be checked again.

Port redirection etc is configured in natd.conf.

2. Kernel NAT, which is part of IPFW.

This is what i was referring to in my last message. You set it up through
rc.conf ( see man page ).

There is no need for a divert-rule.

Port redirection etc is configured with ipnat ( store your config in
/etc/ipnat.conf ).

And please, do not top-post.

regards,

usleep



>
> rich
>
>
> On Sat, Dec 27, 2008 at 8:40 AM, <usleepless@gmail.com> wrote:
>
>> Hi Ricard,
>>
>> On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang <kusanagiyang@gmail.com>wrote:
>>
>>> hi,
>>> i have a ssh machine behind a freebsd firewall with nat and ipfw.
>>> how do i make port forwarding so internet can access the ssh machine?
>>> thanx
>>>
>>
>> i think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). this
>> is a example definition:
>> rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22
>>
>> ( this redirects incoming traffic on outside-interface em1 port 2223 to an
>> internal machine on port 22 )
>>
>> also, include "firewall_nat_enable" in your rc.conf ( read 'man rc.conf' )
>>
>> to configure the settings from ipnat.conf, run "ipnat -C -f
>> /etc/ipnat.conf"
>>
>> regards,
>>
>> usleep
>>
>>>
>>>
>>
>
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?c39ec84c0812280739w3f639c40od7b8117e90414cf9>