Date:      Thu, 16 Jul 1998 12:44:42 -0700 (PDT)
From:      Doug White <dwhite@resnet.uoregon.edu>
To:        Thomas David Rivers <rivers@dignus.com>
Cc:        freebsd-questions@freefall.cdrom.com, rivers@lakes.dignus.com
Subject:   Re: ipfw rules for exposing an internal machine's port externally?
Message-ID:  <Pine.BSF.4.00.9807161241410.17022-100000@resnet.uoregon.edu>
In-Reply-To: <199807160217.WAA23663@lakes.dignus.com>

On Wed, 15 Jul 1998, Thomas David Rivers wrote:

> 
> I thought I should be able to do this; but it doesn't
> seem to work well.  Perhaps someone knows what I've got wrong here.
> 
> What I have is a machine "X" which is on the external network
> and through which I divert all internal traffic on the 10.0.0.x
> network via ipfw/natd, as in:
> 
>   ipfw add 100 divert 32000 ip from any to any via sl0
> 
> 
> However, I have an internal machine (10.0.0.10) that's set up
> to do telnet connections on a different port (e.g. port #PPPP in 
> the following example.)
> 
> I would like to make those connections available externally.
> 
> So - I've got added:
> 
>    ipfw add 50 pass log tcp from any PPPP to 10.0.0.10 PPPP
>    ipfw add 50 pass log udp from any PPPP to 10.0.0.10 PPPP\

You can't do this since natd already munged the packets. For all intents
and purposes natd is a complete firewall.  

What you want to do is use natd's redirect_port feature to map the port(s)
you want from the 10.0.0.10 host onto port(s) on the natd host.  See the
natd man page for details.

Besides, you just overwrote the first rule 50, for tcp, with the
replacement rule 50, for udp.  The rule numbers must be unique unless
you're replacing the rule.

Doug White                              | University of Oregon  
Internet:  dwhite@resnet.uoregon.edu    | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite    | Computer Science Major
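An added illustration of the two points in the reply above (a natd redirect_port entry instead of a pre-divert pass rule, and one number per ipfw rule); this is example code written for this page, not anything posted in the thread. It keeps the thread's sl0, 10.0.0.10 and divert port 32000, and assumes port 2323 standing in for "PPPP" and rule numbers 200/210/65000, all constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the natd.conf redirect line and
# an ipfw rule list for exposing one internal port, and checks that no ipfw
# rule number is reused before anything would be loaded.
EXT_IF=sl0            # external interface, as in the question
INT_HOST=10.0.0.10    # internal host, as in the question
SVC_PORT=2323         # constructed stand-in for the thread's "PPPP"
DIVERT_PORT=32000     # natd divert port, as in the question

# natd.conf line (natd -f /etc/natd.conf): "redirect_port proto host:port aliasport"
# maps the natd host's external port onto the internal host's port.
natd_redirect() {
    # $1 = proto, $2 = internal host, $3 = internal port, $4 = external port
    printf 'redirect_port %s %s:%s %s\n' "$1" "$2" "$3" "$4"
}

# ipfw rules: the divert rule first; the pass rules sit after it, so they are
# evaluated on the packet natd has already rewritten to the internal address.
# Every rule carries its own number (200/210/65000 are constructed values).
ipfw_rules() {
    cat <<EOF
add 100 divert $DIVERT_PORT ip from any to any via $EXT_IF
add 200 pass log tcp from any to $INT_HOST $SVC_PORT
add 210 pass log tcp from $INT_HOST $SVC_PORT to any
add 65000 pass ip from any to any
EOF
}

# Reads "add N ..." lines on stdin; fails if any number N appears twice,
# which (per the reply above) would replace the earlier rule rather than add one.
check_unique_rule_numbers() {
    dups=$(awk '$1 == "add" { print $2 }' | sort | uniq -d)
    [ -z "$dups" ]
}

# Dry run: print what would be loaded, only after the uniqueness check passes.
if ipfw_rules | check_unique_rule_numbers; then
    natd_redirect tcp "$INT_HOST" "$SVC_PORT" "$SVC_PORT"
    ipfw_rules
fi
```

Feeding the question's two rule-50 lines through check_unique_rule_numbers makes it fail, which is the collision the reply points out.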


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message


