Date: Wed, 7 Mar 2001 11:53:33 +0000 From: "Blair Sutton/Odey" <B.Sutton@odey.co.uk> To: freebsd-ipfw@freebsd.org Subject: masquerade firewall as external host only on one port Message-ID: <OF1C20433A.CD0FEA04-ON80256A08.003E48C7@odey.co.uk>
Hi, I am trying to set up a firewall router. It has some services running on it: squid, dns and ssh. What I would like is to get the firewall to trap all traffic originating from the internal net 192.168.0.0/24 and travelling to external internet machines on a port, say 6666, and pass this on to natd, so natd can then translate the source address to the external IP of the firewall, say dc0/X.X.X.X. The internal address is say fxp0/Y.Y.Y.Y (within 192.168.0.0/24). Visually:-

              internet
                 |
                 v
      firewall - dc0/X.X.X.X
      (squid/3128) (dns/53) (ssh/22)
      firewall   fxp0/Y.Y.Y.Y
                 |
                 v
            192.168.0.0/24

The reason is because we have an application on our internal network which does not allow proxy connections, so it will attempt to connect to an external host on the internet on port 6666. I would like the firewall to masquerade on this port internally.

What follows is my current setup, which is probably too obscured to be of any help in a diagnosis but may show what I am attempting to do. If anyone has achieved this or something similar, let me know. Thank you in advance.

PS: my kernel has all required firewall and divert options, and I have read the natd manual.
My current ipfw list looks like this:-

    allow ip from any to any via lo0
    deny ip from any to 127.0.0.0/8
    allow tcp from any to any established
    divert natd tcp from any to any 6666
    divert natd tcp from any 6666 to any
    allow tcp from any to X.X.X.X 6666 setup
    allow tcp from any to Y.Y.Y.Y 22 setup
    allow tcp from any to X.X.X.X 22 setup
    allow udp from any 53 to Y.Y.Y.Y
    allow udp from any 53 to X.X.X.X
    allow udp from Y.Y.Y.Y to any 53
    allow udp from X.X.X.X to any 53
    allow tcp from any to Y.Y.Y.Y 53 setup
    allow udp from any to Y.Y.Y.Y 53
    allow udp from Y.Y.Y.Y 53 to any
    allow udp from Y.Y.Y.Y to any
    allow udp from X.X.X.X to any
    allow tcp from Y.Y.Y.Y to any setup
    allow tcp from X.X.X.X to any setup
    allow tcp from any to Y.Y.Y.Y 3128 setup
    deny log logamount 10 tcp from any to any in recv fxp0 setup
    deny ip from any to any

My current natd.cf looks like this:-

    log no
    deny_incoming no
    use_sockets no
    same_ports yes
    verbose yes
    port natd
    interface dc0
    redirect_port tcp external_host:6666 6666
    redirect_port udp external_host:6666 6666

Odey Asset Management Ltd. 12 Upper Grosvenor St, London W1K 2ND. Tel: +44 (0) 20 7208 1400, Fax +44 (0) 20 7208 1401. Regulated by IMRO. Registered in England No. 2651507.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OF1C20433A.CD0FEA04-ON80256A08.003E48C7>
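The point a reader should take from the posted ruleset is that ipfw is first-match and natd only ever sees a packet that reaches a divert rule. The following is an added illustration, not code from the poster or from FreeBSD: a toy evaluator for a small subset of ipfw(8) rule syntax (allow/deny/divert, from/to with optional ports, setup, established) with a toy natd that rewrites an internal source address to the external one and undoes it on the reply. It pushes one outbound SYN to port 6666 and the server's reply through the rules in the order the post lists them, and then through the same rules with the two divert lines moved ahead of the `established` rule, as natd(8) recommends. All addresses are constructed placeholders standing in for X.X.X.X and the internal net; `POSTED_ORDER` is a subset of the posted rules, not the whole list.

```python
"""Toy first-match evaluator for a small subset of ipfw(8) rule syntax.
Added illustration, not ipfw or natd code; addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

EXT_IP = "198.51.100.1"                       # stands in for dc0's X.X.X.X (constructed)
INTERNAL = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool   # True once ACK/RST is set, i.e. anything after the first SYN


def parse_rule(text):
    """Understands: <allow|deny|divert natd> <proto> from <addr> [port] to <addr> [port] [setup|established]."""
    tok = text.split()
    action = tok.pop(0)
    target = tok.pop(0) if action == "divert" else None
    proto = tok.pop(0)
    assert tok.pop(0) == "from"
    src = tok.pop(0)
    sport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    assert tok.pop(0) == "to"
    dst = tok.pop(0)
    dport = int(tok.pop(0)) if tok and tok[0].isdigit() else None
    return {"text": text, "action": action, "target": target, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "opts": set(tok)}


def _addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if not _addr_match(rule["src"], pkt.src) or not _addr_match(rule["dst"], pkt.dst):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.sport:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if "established" in rule["opts"] and not pkt.ack:   # established = ACK or RST set
        return False
    if "setup" in rule["opts"] and pkt.ack:             # setup = SYN without ACK
        return False
    return True


def run(rules, pkt, nat_table):
    """Walk the ruleset first-match style.  A divert hands the packet to the toy natd
    (outbound: masquerade an internal source as EXT_IP; inbound: undo it) and then
    continues at the next rule, which is where ipfw resumes for a re-injected packet.
    Returns (final action, whether natd saw the packet, packet as it leaves ipfw)."""
    diverted = False
    for rule in (parse_rule(r) for r in rules):
        if not matches(rule, pkt):
            continue
        if rule["action"] != "divert":
            return rule["action"], diverted, pkt
        diverted = True
        if ipaddress.ip_address(pkt.src) in INTERNAL:                       # outbound
            nat_table[(pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)          # same_ports yes
            pkt = Packet(pkt.proto, EXT_IP, pkt.sport, pkt.dst, pkt.dport, pkt.ack)
        elif pkt.dst == EXT_IP and (pkt.src, pkt.sport) in nat_table:       # inbound reply
            isrc, isport = nat_table[(pkt.src, pkt.sport)]
            pkt = Packet(pkt.proto, pkt.src, pkt.sport, isrc, isport, pkt.ack)
    return "deny", diverted, pkt   # ipfw's implicit default


# Subset of the posted ruleset, in the posted order.
POSTED_ORDER = [
    "allow tcp from any to any established",
    "divert natd tcp from any to any 6666",
    "divert natd tcp from any 6666 to any",
    f"allow tcp from any to {EXT_IP} 6666 setup",
    f"allow tcp from {EXT_IP} to any setup",
    "deny ip from any to any",
]
# Same rules with both divert lines ahead of 'established'.
DIVERT_FIRST = [POSTED_ORDER[1], POSTED_ORDER[2], POSTED_ORDER[0]] + POSTED_ORDER[3:]


def simulate(rules):
    """One internal client opens a connection to an external host on 6666; the host replies."""
    nat = {}
    client, server = "192.168.0.5", "203.0.113.9"   # constructed addresses
    out = run(rules, Packet("tcp", client, 40000, server, 6666, ack=False), nat)
    back = run(rules, Packet("tcp", server, 6666, EXT_IP, 40000, ack=True), nat)
    return {"out": (out[0], out[1], out[2].src), "back": (back[0], back[1], back[2].dst)}


if __name__ == "__main__":
    for name, rules in (("posted order", POSTED_ORDER), ("divert first", DIVERT_FIRST)):
        print(name, simulate(rules))
```

With the posted order the SYN is diverted and leaves with the external source address, but the reply matches `allow tcp from any to any established` before either divert rule, so natd never translates its destination back to the internal client and the packet stays addressed to the firewall itself; every later outbound data segment also has ACK set and goes out untranslated for the same reason. With the divert lines first, both directions pass through natd and the reply reaches 192.168.0.5. For outbound masquerading, natd needs only its aliasing interface (`interface dc0` or `-n dc0`); `redirect_port` is the option for forwarding incoming connections to an inside host, which is a different job.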