From owner-freebsd-ipfw Wed Mar 7 22:50:19 2001
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id B8D6C37B71B for ; Wed, 7 Mar 2001 22:50:17 -0800 (PST) (envelope-from cjc@rfx-216-196-73-168.users.reflexcom.com)
Received: from rfx-216-196-73-168.users.reflexcom.com ([216.196.73.168]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Wed, 7 Mar 2001 22:48:16 -0800
Received: (from cjc@localhost) by rfx-216-196-73-168.users.reflexcom.com (8.11.1/8.11.1) id f286o1g32968; Wed, 7 Mar 2001 22:50:01 -0800 (PST) (envelope-from cjc)
Date: Wed, 7 Mar 2001 22:49:54 -0800
From: "Crist J. Clark"
To: Blair Sutton/Odey
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: masquerade firewall as external host only on one port
Message-ID: <20010307224954.L1367@cjc-desktop.users.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from B.Sutton@odey.co.uk on Wed, Mar 07, 2001 at 11:53:33AM +0000
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, Mar 07, 2001 at 11:53:33AM +0000, Blair Sutton/Odey wrote:
> Hi,
>
> I am trying to set up a firewall router. It has some services running on
> it: squid, dns and ssh.
> What I would like is to get the firewall to trap all traffic originating
> from the internal net 192.168.0.0/24 and travelling to external internet
> machines on a port, say 6666, and pass this on to natd, so natd can then
> translate the source address to the external IP of the firewall, say
> dc0/X.X.X.X. The internal address is, say, fxp0/Y.Y.Y.Y (within
> 192.168.0.0/24).

OK. So the internal machines can only reach the outside on HTTP through a
squid proxy except for one service going to port 6666 which will be NAT'ed.
Rather limited access, but hey, it's your net.
Instead of these,

> divert natd tcp from any to any 6666
> divert natd tcp from any 6666 to any

I think your NAT rules should be,

	divert natd tcp from 192.168.0.0/24 to any 6666 out via dc0
	divert natd tcp from any 6666 to X.X.X.X in via dc0

As for some of these others... If you are only doing NAT on 6666, it does
not make sense to let other traffic out. You should be using 'via ' a lot
more in your rules.
-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
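The following ruleset script is an added example, not code from this thread or from FreeBSD: it puts the two interface-bound divert rules suggested above into a complete, default-deny ipfw ruleset for the setup Blair describes, so that only port 6666 is forwarded and NATed while the firewall's own squid, DNS and ssh stay reachable from the inside. The interface names dc0/fxp0 and the net 192.168.0.0/24 come from the mail; everything else is assumed for illustration: 203.0.113.10 stands in for X.X.X.X, 192.168.0.1 for Y.Y.Y.Y, squid is assumed to listen on 3128 and to need outbound 80/443, and natd is assumed to be already running on the default divert port (for example `natd -n dc0`). Run without arguments the script only prints the ipfw commands (a dry run); with `apply` it loads them.

```shell
#!/bin/sh
# Added example (not from the original thread): an ipfw ruleset for a
# firewall that NATs only TCP port 6666 out of dc0 and denies everything
# else, built around the two divert rules from the reply above.
#
# Usage:  sh nat6666.sh          dry run: prints the ipfw commands
#         sh nat6666.sh apply    loads them with /sbin/ipfw (run as root)

ext_if=dc0                 # external interface (from the thread)
int_if=fxp0                # internal interface (from the thread)
int_net=192.168.0.0/24     # internal net (from the thread)
ext_ip=203.0.113.10        # ASSUMPTION: placeholder for X.X.X.X
int_ip=192.168.0.1         # ASSUMPTION: placeholder for Y.Y.Y.Y
fw_tcp="22,53,3128"        # ASSUMPTION: ssh, dns and squid on the firewall

load_rules() {
    $fwcmd -f flush

    # Loopback, and the usual anti-spoofing checks.
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8
    $fwcmd add 120 deny ip from 127.0.0.0/8 to any
    # A packet with an internal source arriving on the outside is forged.
    $fwcmd add 130 deny ip from $int_net to any in via $ext_if

    # Services the firewall itself offers to the internal net.
    $fwcmd add 200 allow tcp from $int_net to $int_ip $fw_tcp in via $int_if
    $fwcmd add 210 allow tcp from $int_ip $fw_tcp to $int_net out via $int_if established
    $fwcmd add 220 allow udp from $int_net to $int_ip 53 in via $int_if
    $fwcmd add 230 allow udp from $int_ip 53 to $int_net out via $int_if

    # The only forwarded traffic: internal hosts to port 6666 anywhere.
    # It enters on fxp0, is NATed as it leaves dc0, and after natd has
    # rewritten the source it carries the firewall's own address.
    $fwcmd add 300 allow tcp from $int_net to any 6666 in via $int_if
    $fwcmd add 310 divert natd tcp from $int_net to any 6666 out via $ext_if
    $fwcmd add 320 allow tcp from $ext_ip to any 6666 out via $ext_if

    # Replies from port 6666: translated back to the internal host on the
    # way in, then only packets of an established connection pass.
    $fwcmd add 400 divert natd tcp from any 6666 to $ext_ip in via $ext_if
    $fwcmd add 410 allow tcp from any 6666 to $int_net in via $ext_if established
    $fwcmd add 420 allow tcp from any 6666 to $int_net out via $int_if established

    # The firewall's own squid and resolver need the outside.
    # ASSUMPTION: HTTP/HTTPS for squid, UDP 53 for the resolver.
    $fwcmd add 500 allow tcp from $ext_ip to any 80,443 out via $ext_if
    $fwcmd add 510 allow tcp from any 80,443 to $ext_ip in via $ext_if established
    $fwcmd add 520 allow udp from $ext_ip to any 53 out via $ext_if
    $fwcmd add 530 allow udp from any 53 to $ext_ip in via $ext_if

    # Everything else, in either direction, is dropped.
    $fwcmd add 65000 deny ip from any to any
}

case "${1:-}" in
    apply) fwcmd=/sbin/ipfw ;;
    *)     fwcmd="${fwcmd:-echo}" ;;
esac
load_rules
```

Every rule names the interface and direction it applies to, which is the point of the reply: a rule like `allow tcp from any to any 6666` would also let an outside host reach port 6666 on the internal net or the firewall, whereas `from 192.168.0.0/24 to any 6666 out via dc0` only ever matches forwarded traffic leaving on the external side. Note that the divert rule must come before the allow rule for the same flow, since the packet re-enters the ruleset at the rule after the divert with its address already rewritten.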