From owner-freebsd-questions@FreeBSD.ORG Mon Jul 11 17:07:39 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8D7301065673 for ; Mon, 11 Jul 2011 17:07:39 +0000 (UTC) (envelope-from dan@dan.emsphone.com) Received: from email2.allantgroup.com (email2.emsphone.com [199.67.51.116]) by mx1.freebsd.org (Postfix) with ESMTP id 519368FC08 for ; Mon, 11 Jul 2011 17:07:36 +0000 (UTC) Received: from dan.emsphone.com (dan.emsphone.com [199.67.51.101]) by email2.allantgroup.com (8.14.4/8.14.4) with ESMTP id p6BH7XrM031207 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 11 Jul 2011 12:07:33 -0500 (CDT) (envelope-from dan@dan.emsphone.com) Received: from dan.emsphone.com (smmsp@localhost [127.0.0.1]) by dan.emsphone.com (8.14.5/8.14.5) with ESMTP id p6BH7WFT031921 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Mon, 11 Jul 2011 12:07:32 -0500 (CDT) (envelope-from dan@dan.emsphone.com) Received: (from dan@localhost) by dan.emsphone.com (8.14.5/8.14.5/Submit) id p6BH7VbB031920; Mon, 11 Jul 2011 12:07:31 -0500 (CDT) (envelope-from dan) Date: Mon, 11 Jul 2011 12:07:31 -0500 From: Dan Nelson To: Michael Sierchio Message-ID: <20110711170729.GG6611@dan.emsphone.com> References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-OS: FreeBSD 8.2-STABLE User-Agent: Mutt/1.5.21 (2010-09-15) X-Virus-Scanned: clamav-milter 0.97 at email2.allantgroup.com X-Virus-Status: Clean X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.6 (email2.allantgroup.com [199.67.51.78]); Mon, 11 Jul 2011 12:07:33 -0500 (CDT) X-Scanned-By: MIMEDefang 2.68 on 199.67.51.78 Cc: freebsd-questions@freebsd.org Subject: Re: IPFW Firewall NAT inbound port-redirect X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Jul 2011 17:07:39 -0000 In the last episode (Jul 11), Michael Sierchio said: > Sorry for the naive question, but most of my old rulesets still use > natd, and I've only used built-in nat for outbound traffic. I'd like > to redirect certain ports on certain addresses to the same ports on > internal (RFC1918) addresses. The examples in the man page aren't > helpful, and the handbook still seems very natd-centric in its > examples. Thanks in advance. I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface corresponding to my internet connection) : nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 22 add nat 123 ip from any to any via re0.2 , which redirects incoming port 22 connections to 10.0.0.3. If you want to redirect more ports, add more "redirect_port tcp host:port port" expressions to the end of your nat line. I believe you can run the nat config command manually with a new list (as in "ipfw nat 123 ...") to add/remove entries dynamically. I'm not at home to try it, and don't want to risk losing my remote connection if I mess up :) -- Dan Nelson dnelson@allantgroup.com