From: "Derrick Ryalls"
To: "'freebsd-questions'"
Date: Fri, 27 Feb 2004 09:47:50 -0800
Subject: Firewall blocking natd redirect

I have a port redirect, public port 5001 to an internal machine port 3389, for
Remote Desktop that works well in natd as long as I don't fire up my custom
firewall:

00050    234    27286 divert 8668 ip from any to any via sis0
00100     24     6080 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300      0        0 deny ip from 127.0.0.0/8 to any
00400      0        0 check-state
00500      2      186 allow ip from 192.168.1.1 to 192.168.1.0/24
00600      4      266 allow ip from 192.168.1.0/24 to 192.168.1.1
00700     34     3399 allow ip from any to any keep-state in recv dc0
00800     18     2093 allow ip from any to any keep-state out xmit sis0
00900      0        0 allow ip from any to any keep-state out xmit dc0
01000      0        0 allow ip from any to 0.0.0.255:0.0.0.255 in recv dc0
01100      0        0 allow ip from 192.168.1.1 to any keep-state
01200      0        0 allow udp from any to any 53 keep-state
01300      0        0 allow tcp from any to any 53 keep-state
01400      0        0 allow udp from any to any 25 keep-state
01500      0        0 allow tcp from any to any 25 keep-state
01600      0        0 allow tcp from any to any 993 keep-state
01700    188    18936 allow tcp from any to any 22 keep-state
01800      0        0 allow tcp from any to any 80 keep-state
01900      0        0 allow tcp from any to any 5001 keep-state
65535 173082 56255563 deny ip from any to any

sis0 is the public interface and dc0 is the internal. Right now I don't mind so
much having redundant rules, but I would like my functionality back without
doing an allow from any to any. Any ideas on what I am missing?
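A way to see what the ruleset above does to the redirected connection is to walk it rule by rule for one inbound packet, applying the natd rewrite at the divert rule the way the kernel re-injects a diverted packet at the next rule. The script below is an added example, not part of the original message or of FreeBSD; it models only the inbound pass on sis0, assumes no dynamic state exists yet (so check-state matches nothing), and uses constructed placeholder addresses (198.51.100.5 for the public side, 192.168.1.50 for the Remote Desktop host, 203.0.113.10 as the remote client) because the post does not give them. It walks the same packet twice, once to port 22 and once to port 5001, so the two outcomes can be compared.

```python
"""Walk the posted ipfw ruleset for an inbound packet, applying the natd
redirect at the divert rule, and report which rule finally decides it.
Added example, not from the original post. Simplifications: only the inbound
pass through the ruleset is modelled, there is no dynamic state yet, and the
addresses are constructed placeholders."""
import ipaddress
from dataclasses import dataclass, replace

# Ruleset from the post, counters stripped.
RULESET = """
00050 divert 8668 ip from any to any via sis0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 check-state
00500 allow ip from 192.168.1.1 to 192.168.1.0/24
00600 allow ip from 192.168.1.0/24 to 192.168.1.1
00700 allow ip from any to any keep-state in recv dc0
00800 allow ip from any to any keep-state out xmit sis0
00900 allow ip from any to any keep-state out xmit dc0
01000 allow ip from any to 0.0.0.255:0.0.0.255 in recv dc0
01100 allow ip from 192.168.1.1 to any keep-state
01200 allow udp from any to any 53 keep-state
01300 allow tcp from any to any 53 keep-state
01400 allow udp from any to any 25 keep-state
01500 allow tcp from any to any 25 keep-state
01600 allow tcp from any to any 993 keep-state
01700 allow tcp from any to any 22 keep-state
01800 allow tcp from any to any 80 keep-state
01900 allow tcp from any to any 5001 keep-state
65535 deny ip from any to any
"""

# Constructed placeholder addresses (not given in the post).
PUBLIC_IP = "198.51.100.5"             # address on sis0
RDP_HOST = "192.168.1.50"              # internal Remote Desktop machine
REDIRECTS = {5001: (RDP_HOST, 3389)}   # natd redirect_port, public -> internal

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str       # interface the packet is on

def parse_addr(tok):
    """Return (network_int, mask_int); ipfw accepts any, addr/len and addr:mask."""
    if tok == "any":
        return 0, 0
    if "/" in tok:
        ip, plen = tok.split("/")
        mask = (0xFFFFFFFF << (32 - int(plen))) & 0xFFFFFFFF
    elif ":" in tok:
        ip, m = tok.split(":")
        mask = int(ipaddress.IPv4Address(m))
    else:
        ip, mask = tok, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(ip)) & mask, mask

def parse_rule(line):
    t = line.split()
    rule = {"num": int(t[0]), "action": t[1], "dport": None,
            "direction": None, "ifmode": None, "iface": None}
    if rule["action"] == "check-state":
        return rule
    i = 3 if rule["action"] == "divert" else 2   # divert carries a port first
    rule["proto"] = t[i]
    rule["src"], rule["dst"] = parse_addr(t[i + 2]), parse_addr(t[i + 4])
    rest = t[i + 5:]
    while rest:
        tok = rest.pop(0)
        if tok.isdigit():
            rule["dport"] = int(tok)
        elif tok in ("in", "out"):
            rule["direction"] = tok
        elif tok in ("recv", "xmit", "via"):
            rule["ifmode"], rule["iface"] = tok, rest.pop(0)
    return rule

def matches(rule, pkt):
    if rule["action"] == "check-state":
        return False                       # no dynamic state in this model
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    for key, ip in (("src", pkt.src), ("dst", pkt.dst)):
        net, mask = rule[key]
        if int(ipaddress.IPv4Address(ip)) & mask != net:
            return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["direction"] and rule["direction"] != pkt.direction:
        return False
    if rule["ifmode"] == "via" and rule["iface"] != pkt.iface:
        return False
    if rule["ifmode"] == "recv" and not (pkt.direction == "in" and pkt.iface == rule["iface"]):
        return False
    if rule["ifmode"] == "xmit" and not (pkt.direction == "out" and pkt.iface == rule["iface"]):
        return False
    return True

def walk(pkt, ruleset=RULESET):
    """Return (deciding rule number, action, packet as the deciding rule saw it)."""
    for rule in (parse_rule(l) for l in ruleset.strip().splitlines()):
        if not matches(rule, pkt):
            continue
        if rule["action"] == "divert":
            # natd rewrites the destination and re-injects at the next rule.
            if pkt.direction == "in" and pkt.dport in REDIRECTS:
                host, port = REDIRECTS[pkt.dport]
                pkt = replace(pkt, dst=host, dport=port)
            continue
        return rule["num"], rule["action"], pkt
    return None

if __name__ == "__main__":
    for port in (22, 5001):
        num, act, seen = walk(Packet("tcp", "203.0.113.10", PUBLIC_IP, port, "in", "sis0"))
        print(f"port {port}: rule {num} {act} (packet seen as {seen.dst}:{seen.dport})")
```

Running it shows the port 22 packet accepted by rule 01700, while the port 5001 packet leaves the divert rule rewritten to 192.168.1.50:3389 and then matches nothing until the default deny: rule 01900 is consulted after natd has already changed the destination port, and rule 00700 only covers packets received on dc0.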