From: Martin Welk
Reply-To: mw@freibergnet.de
Organization: FreibergNet Systemhaus / Liebscher & Partner
To: Roelof Osinga
Cc: FreeBSD Stable
Subject: RE: ifpw forwarding problem
Date: Wed, 08 Dec 1999 09:32:43 +0100 (CET)
In-Reply-To: <384DE84E.8285191E@nisser.com>
X-Mailer: XFMail 1.3.1 [p0] on FreeBSD

Dear Roelof,

on 08-Dec-99 Roelof Osinga wrote:

> natd is running with -same_ports -use_sockets on ep1

This seems to be right.

> The command I'm issuing is:
>
> ipfw add 2000 fwd 10.0.0.3,80 tcp from any to 10.0.0.55 8080 in via ep0
>
> Though accepted it will not redirect. The 10.0.0.3:80 does answer
> when queried directly:
>
> nisser:/root/bin$ telnet 10.0.0.55 8080
> Trying 10.0.0.55...
> telnet: Unable to connect to remote host: Connection refused
>
> nisser:~# ipfw list
> 00100 divert 8668 ip from any to any via ep1
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 01000 deny tcp from any to any 23,143,110,79,111 in recv ep1
> 01000 deny tcp from any to any 5800,5801,5802,5900,5901,5902 in recv ep1
> 02000 fwd 10.0.0.3,80 tcp from any to 10.0.0.55 8080 in recv ep0
> 65000 allow ip from any to any
> 65535 deny ip from any to any

Your problem is, that forwarding packets by rules to other hosts is not the
same as forwarding packets to hosts through a NAT environment.

Look at the natd man page, search for the redirect options mentioned there.

In my case, there's a FreeBSD machine doing NAT here. It has two IP addresses
on the outer world interface, but this shouldn't be a significant difference.
I have a file named natd.conf that's loaded on startup doing a
"natd -f natd.conf" - you may put it somewhere in the file system where you
like it and use the absolute path, I've chosen /etc.

    use_sockets
    same_ports
    port 8668
    deny_incoming no
    alias_address aaa.aaa.aaa.aaa
    redirect_port tcp bbb.bbb.bbb.bbb:5900 aaa.aaa.aaa.aaa:5900

In this case, the port 5900 (which is by default used for a first VNC session)
is redirected to an internal Windows box that can be accessed this way.
aaa.aaa.aaa.aaa is the external network address of the router,
bbb.bbb.bbb.bbb the internal host (192.168...)

You need to do that this way in a NAT'ed environment because someone has to
change the IP addresses as they are needed to make it work properly.

For the ipfw setup, a directive like

    divert 8668 all from any to any
    allow ip from any to any

will do the job, although all packets pass natd this way. But if it works in
this case, you have now a good starting point to do more :-)

No RTFM intended, but I found the following man pages very helpful when I
started with ipfw/natd and so on: divert(4), dummynet(4), ipfw(8),
ipfirewall(4). Although dummynet has to do with bandwidth limiting and
delaying (this is integrated into the IPFW functionality), it gives some
further information that helps to understand how packets pass through the
firewall.

Regards,
Martin

--
FreibergNet Systemhaus GbR                  Martin Welk * Sales, Support
Systemhaus für Daten- und Netzwerktechnik   phone +49 3731 781387
Unternehmensgruppe Liebscher & Partner      fax   +49 3731 781377
D-09599 Freiberg * Am St. Niclas Schacht 13 http://www.freibergnet.de/
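As an added illustration of Martin's point (not code from either message), here is a small Python script that takes an `ipfw list` dump like the one quoted above, rewrites each `fwd` rule into the natd `redirect_port` line that actually rewrites addresses for a host behind NAT, and checks that a `divert` rule exists so natd sees the packets at all. The rule listing is a constructed copy of the quoted one; the regexes only cover the rule forms seen in this thread.

```python
"""Turn ipfw 'fwd' rules into the natd redirect_port lines that work behind
NAT, and check that a divert rule hands packets to natd at all."""
import re

# Constructed sample: the 'ipfw list' output quoted in the thread.
IPFW_LIST = """\
00100 divert 8668 ip from any to any via ep1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
01000 deny tcp from any to any 23,143,110,79,111 in recv ep1
02000 fwd 10.0.0.3,80 tcp from any to 10.0.0.55 8080 in recv ep0
65000 allow ip from any to any
65535 deny ip from any to any
"""

# 'fwd <host>,<port> <proto> from any to <addr> <port>' as written above.
FWD_RE = re.compile(r"^(?P<num>\d+) fwd (?P<dst>[\d.]+),(?P<dport>\d+) "
                    r"(?P<proto>tcp|udp) from \S+ to (?P<alias>[\d.]+) (?P<aport>\d+)")
DIVERT_RE = re.compile(r"^\d+ divert (?P<port>\d+) ")

def divert_port(listing):
    """Port of the first divert rule (must equal natd's 'port'), or None."""
    for line in listing.splitlines():
        m = DIVERT_RE.match(line)
        if m:
            return int(m.group("port"))
    return None

def to_redirect_port(rule):
    """natd syntax: redirect_port proto target:port alias:port. The alias
    address must be one natd owns (alias_address / the outer interface)."""
    return (f"redirect_port {rule['proto']} {rule['dst']}:{rule['dport']} "
            f"{rule['alias']}:{rule['aport']}")

def convert(listing):
    """Return (natd.conf lines, warnings) for every fwd rule in the listing."""
    lines, warnings = [], []
    if divert_port(listing) is None:
        warnings.append("no divert rule: natd never sees any packet")
    for line in listing.splitlines():
        m = FWD_RE.match(line)
        if m:
            rule = m.groupdict()
            lines.append(to_redirect_port(rule))
            warnings.append(f"rule {rule['num']}: fwd changes the next hop, "
                            "not the destination address; use natd instead")
    return lines, warnings
```

Run `convert(IPFW_LIST)` to get the `redirect_port` line for the quoted `fwd` rule plus a warning explaining why the `fwd` rule cannot do the job on its own.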