From owner-freebsd-questions Fri Jan 14 12:05:14 2000
From: Jeff Lush
Organization: NerdPower.com
To: freebsd-questions@freebsd.org
Subject: natd and ipfw redirection
Date: Fri, 14 Jan 2000 12:19:39 -0700
Message-Id: <00011413030805.01757@smithers.nerdpower.org>

Hello,

I am using FreeBSD to set up a firewall with NAT. Essentially, what I would like to do is have NAT translate from private to public IPs, use ipfw for firewall rules, and allow for IP redirection into the LAN for some services such as SMTP. So far, I have NAT working and have firewall rules set up accordingly to block unwanted incoming traffic. Where my difficulties arise is with (I believe) ipfw.
Here's my setup. In rc.conf, I have set up an IP bound to de0 and an alias IP for SMTP traffic:

    ifconfig_de0="inet 139.142.250.29 netmask 255.255.255.192"
    ifconfig_de0_alias0="inet 139.142.250.39 netmask 255.255.255.255"
    ifconfig_de1="inet 192.168.1.1 netmask 255.255.255.0"

In rc.firewall I have these rules relating to redirection:

    ipfw add 100 divert natd all from any to any via de0   # Pass everything to natd

Further down the ruleset I then have:

    ipfw add 7000 allow tcp from any to any 25 in via 139.142.250.39 setup   # Allow tcp traffic in on port 25 from 139.142.250.39

I then start natd with:

    natd -redirect_port tcp 192.168.1.2:25 139.142.250.39:25

In my opinion, this appears to be correct, but obviously it is not. I feel the problem is in the firewall rules. I compiled the kernel with 'options IPFIREWALL_FORWARD', but I'm not sure how it will work with NAT. The rule I have in mind is:

    ipfw add 200 fwd 192.168.1.2 all from de0 to de1

My thinking is this is what natd is supposed to do. I know something is missing, I just don't know what. Any help that can be offered would be very much appreciated. I can include more from my conf files if necessary.

Thanks for the help.

Jeff Lush
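Added example, not part of the original post or of FreeBSD's code: a toy model of how an ipfw ruleset interacts with a `divert natd` rule and a `-redirect_port` entry, using the interfaces, addresses and rule numbers quoted above. The matching semantics are a simplified reconstruction (no protocol field, inbound redirect only); the remote address 203.0.113.7 is constructed. It walks two things a practitioner would check with a setup like this: that the packet continuing after the divert rule carries the translated destination 192.168.1.2:25, so later rules are matched against that, and that the kernel evaluates the same packet a second time when it leaves via de1, where it needs its own allow rule under a default-deny policy. Rule 7100 is a hypothetical addition for that second pass.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Interfaces and addresses from the post's rc.conf; de0 carries the alias.
IFACES = {
    "de0": {"139.142.250.29", "139.142.250.39"},
    "de1": {"192.168.1.1"},
}

# natd -redirect_port tcp 192.168.1.2:25 139.142.250.39:25, as a lookup table.
REDIRECTS = {("139.142.250.39", 25): ("192.168.1.2", 25)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out"
    syn: bool = True  # a bare SYN, i.e. what ipfw's "setup" matches


@dataclass(frozen=True)
class Rule:
    num: int
    action: str                      # "divert", "allow" or "deny"
    dport: Optional[int] = None      # None means "any"
    via: Optional[str] = None        # interface name or an address on it
    direction: Optional[str] = None  # "in", "out" or None for both
    setup: bool = False


def via_matches(via: Optional[str], pkt: Packet) -> bool:
    # ipfw's "via" accepts an interface name or an address configured on one.
    return via is None or via == pkt.iface or via in IFACES[pkt.iface]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.dport in (None, pkt.dport)
            and via_matches(rule.via, pkt)
            and rule.direction in (None, pkt.direction)
            and (not rule.setup or pkt.syn))


def natd_translate(pkt: Packet) -> Packet:
    # Simplified: only the inbound redirect is modelled.
    if pkt.direction == "in":
        target = REDIRECTS.get((pkt.dst, pkt.dport))
        if target:
            return replace(pkt, dst=target[0], dport=target[1])
    return pkt


def run_ipfw(rules, pkt, default="deny"):
    """Walk the rules in number order. A matching divert hands the packet
    to natd and processing resumes at the next rule with the translated
    packet; the first allow/deny ends the walk."""
    trace = []
    for rule in sorted(rules, key=lambda r: r.num):
        if not rule_matches(rule, pkt):
            continue
        if rule.action == "divert":
            pkt = natd_translate(pkt)
            trace.append((rule.num, "divert"))
            continue
        trace.append((rule.num, rule.action))
        return rule.action, pkt, trace
    return default, pkt, trace


# The two rules quoted in the post.
POSTED_RULES = [
    Rule(100, "divert", via="de0"),
    Rule(7000, "allow", dport=25, via="139.142.250.39", direction="in", setup=True),
]


def inbound_smtp(rules=POSTED_RULES):
    """SYN from a remote MTA (constructed address) to the alias, arriving on de0."""
    pkt = Packet("203.0.113.7", 40000, "139.142.250.39", 25, "de0", "in")
    return run_ipfw(rules, pkt)


def forward_to_lan(translated: Packet, rules=POSTED_RULES):
    """The same packet as the kernel sees it again on output via de1."""
    pkt = replace(translated, iface="de1", direction="out")
    return run_ipfw(rules, pkt)


if __name__ == "__main__":
    verdict, pkt, trace = inbound_smtp()
    print("inbound :", verdict, f"{pkt.dst}:{pkt.dport}", trace)
    print("outbound:", forward_to_lan(pkt)[0])
    # Hypothetical rule letting the translated packet out towards the LAN host.
    fixed = POSTED_RULES + [Rule(7100, "allow", dport=25, via="de1", direction="out")]
    print("outbound with rule 7100:", forward_to_lan(pkt, fixed)[0])
```

Run as a script to see the inbound walk (divert at 100, allow at 7000 against the translated destination) followed by the outbound pass on de1, which falls through to the default with the posted rules and passes once an `out via de1` rule is present. Whether the real ruleset on the box has such a rule is not something the post shows; the model only makes the two passes visible.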