From: Mamontov Roman <mr.xanto@gmail.com>
To: freebsd-ipfw@freebsd.org
Date: Mon, 19 Jul 2010 09:26:44 +0400
Subject: Problem with ipfw nat and packet to local services
Message-ID: <893037983.20100719092644@gmail.com>
In-Reply-To: <20100715183743.S86988@sola.nimnet.asn.au>
References: <1931583025.20100715114512@gmail.com> <20100715183743.S86988@sola.nimnet.asn.au>
List-Id: IPFW Technical Discussions

Hello, Ian.

> UDP port 33564 on this box (xxx.xxx.xxx.xxx) is not redirected to any
> other address:port, and you have specified deny_in (-deny_incoming in
> natd-speak) so, well, you got what you asked for ..
>
> See the description under -deny_incoming and the explanation of what
> happens to incoming packets under -alias_address in natd(8) .. the nat
> description in ipfw(8) is still a bit thin, so natd(8) is still useful.
>
> Without deny_in, new inbound packets should be passed to the local
> machine - so you will then need firewall rules to restrict which local
> ports are to be accessible for connections from the outside.
>
> cheers, Ian

I removed the deny_in option from the nat configuration, but inbound packets are not passed to the local services.

# ipfw nat show config
ipfw nat 1 config ip xxx.xxx.xxx.xxx

# ipfw show
00035      59     4703 nat 1 log ip from any to any via ext_if1
65000     510    44734 allow ip from any to any
65535   58083 11212917 deny ip from any to any

--
Best regards,
Mamontov Roman                          mailto:mr.xanto@gmail.com
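An added example, not code from this thread or from the FreeBSD project, of the kind of ruleset Ian's reply asks for: ipfw nat configured without deny_in, followed by rules that decide which local ports the outside may reach. The interface name ext_if1 is taken from the ruleset above; the address 203.0.113.10 (RFC 5737 documentation range, standing in for xxx.xxx.xxx.xxx), the int_if0 interface, the 192.168.1.0/24 LAN and the port lists are assumptions. The script sets net.inet.ip.fw.one_pass=0 because with the default of 1 a packet that matches the nat rule leaves the firewall right there and no later allow or deny rule ever sees the translated inbound packet. With DRY_RUN=1 set it only prints the commands it would run, so the ruleset can be reviewed on a machine without ipfw.

```shell
#!/bin/sh
# Added example: ipfw nat without deny_in plus explicit rules for which
# local ports the outside may reach. Not code from the thread or FreeBSD.
# Assumptions: ext_if1 (from the thread), int_if0, 192.168.1.0/24 and
# 203.0.113.10 are placeholders; adjust before use.
# DRY_RUN=1 prints every command instead of executing it.

EXT_IF="${EXT_IF:-ext_if1}"
INT_IF="${INT_IF:-int_if0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
INBOUND_TCP="${INBOUND_TCP:-22 80}"   # local TCP services the outside may reach
INBOUND_UDP="${INBOUND_UDP:-}"        # local UDP services; none by default

run() {
    if [ -n "${DRY_RUN-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

load_ruleset() {
    ipfw="${IPFW:-/sbin/ipfw}"
    run "$ipfw" -q -f flush

    # With one_pass=1 (the default) a packet that matches the nat rule exits
    # the firewall immediately; with 0 it is re-injected at the next rule,
    # so the allow/deny rules below see the translated packet.
    run sysctl net.inet.ip.fw.one_pass=0

    # No deny_in: an inbound packet with no alias entry and no redirect is
    # handed to the local host untranslated, and the rules decide its fate.
    run "$ipfw" nat 1 config ip "$EXT_IP" same_ports

    run "$ipfw" add 100 allow ip from any to any via lo0
    run "$ipfw" add 110 allow ip from any to any via "$INT_IF"

    # Translate everything crossing the external interface, both directions.
    run "$ipfw" add 200 nat 1 ip from any to any via "$EXT_IF"

    # Outbound traffic, now carrying EXT_IP as its source.
    run "$ipfw" add 300 allow ip from any to any out via "$EXT_IF"

    # Inbound packets the nat rewrote to a LAN address belong to sessions the
    # nat table already knows (or to redirect_port targets); untranslated
    # packets still carry EXT_IP and fall through to the rules below.
    run "$ipfw" add 400 allow ip from any to "$LAN_NET" in via "$EXT_IF"

    # Inbound to this host itself: established TCP, replies to its own DNS
    # lookups (stateless rule, so be deliberate about it), then only the
    # listed ports for new connections.
    run "$ipfw" add 500 allow tcp from any to "$EXT_IP" in via "$EXT_IF" established
    run "$ipfw" add 501 allow udp from any 53 to "$EXT_IP" in via "$EXT_IF"
    rule=510
    for p in $INBOUND_TCP; do
        run "$ipfw" add $rule allow tcp from any to "$EXT_IP" "$p" in via "$EXT_IF" setup
        rule=$((rule + 1))
    done
    for p in $INBOUND_UDP; do
        run "$ipfw" add $rule allow udp from any to "$EXT_IP" "$p" in via "$EXT_IF"
        rule=$((rule + 1))
    done

    # Echo replies, unreachables (path MTU) and time-exceeded for traceroute.
    run "$ipfw" add 600 allow icmp from any to any icmptypes 0,3,11

    # Everything else arriving from outside is logged and dropped; the
    # implicit 65535 deny would drop it anyway, the log entry is the point.
    run "$ipfw" add 900 deny log ip from any to any in via "$EXT_IF"
}

# Only touch the live firewall when explicitly asked, e.g. APPLY=1 sh nat-rules.sh
if [ -n "${APPLY-}" ]; then
    load_ruleset
fi
```

Review it first with `DRY_RUN=1 APPLY=1 sh nat-rules.sh`; the printed lines are exactly what the live run would execute. Because the rules are stateless, a new service on this host needs its port added to INBOUND_TCP or INBOUND_UDP, otherwise rule 900 logs and drops the connection attempt.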