From owner-freebsd-questions@FreeBSD.ORG Thu Oct 14 18:22:49 2004
From: "Kevin Glick" <keving@sbfnet.com>
To: "'Brian '", "'FreeBSD Questions'" <freebsd-questions@freebsd.org>
Date: Thu, 14 Oct 2004 11:21:47 -0700
Subject: RE: IPFW NATD
In-Reply-To: <200410141800.i9EI0hXL043737@emboss.bossbox.com>
Message-Id: <20041014182248.B617C43D2D@mx1.FreeBSD.org>

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Brian
Sent: Thursday, October 14, 2004 11:01 AM
To: 'FreeBSD Questions'
Subject: IPFW NATD

Hi,

I'm trying to set up natd to port forward to an HTTP, FTP and VNC server behind the natd box. But I only want a customer from their static IP address to be able to log in, and block everything else. Is this possible in a natd environment? Any examples?

Port forwarding works OK, I just can't figure out the rules to stop everyone and allow this one client.

Cheers,
Brian

Brian,

If you've got the port forwarding working, then a few IPFW rules will add the security you're looking for. If your divert rule is number 100, then add a few rules above it, like this:

    ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
    ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
    ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
    ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
    ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
    ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]

The first three rules pass the traffic from the specified IP to the divert rule, to natd, and it gets port forwarded. Any other traffic on those ports gets blocked, and doesn't get diverted.

Kevin Glick
ITS Manager
Sterling Business Forms
keving@sbfnet.com
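To see how ipfw's first-match walk turns those six rules into the behaviour Kevin describes, here is an added example (not from the thread, and not FreeBSD's or ipfw's own code): a small Python simulator of numbered rules with skipto, deny and divert. The customer address, NAT box address, VNC port and divert rule number are constructed placeholders standing in for the bracketed values in the reply; the sample packets are constructed as well.

```python
"""Simulate first-match evaluation of the ipfw rules from the reply (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CUSTOMER_IP = "203.0.113.10"   # placeholder for [static.ip.of.customer]
NAT_BOX_IP = "198.51.100.1"    # placeholder for [public.ip.of.nat.box]
VNC_PORT = 5900                # placeholder for [VNC port]
DIVERT_RULE = 100              # divert rule number assumed in the reply
FORWARDED_PORTS = (80, 21, VNC_PORT)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                  # "skipto", "deny" or "divert"
    proto: str                   # "tcp", "udp" or "ip" (any protocol)
    src: str                     # address or "any"
    dst: str                     # address or "any"
    dport: Optional[int]         # None matches any destination port
    target: Optional[int] = None  # jump target for skipto


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def build_ruleset() -> List[Rule]:
    """Rules 50-55 from the reply, the divert rule, and ipfw's implicit final deny."""
    rules = []
    for i, port in enumerate(FORWARDED_PORTS):
        rules.append(Rule(50 + i, "skipto", "tcp", CUSTOMER_IP, NAT_BOX_IP, port, DIVERT_RULE))
    for i, port in enumerate(FORWARDED_PORTS):
        rules.append(Rule(53 + i, "deny", "tcp", "any", NAT_BOX_IP, port))
    rules.append(Rule(DIVERT_RULE, "divert", "ip", "any", "any", None))
    rules.append(Rule(65535, "deny", "ip", "any", "any", None))
    return rules


def to_ipfw(rule: Rule) -> str:
    """Render a Rule as the 'ipfw add ...' line it stands for."""
    action = {"skipto": f"skipto {rule.target}", "divert": "divert natd"}.get(rule.action, rule.action)
    port = f" {rule.dport}" if rule.dport is not None else ""
    return f"ipfw add {rule.number} {action} {rule.proto} from {rule.src} to {rule.dst}{port}"


def matches(rule: Rule, pkt: Packet) -> bool:
    """Field-by-field match; 'ip', 'any' and a missing port are wildcards."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src != "any" and rule.src != pkt.src:
        return False
    if rule.dst != "any" and rule.dst != pkt.dst:
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[int, str]:
    """Walk rules in number order; skipto resumes at the first rule numbered >= target."""
    ordered = sorted(rules, key=lambda r: r.number)
    i = 0
    while i < len(ordered):
        rule = ordered[i]
        if not matches(rule, pkt):
            i += 1
            continue
        if rule.action == "skipto":
            i = next(j for j, r in enumerate(ordered) if r.number >= rule.target)
            continue
        return rule.number, rule.action
    return 65535, "deny"


# Constructed test packets: the customer, and a stranger at 192.0.2.77.
SAMPLE_PACKETS = {
    "customer_http": Packet("tcp", CUSTOMER_IP, NAT_BOX_IP, 80),
    "stranger_http": Packet("tcp", "192.0.2.77", NAT_BOX_IP, 80),
    "stranger_vnc": Packet("tcp", "192.0.2.77", NAT_BOX_IP, VNC_PORT),
    "stranger_ssh": Packet("tcp", "192.0.2.77", NAT_BOX_IP, 22),  # port not covered by 53-55
}


def classify_all() -> Dict[str, Tuple[int, str]]:
    rules = build_ruleset()
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for rule in build_ruleset():
        print(to_ipfw(rule))
    for name, verdict in classify_all().items():
        print(f"{name:15s} -> rule {verdict[0]} {verdict[1]}")
```

The stranger_ssh case is the point to notice: rules 53-55 deny only the three forwarded ports, so any other port from any source still reaches the divert rule and whatever follows it. The simulator also ignores interface and direction, which a real rule set should not; binding the rules with `in via <external interface>` keeps them from matching LAN-side traffic, and `ipfw show` lets you confirm during a connection test that the counters on 53-55 (not 100) move for a non-customer source. Remember too that `skipto 100` jumps over any rule numbered 56-99 for the customer's traffic.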