Date: Thu, 8 Mar 2001 09:27:43 +0000
From: "Blair Sutton/Odey" <B.Sutton@odey.co.uk>
To: freebsd-ipfw@FreeBSD.ORG
Subject: Re: masquerade firewall as external host only on one port
Message-ID: <OF00807475.8881037A-ON80256A09.00336D3F@odey.co.uk>
Thank you Crist, I eventually got the thing working with your advice and also
noting that the initial clause "allow tcp from any to any established" had to
come after the natd statements, otherwise it would catch the return packets
from the natd established connection.

For future readers of this thread, make sure when you set up your ipfw rules
they occur in this order:

    divert natd tcp from ............      [ you may want to catch only ]
    divert natd tcp from ............      [ specific packets ]
    allow tcp from any to any established
    [ ENSURE YOUR NATD PORTS ARE ALLOWED HERE ]
    [ YOUR OTHER FIREWALL RULES HERE ]
    deny ip from any to any

"Crist J. Clark" <cjclark@reflexnet.net>
Sent by: owner-freebsd-ipfw@FreeBSD.ORG
08/03/2001 06:49
Please respond to cjclark

To:      Blair Sutton/Odey <B.Sutton@odey.co.uk>
cc:      freebsd-ipfw@FreeBSD.ORG
Subject: Re: masquerade firewall as external host only on one port

On Wed, Mar 07, 2001 at 11:53:33AM +0000, Blair Sutton/Odey wrote:
> hi,
>
> i am trying to set up a firewall router. it has some services running on
> it, squid, dns and ssh.
> what i would like is to get the firewall to trap all traffic originating
> from the internal net 192.168.0.0/24 and travelling to external internet
> machines on a port say 6666 and pass this on to natd. so natd can then
> translate the source address to the external IP of the firewall, say
> dc0/X.X.X.X. the internal address is say fxp0/Y.Y.Y.Y (within
> 192.168.0.0/24)

OK. So the internal machines can only reach the outside on HTTP through
a squid proxy except for one service going to port 6666 which will be
NAT'ed. Rather limited access, but hey, it's your net.

Instead of these,

> divert natd tcp from any to any 6666
> divert natd tcp from any 6666 to any

I think your NAT rules should be,

    divert natd tcp from 192.168.0.0/24 to any 6666 out via dc0
    divert natd tcp from any 6666 to X.X.X.X in via dc0

As for some of these others...
If you are only doing NAT on 6666, it does not make sense to let other
traffic out. You should be using 'via <interface>' a lot more in your
rules.
-- 
Crist J. Clark                           cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
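Added example, not code from the thread: a small first-match simulator in Python that models only the ipfw options the rules above use (direction, interface, addresses, ports and the TCP flag test behind 'established') and shows why the returning SYN/ACK bypasses natd when the established rule comes first. The addresses 203.0.113.1 and 198.51.100.7 are constructed placeholders for X.X.X.X and the external peer; natd's rewriting of the outgoing SYN is not modelled, only the rule lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")   # internal net from the thread
EXT_IP = "203.0.113.1"               # placeholder for the firewall's dc0 address (X.X.X.X)
PEER = "198.51.100.7"                # constructed external host listening on 6666


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str     # "in" or "out"
    iface: str         # interface ipfw sees the packet on
    ack_or_rst: bool   # what ipfw's 'established' keyword tests for on TCP

# Each rule is (action, predicate); predicates cover only the options the thread's rules use.
DIVERT_OUT = ("divert natd", lambda p: p.direction == "out" and p.iface == "dc0"
              and ip_address(p.src) in LAN and p.dport == 6666)
DIVERT_IN = ("divert natd", lambda p: p.direction == "in" and p.iface == "dc0"
             and p.sport == 6666 and p.dst == EXT_IP)
ESTABLISHED = ("allow", lambda p: p.ack_or_rst)
DENY_ALL = ("deny", lambda p: True)

ORDER_FROM_THREAD = [DIVERT_OUT, DIVERT_IN, ESTABLISHED, DENY_ALL]
ESTABLISHED_FIRST = [ESTABLISHED, DIVERT_OUT, DIVERT_IN, DENY_ALL]


def first_match(rules, pkt):
    """ipfw semantics: the first rule whose predicate accepts the packet decides its fate."""
    for action, pred in rules:
        if pred(pkt):
            return action
    return "deny"   # implicit default-deny at the end of the chain

# Constructed packets: the client's SYN leaving via dc0, and the peer's SYN/ACK coming back.
SYN_OUT = Packet("192.168.0.10", 40000, PEER, 6666, "out", "dc0", ack_or_rst=False)
SYNACK_IN = Packet(PEER, 6666, EXT_IP, 40000, "in", "dc0", ack_or_rst=True)


def compare_orders():
    """Return the action each rule ordering gives the returning SYN/ACK."""
    return {"thread order": first_match(ORDER_FROM_THREAD, SYNACK_IN),
            "established first": first_match(ESTABLISHED_FIRST, SYNACK_IN)}


if __name__ == "__main__":
    for name, action in compare_orders().items():
        print(f"{name:18s} -> {action}")   # established first -> allow (never un-NATed)
```

With the established rule first, the reply is accepted by the firewall's own stack instead of being handed to natd, so the internal client never sees it; the outgoing SYN is unaffected because it carries neither ACK nor RST.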
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OF00807475.8881037A-ON80256A09.00336D3F>