Date: Sat, 15 Jan 2000 20:49:22 -0500 (EST)
From: "Crist J. Clark" <cjc@cc942873-a.ewndsr1.nj.home.com>
To: jeff@nerdpower.com (Jeff Lush)
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd and ipfw redirection
Message-ID: <200001160149.UAA53586@cc942873-a.ewndsr1.nj.home.com>
In-Reply-To: <00011413030805.01757@smithers.nerdpower.org> from Jeff Lush at "Jan 14, 2000 12:19:39 pm"
Jeff Lush wrote,
> Hello,
>
> I am using FreeBSD to set up a firewall with nat. Essentially, what I would like
> to do is have nat translate from private to public IPs, use ipfw for
> firewall rules and allow for IP redirection into the LAN for some services such
> as SMTP.
>
> So far, I have nat working and have firewall rules set up accordingly to block
> unwanted incoming traffic. Where my difficulties arise are with (I believe)
> ipfw. Here's my setup:
>
> In the rc.conf, I have set up an IP bound to de0 and an alias IP for SMTP
> traffic:
> ifconfig_de0="inet 139.142.250.29 netmask 255.255.255.192"
> ifconfig_de0_alias0="inet 139.142.250.39 netmask 255.255.255.255"
> ifconfig_de1="inet 192.168.1.1 netmask 255.255.255.0"

Not sure why you need an extra IP number for the SMTP traffic, but OK.

> In the rc.firewall I have these rules relating to redirection:
> ipfw add 100 divert natd all from any to any via de0   # Pass everything to natd
>
> Further down the ruleset I then have:
> ipfw add 7000 allow tcp from any to any 25 in via 139.142.250.39 setup   # Allow
> tcp traffic in on port 25 from 139.142.250.39

That's an odd rule. You do realize that it passes _all_ SMTP traffic that
comes in from the outside world, right?

> I then start natd with:
> natd -redirect_port tcp 192.168.1.2:25 139.142.250.39:25

I hope you really mean,

  # natd -n de0 -u -redirect_port tcp 192.168.1.2:25 139.142.250.39:25

> In my opinion, this appears to be correct, but obviously it is not. I feel the
> problem is in the firewall rules. I compiled the kernel with 'option
> IPFIREWALL_FORWARD', but I'm not sure how it will work with nat. The rule I
> have in mind is:
> ipfw add 200 fwd 192.168.1.2 all from de0 to de1

That is not what you want to do.

> My thinking is this is what natd is supposed to do.
>
> I know something is missing, I just don't know what. Any help that can be
> offered would be very much appreciated. I can include more from my conf files
> if necessary.
I'd offer more help, but you never actually told us what was or was not
working.

-- 
Crist J. Clark                           cjclark@home.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
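A complete rule set for the setup discussed above, as an added example from the editor and not code from either message in the thread. It keeps the interface names and addresses from Jeff's rc.conf; the rule numbers, the loopback and anti-spoof rules, the matching rc.conf natd entries, the IPFW variable that allows a dry run, and the rc.firewall.local file name are all assumptions. The point it shows is the one Crist raises: natd at rule 100 rewrites 139.142.250.39:25 to 192.168.1.2:25 before the packet re-enters the rule set at 101, so the SMTP allow rule can match the internal destination instead of "to any 25".

```shell
#!/bin/sh
# Added example, not from either message in the thread.
# ipfw + natd rule set for the configuration Jeff described: de0 is the
# outside interface (139.142.250.29, alias 139.142.250.39), de1 is the LAN
# (192.168.1.0/24), and 192.168.1.2 is the internal mail host. Everything
# else here (rule numbers, the anti-spoof rule, the IPFW variable) is the
# editor's choice, not something the thread states.
#
# Assumed matching rc.conf entries, so that natd runs with -n de0 -u:
#   natd_enable="YES"
#   natd_interface="de0"
#   natd_flags="-u -redirect_port tcp 192.168.1.2:25 139.142.250.39:25"

IPFW=${IPFW:-/sbin/ipfw}   # set IPFW=echo to print the rules instead of loading them
EXT_IF=de0
INT_IF=de1
EXT_IP=139.142.250.29
LAN=192.168.1.0/24
MAILHOST=192.168.1.2

install_rules() {
    $IPFW -f flush

    # Loopback traffic, and nothing addressed to 127/8 from the wire.
    $IPFW add 10 allow ip from any to any via lo0
    $IPFW add 20 deny ip from any to 127.0.0.0/8

    # Every packet crossing de0 goes to natd. An inbound packet for
    # 139.142.250.39:25 comes back at rule 101 with its destination already
    # rewritten to 192.168.1.2:25; an outbound LAN packet comes back with
    # source 139.142.250.29.
    $IPFW add 100 divert natd all from any to any via $EXT_IF

    # Private source addresses must not arrive from the outside.
    $IPFW add 200 deny ip from $LAN to any in via $EXT_IF

    # Packets of established TCP sessions, in either direction. This is what
    # lets the mail host's SYN/ACK and data flow back out through natd.
    $IPFW add 300 allow tcp from any to any established

    # LAN hosts may open connections outward: first as they enter via de1,
    # then, after natd has rewritten the source, as they leave via de0.
    $IPFW add 400 allow ip from $LAN to any in via $INT_IF
    $IPFW add 410 allow ip from $EXT_IP to any out via $EXT_IF

    # Inbound SMTP. The thread's rule "allow tcp from any to any 25 in via
    # 139.142.250.39 setup" admits every SMTP SYN; matching the post-natd
    # destination limits it to the redirected mail host.
    $IPFW add 7000 allow tcp from any to $MAILHOST 25 in via $EXT_IF setup
    $IPFW add 7010 allow tcp from any to $MAILHOST 25 out via $INT_IF setup

    # Everything else is dropped (the kernel's default rule 65535 does the
    # same unless IPFIREWALL_DEFAULT_TO_ACCEPT is compiled in).
    $IPFW add 65000 deny ip from any to any
}

# "sh rc.firewall.local apply" loads the rules; with no argument the file
# only defines them, so it can be sourced or dry-run with IPFW=echo.
if [ "${1:-}" = "apply" ]; then
    install_rules
fi
```

Two caveats worth knowing before loading this. The rules are stateless, so only TCP replies get back in (via the `established` rule); UDP from the LAN, DNS included, leaves through rules 400 and 410 but its replies hit the final deny unless you add explicit rules for them. And the kernel needs IPDIVERT as well as IPFIREWALL, with natd already running before rule 100 is loaded, or packets diverted to a socket nobody holds are simply dropped.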