From owner-freebsd-questions Sun May 7 15:47:35 2000
Delivered-To: freebsd-questions@freebsd.org
Received: from syrenna.deep-ocean.net (ca-ol-bordeaux-7-4.abo.wanadoo.fr [62.161.110.4]) by hub.freebsd.org (Postfix) with ESMTP id 0CF7637B685 for ; Sun, 7 May 2000 15:47:21 -0700 (PDT) (envelope-from olive@deep-ocean.net)
Received: from pozeidon (pozeidon.deep-ocean.net [192.168.0.12]) by syrenna.deep-ocean.net (8.9.3/8.9.3) with SMTP id AAA28376; Mon, 8 May 2000 00:44:48 +0200 (CEST) (envelope-from olive@deep-ocean.net)
From: "Olivier Cortes"
To: "Allen Lu", "FreeBSD Questions"
Subject: RE: ipfirewall (ipfw)
Date: Mon, 8 May 2000 00:46:03 +0200
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2776.0)
In-Reply-To: <20000507164028.23294.qmail@web2102.mail.yahoo.com>
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I cannot explicitly help you because I didn't use redirect_address.

But: for specific services (HTTP, FTP, SMTP, SSH, and POP), I use the feature redirect_port tcp :port port, e.g. "redirect_port 192.168.0.2:25 25". It works like this: everything coming in on port 25 of the firewall on the natd interface is redirected to 192.168.0.2:25. Knowing that all other services are disabled (security) and all other ports are closed, it's a good manner to do things.

Of course, I'm open to anything anyone finds better.

Olivier

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG] On behalf of Allen Lu
> Sent: Sunday, 7 May 2000 18:40
> To: Chris Phillips
> Cc: questions@freebsd.org
> Subject: Re: ipfirewall (ipfw)
>
>
> Hi, I made the modifications as suggested; however, I still do not get
> 216.218.224.107 forwarded to 192.168.1.10. It goes directly to the
> firewall. Here is my current config:
>
> rogue# cat /etc/natd.conf
> redirect_address 192.168.1.10 216.218.224.107
> rogue# cat /etc/rc.conf
> # This file now contains just the overrides from /etc/defaults/rc.conf
> # please make all changes to this file.
>
> # -- sysinstall generated deltas -- #
> gateway_enable="YES"
> network_interfaces="rl0 rl1 lo0"
> ifconfig_rl0="inet 216.218.224.106 netmask 255.255.255.248 broadcast 216.218.224.112"
> ifconfig_rl0_alias0="inet 216.218.224.107 netmask 255.255.255.255 broadcast 216.218.224.112"
> ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
> ifconfig_lo0="inet 127.0.0.1"
> defaultrouter="216.218.224.105"
> hostname="rogue.alltopix.com"
> firewall_enable="YES"
> firewall_type="open"
> firewall_quiet="NO"
> natd_enabled="YES"
> natd_interface="rl0"
> natd_flags="-u -m -f /etc/natd.conf"
> sendmail_enable="NO"
> gateway_enable="YES"
> router_enable="NO"
> static_routes=""
> router="routed"
> mrouted_enable="NO"
> mrouted_flags=""
> ipxgateway_enable="NO"
> tcp_extensions="NO"
> ipxrouted_enable="NO"
> ipxrouted_flags=""
> arpproxy_all=""
> forward_sourceroute="NO"
> accept_sourceroute="NO"
>
> Thank you for your help.
>
> Allen
>
> --- Chris Phillips wrote:
> > Hi Allen,
> >
> > Throw this line in your kernel as well.
> >
> > options IPFIREWALL_FORWARD #enable transparent proxy support
> >
> > Also, change your rc.conf alias line to..
> >
> > ifconfig_rl0_alias0="inet 216.218.224.107 netmask 255.255.255.255 broadcast 216.218.224"
> >
> > The netmask needs to be 255.255.255.255 or you will not be able to route
> > packets between IPs, as the machine is looking for something that is
> > physically on the net and not just an alias. Packet forwarding needs to
> > be on to allow static routing.
> >
> > -Chris Phillips
> >
> > On Sun, 7 May 2000, Allen Lu wrote:
> >
> > > Hi, I have a question that I've been trying to find an answer to in the
> > > docs for a while, but can't seem to get a finger on what the problem
> > > could be.
> > >
> > > I'm using the latest standard release, FreeBSD-4.0. These are my kernel
> > > changes under MYKERNEL to turn on the firewall and static natd on two
> > > interfaces: rl0, rl1. Followed by my rc.conf.
> > >
> > > The problem is that packets are not getting forwarded by the
> > > redirect_address statement in my /etc/natd.conf file. My goal is to set
> > > up a static natd by translating a real Internet IP to the public
> > > interface (rl0) and redirecting it after filtering to the private LAN
> > > via 192.168.1.1 to 192.168.1.10. When I telnet to 216.218.224.107, it
> > > goes to the firewall, not the destined client I want. I also cannot ping
> > > 216.218.224.107 on the firewall itself. 224.107 is aliased to 224.106,
> > > which is the original IP address of the public card.
> > >
> > > KERNEL:
> > > options IPFIREWALL
> > > options IPFIREWALL_VERBOSE
> > > options IPDIVERT
> > >
> > > rc.conf:
> > > # -- sysinstall generated deltas -- #
> > > gateway_enable="YES"
> > > network_interfaces="rl0 rl1 lo0"
> > > ifconfig_rl0="inet 216.218.224.106 netmask 255.255.255.248 broadcast 216.218.224.111"
> > > ifconfig rl0 alias 216.218.224.107 netmask 255.255.255.248
> > > ifconfig_rl1="inet 192.168.1.1 netmask 255.255.255.0"
> > > ifconfig_lo0="inet 127.0.0.1"
> > > defaultrouter="216.218.224.105"
> > > hostname="rogue.alltopix.com"
> > > firewall_enable="YES"
> > > firewall_type="open"
> > > firewall_quiet="NO"
> > > natd_enabled="YES"
> > > natd_interface="rl0"
> > > natd_flags="-u -m -f /etc/natd.conf"
> > > sendmail_enable="NO"
> > > gateway_enable="YES"
> > > router_enable="NO"
> > > static_routes=""
> > > router="routed"
> > > mrouted_enable="NO"
> > > mrouted_flags=""
> > > ipxgateway_enable="NO"
> > > tcp_extensions="NO"
> > > ipxrouted_enable="NO"
> > > ipxrouted_flags=""
> > > arpproxy_all=""
> > > forward_sourceroute="NO"
> > > accept_sourceroute="NO"
> > >
> > > /etc/natd.conf:
> > > redirect_address 192.168.1.10 216.218.224.107
> > >
> > > Any suggestions as to why it doesn't work?
> > >
> > > Allen
> > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Send instant messages & get email alerts with Yahoo! Messenger.
> > > http://im.yahoo.com/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
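The two points raised in the thread, the /32 netmask on the public alias and the difference between a whole-host redirect_address and per-service redirect_port rules, written up as a small configuration audit. This is an added example, not code from the thread or from FreeBSD; the sample rc.conf and natd.conf are constructed from the values posted above, and the rc.conf parser is deliberately simple (plain KEY="value" lines only).

```python
import re
# Constructed sample input modelled on the files posted in the thread:
# alias still on the /29 netmask, whole-host redirect, open firewall.
RC_CONF = """\
ifconfig_rl0="inet 216.218.224.106 netmask 255.255.255.248 broadcast 216.218.224.111"
ifconfig_rl0_alias0="inet 216.218.224.107 netmask 255.255.255.248"
firewall_type="open"
natd_interface="rl0"
"""
NATD_CONF = """\
redirect_address 192.168.1.10 216.218.224.107
redirect_port tcp 192.168.0.2:25 25
"""

RC_LINE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')
ALIAS_KEY = re.compile(r"^ifconfig_\w+?_alias\d+$")
HOST_MASKS = {"255.255.255.255", "0xffffffff"}  # both spellings ifconfig accepts


def parse_rc_conf(text: str) -> dict:
    """Return rc.conf variables as a dict; later assignments win, as in sh."""
    rc = {}
    for line in text.splitlines():
        m = RC_LINE.match(line)
        if m:
            rc[m.group(1)] = m.group(2).strip()
    return rc


def audit(rc_text: str, natd_text: str) -> list:
    """Return one finding per misconfiguration; an empty list means clean."""
    rc = parse_rc_conf(rc_text)
    findings = []
    # 1. As advised in the thread, an alias on the public interface needs a
    #    host (/32) netmask, not the subnet mask of the primary address.
    for key, value in rc.items():
        m = re.search(r"inet\s+(\S+)\s+netmask\s+(\S+)", value)
        if ALIAS_KEY.match(key) and m and m.group(2) not in HOST_MASKS:
            findings.append(f"{key}: alias {m.group(1)} has netmask {m.group(2)}, "
                            "needs 255.255.255.255")
    # 2. redirect_address maps every port of the public address to the
    #    internal host; with firewall_type="open" ipfw filters none of it.
    for line in natd_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "redirect_address":
            msg = f"redirect_address: all ports of {parts[2]} forwarded to {parts[1]}"
            if rc.get("firewall_type") == "open":
                msg += " and firewall_type is open"
            findings.append(msg)
    return findings
```

Running `audit(RC_CONF, NATD_CONF)` reports both findings for the sample; with the alias mask changed to 255.255.255.255 and the redirect_address line replaced by redirect_port rules, it returns an empty list.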