From owner-freebsd-questions@FreeBSD.ORG Sun Aug 10 22:40:08 2003
From: "liquid" <liquid@homebass.ca>
To: 'Mike Maltese'
Cc: freebsd-questions@freebsd.org
Date: Mon, 11 Aug 2003 01:40:18 -0400
Subject: RE: ipfilter - port forward question
Message-ID: <001101c35fcb$0c1246b0$6400a8c0@windows>
In-Reply-To: <004901c35ddc$209379b0$0701a8c0@darryl>

> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Darryl Hoar
> Sent: August 8, 2003 2:38 PM
> To: 'Mike Maltese'
> Cc: freebsd-questions@freebsd.org
> Subject: RE: ipfilter - port forward question
>
> Well,
> it does in fact use udp. Here is what I have done.
>
> Added to /etc/ipfilter.rules
>
> pass in quick on ep0 proto tcp from any to any port = 31240 keep state

You *did* in fact mean to say "pass in quick on ep0 proto udp from ..." (etc.)?

>
> Added to /etc/ipnat.rules
>
> rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

This appears to be OK.

>
> first question.
> I can reload the ipfilter rules with the
> ipf -Fa -f /etc/ipfilter.rules

You certainly can.

>
> how do I reload the ipnat rules ?
>
> I tried ipnat -F then
> ipnat -f /etc/ipnat.rules.

Try ipnat -CF -f /etc/ipnat.rules

>
> But when I did an ipnat -l it showed that it
> just added the new rdr (so I had two listed).
>
> I rebooted.
>
> External users still couldn't connect. So, I created a new
> ipfilter.rules file with:
> pass in quick on ep0 all keep state
> pass out quick on ep0 all keep state.
>
> reloaded the firewall rules. Users tried to connect but couldn't.
> When I looked at the nat table I saw:
>
> map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
> rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]
>
> I feel I'm close. What am I missing/screwing up ?
>
> thanks,
> Darryl
> Freebsd 4.7S

OK, you must be close. I'm not entirely sure why that wouldn't be working using the firewall rules you mentioned after rebooting. I've never forwarded anything other than tcp though, for basic stuff like www, smtp etc., so I'm unsure if ipnat is picky about udp traffic. I know that on my ipnat.rules I have this line, though it's unclear if it would make a difference:

map dc0 192.168.0.0/24 -> xx.xx.xx.xx/32 portmap tcp/udp 30000:50000

I strongly suggest you look at this site. I like to think I'm quite good with ipf/ipnat, and it's solely because of the knowledge of it I got out of the whitepaper located there:

www.obfuscation.org/ipf

HTH,
Sandro
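The first rule set in the thread fails for a simple reason: the ipf pass rule admits tcp while the ipnat rdr forwards udp, so the forwarded datagrams never match a pass rule. Below is an added example, not code from the thread or from the ipfilter project, of a shell check that cross-references an ipnat rules file against an ipf rules file and reports every rdr that has no matching inbound pass rule for the same interface, protocol and port. The file paths and rule contents are constructed for the example, and the script assumes that ipnat treats an rdr with no trailing protocol as tcp; it only understands single ports, not ranges.

```shell
#!/bin/sh
# Added example (not from the original thread): cross-check an ipf rules
# file against an ipnat rules file so that every rdr has a matching inbound
# pass rule for the same interface, protocol and port. The mismatch this
# catches is the one in the thread: rdr says udp, pass rule says tcp.
# Paths and sample rule contents below are constructed for the example.

# check_rdr_pass IPF_RULES IPNAT_RULES
# Exit status 0 if every rdr line is covered by a "pass in" rule, 1 otherwise;
# uncovered rdr entries are reported on stderr.
check_rdr_pass() {
    awk '
    # First file: ipnat rules. Collect one "ifc proto port" key per rdr line.
    FNR == NR {
        if ($1 != "rdr") next
        ifc = $2
        # Inbound NAT runs before the inbound filter, so the pass rule sees
        # the translated (internal) port; the last "port N" on the line is it.
        port = ""
        for (i = 2; i < NF; i++) if ($i == "port") port = $(i + 1)
        # Trailing protocol; assumption: ipnat treats a missing one as tcp.
        proto = ($NF ~ /^(tcp|udp|tcp\/udp)$/) ? $NF : "tcp"
        rdr[++n] = ifc " " proto " " port
        next
    }
    # Second file: ipf rules. Only inbound pass rules matter; a rule without
    # "proto"/"port" (e.g. "pass in quick on ep0 all") matches anything.
    $1 == "pass" && $2 == "in" {
        ifc = "any"; proto = "any"; port = "any"
        for (i = 3; i <= NF; i++) {
            if ($i == "on")    ifc   = $(i + 1)
            if ($i == "proto") proto = $(i + 1)
            if ($i == "port")  port  = ($(i + 1) == "=") ? $(i + 2) : $(i + 1)
        }
        pass[++m] = ifc " " proto " " port
    }
    END {
        missing = 0
        for (j = 1; j <= n; j++) {
            split(rdr[j], r, " "); ok = 0
            for (k = 1; k <= m; k++) {
                split(pass[k], p, " ")
                if ((p[1] == "any" || p[1] == r[1]) &&
                    (p[2] == "any" || p[2] == "tcp/udp" || p[2] == r[2]) &&
                    (p[3] == "any" || p[3] == r[3])) { ok = 1; break }
            }
            if (!ok) {
                printf "no inbound pass rule for: rdr on %s proto %s port %s\n",
                       r[1], r[2], r[3] > "/dev/stderr"
                missing++
            }
        }
        exit (missing > 0)
    }' "$2" "$1"
}

# Constructed sample files reproducing the thread's two rule sets.
tmp=$(mktemp -d)
cat > "$tmp/ipf.broken" <<'EOF'
# proto tcp here, but the rdr below forwards udp
pass in quick on ep0 proto tcp from any to any port = 31240 keep state
pass out quick on ep0 all keep state
EOF
cat > "$tmp/ipf.fixed" <<'EOF'
pass in quick on ep0 proto udp from any to any port = 31240 keep state
pass out quick on ep0 all keep state
EOF
cat > "$tmp/ipnat.rules" <<'EOF'
map ep0 192.168.1.0/24 -> 0/32 portmap tcp/udp 30000:50000
map ep0 192.168.1.0/24 -> 0/32
rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp
EOF

if check_rdr_pass "$tmp/ipf.broken" "$tmp/ipnat.rules"; then
    echo "broken set: unexpectedly consistent"
else
    echo "broken set: mismatch found (as expected)"
fi
check_rdr_pass "$tmp/ipf.fixed" "$tmp/ipnat.rules" && echo "fixed set: consistent"

# Once the files agree, load them in this order (as root, on the firewall):
#   ipf -Fa -f /etc/ipfilter.rules     # flush and reload filter rules
#   ipnat -CF -f /etc/ipnat.rules      # flush NAT rules and sessions, reload
#   ipnat -l                           # confirm exactly one rdr is listed
```

The check reflects the processing order that matters here: on an inbound packet ipnat rewrites the destination before ipf evaluates the pass rules, so the pass rule must match the post-translation destination and port (a "to any" rule does). It also accepts the catch-all "pass in quick on ep0 all keep state" from the thread, which is why that second attempt cannot be blamed on the filter side.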