From owner-freebsd-questions Wed Jul 18 17: 1:56 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from jezebel.demon.co.uk (jezebel.demon.co.uk [158.152.38.143]) by hub.freebsd.org (Postfix) with ESMTP id CD66037B403 for ; Wed, 18 Jul 2001 17:01:51 -0700 (PDT) (envelope-from rdls@jezebel.demon.co.uk)
Received: (from rdls@localhost) by jezebel.demon.co.uk (8.11.1/8.11.1) id f6INwoC02271; Thu, 19 Jul 2001 00:58:50 +0100 (BST) (envelope-from rdls)
Date: Thu, 19 Jul 2001 00:58:49 +0100
From: Richard Smith
To: Thomas David Rivers
Cc: freebsd-questions@freebsd.org
Subject: Re: ipfw & fwd? (and natd?)
Message-ID: <20010719005849.A1937@gaia.home.rdls.net>
References: <200107171200.f6HC0cB40770@lakes.dignus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200107171200.f6HC0cB40770@lakes.dignus.com>; from rivers@dignus.com on Tue, Jul 17, 2001 at 08:00:38AM -0400
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Tue, Jul 17, 2001 at 08:00:38AM -0400, Thomas David Rivers wrote:
>
> I've been trying to redirect a certain port number to a telnet
> port on another network...
>
> It's been pointed out that natd won't do that for me; because
> of the "other" network issue (although, perhaps it should, hard
> to say.)

When the `other network' is an external network perhaps, but you're
redirecting to an internal network within your 10/8 address space.

> Here's the set up:
>
> xl0 is the "outside" interface.
> xl1 is the "inside" interface (10.0.0.x) network
> tun0 is the VPN interface to the other (10.1.0.x) network.
>
> I'd like to redirect incoming tcp/udp connections on port 5000 via xl0
> to a telnet connection on a machine in the 10.1.0.x network.
I just did a similar thing: using an ssh/ppp constructed vpn, and adding
"-redirect_port tcp 10.1.0.x:23 5000" to natd_flags. The only thing that
threw me at first was that the other end of the tunnel needs to set their
default route pointing back into the tunnel.

> So - some of us were thinking that perhaps natd, in combination
> with ipfw fwd would work... making a "phantom" IP address on the
> 10.0.0.x network. Then, natd can redirect to the "phantom" IP
> address, which will be forwarded to the remote one.
>
> To get specific, the remote machine is 10.1.0.11; the "phantom" IP
> address is 10.0.0.11.
>
> At this point, I'm just trying to get ipfw fwd to work... so, that
> ping/telnet/etc.. to 10.0.0.11 are forwarded to 10.1.0.11.
>
> Here's my ipfw rules:
>
> 00050 divert 8668 ip from any to any via xl0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 06400 fwd 10.1.0.11 ip from any to 10.0.0.11
> 06401 fwd 10.1.0.11 ip from 10.0.0.11 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any

This is clearly wrong, you're asking ipfw to send both forward and return
packets to the same address. I don't think `ipfw fwd' re-writes the
packet so it's not much use to you here.

I'd stick with natd, it does work.

Rich.
-- 
Richard Smith
Network Systems Director
Satamatics Ltd
Green Lane, Tewkesbury, GL20 8HD, United Kingdom
Tel: +44 1684 278610  Fax: +44 1684 278611

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
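The following Python is an added, constructed model of the two mechanisms argued over in this thread; it is not code from FreeBSD, natd, or either poster. It feeds the ipfw ruleset quoted above through a reduced ipfw matcher to show why the two fwd rules cannot work (fwd changes only the next hop and never rewrites the destination, so the reply from 10.0.0.11 is also sent to 10.1.0.11), then models what "-redirect_port tcp 10.1.0.11:23 5000" does instead (rewrite the inbound destination, translate the reply back from a state table), and finally shows the routing point from the reply: the far end of the tunnel needs a default route into it for the reply to the outside client to come back. The client address 203.0.113.5, the public xl0 address 198.51.100.1, the port numbers other than 23 and 5000, and the far-end routing table are all assumptions made up for the model; the real divert/natd processing at rule 50 is not simulated.

```python
# Constructed model (not FreeBSD, natd or either poster's code) of the two
# mechanisms in this thread: `ipfw fwd` only changes the next hop, while
# `natd -redirect_port` rewrites addresses and translates the reply back.
# Assumed values: client 203.0.113.5, public address of xl0 198.51.100.1.
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"
    iface: str = "xl0"   # interface the packet arrives on

def _in(spec, addr):
    """Match an ipfw address spec ('any', host or CIDR) against addr."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rules(text):
    """Parse '<num> <action> [arg] <proto> from <src> to <dst> [via <if>]',
    the subset of ipfw syntax that appears in the quoted ruleset."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        num, action, i, arg = int(t[0]), t[1], 2, None
        if action in ("fwd", "divert"):
            arg, i = t[i], i + 1
        if t[i + 1] != "from" or t[i + 3] != "to":
            raise ValueError("unsupported rule: " + line)
        via = t[i + 6] if len(t) > i + 6 and t[i + 5] == "via" else None
        rules.append((num, action, arg, t[i], t[i + 2], t[i + 4], via))
    return rules

def fwd_nexthop(rules, pkt):
    """Next hop picked by the first matching fwd rule, plus the packet as it
    leaves: fwd never rewrites pkt.dst. divert is pass-through in this model."""
    for _, action, arg, proto, src, dst, via in rules:
        if proto not in ("ip", pkt.proto) or (via and via != pkt.iface) \
                or not (_in(src, pkt.src) and _in(dst, pkt.dst)):
            continue
        if action == "fwd":
            return arg, pkt
        if action in ("allow", "deny"):
            return None, pkt
    return None, pkt

class NatdRedirectPort:
    """`natd -redirect_port tcp target:tport pport`: rewrite the destination of
    inbound packets to pport and undo it on the reply via a translation table."""
    def __init__(self, public_ip, target_ip, target_port, public_port):
        self.public_ip, self.public_port = public_ip, public_port
        self.target_ip, self.target_port = target_ip, target_port
        self.table = {}   # (client ip, client port) -> (public ip, public port)

    def inbound(self, pkt):
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport) == (self.public_ip, self.public_port):
            self.table[(pkt.src, pkt.sport)] = (pkt.dst, pkt.dport)
            return replace(pkt, dst=self.target_ip, dport=self.target_port)
        return pkt

    def outbound(self, pkt):
        key = (pkt.dst, pkt.dport)
        if (pkt.src, pkt.sport) == (self.target_ip, self.target_port) and key in self.table:
            pub_ip, pub_port = self.table[key]
            return replace(pkt, src=pub_ip, sport=pub_port)
        return pkt

def route_iface(routes, dst):
    """Longest-prefix lookup over (cidr, iface) pairs; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(c).prefixlen, i) for c, i in routes if addr in ipaddress.ip_network(c)]
    return max(hits)[1] if hits else None

QUOTED_RULES = """
00050 divert 8668 ip from any to any via xl0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
06400 fwd 10.1.0.11 ip from any to 10.0.0.11
06401 fwd 10.1.0.11 ip from 10.0.0.11 to any
65000 allow ip from any to any
65535 allow ip from any to any
"""

def demo():
    rules = parse_rules(QUOTED_RULES)
    client = Packet("203.0.113.5", "10.0.0.11", 40000, 23)
    reply = Packet("10.0.0.11", "203.0.113.5", 23, 40000, iface="tun0")
    out_hop, out_pkt = fwd_nexthop(rules, client)
    back_hop, _ = fwd_nexthop(rules, reply)
    nat = NatdRedirectPort("198.51.100.1", "10.1.0.11", 23, 5000)
    inbound = nat.inbound(Packet("203.0.113.5", "198.51.100.1", 40000, 5000))
    back = nat.outbound(Packet("10.1.0.11", "203.0.113.5", 23, 40000, iface="tun0"))
    # Routing table at the far end of the tunnel (constructed): the reply to
    # the client only re-enters tun0 once a default route points into it.
    far_end = [("10.1.0.0/16", "eth0"), ("10.0.0.0/16", "tun0")]
    return {
        "fwd_next_hops": (out_hop, back_hop),            # both 10.1.0.11: reply loops back
        "fwd_dst_rewritten": out_pkt.dst != client.dst,  # False: header left alone
        "natd_inbound": (inbound.dst, inbound.dport),    # ('10.1.0.11', 23)
        "natd_reply": (back.src, back.sport),            # ('198.51.100.1', 5000)
        "reply_iface_without_default": route_iface(far_end, "203.0.113.5"),
        "reply_iface_with_default": route_iface(far_end + [("0.0.0.0/0", "tun0")], "203.0.113.5"),
    }
```

Running demo() shows the three results side by side: with the quoted rules, both the forward packet and the reply get next hop 10.1.0.11 and the forward packet still carries destination 10.0.0.11, so the host on the far side never sees a packet addressed to itself; with the natd redirect, the destination is rewritten to 10.1.0.11:23 on the way in and the reply is restored to 198.51.100.1:5000 on the way out; and the reply only finds its way back into tun0 once the far end has a default route pointing at the tunnel.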