From: Brent Kearney <brent@kearneys.ca>
To: Gavin Cameron <gavin@itworks.com.au>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: IPFW question
Date: Mon, 20 Mar 2000 00:44:40 -0800
Message-ID: <20000320004440.A60597@kearneys.ca>
X-Mailer: Mutt 1.0i

On Sun, Mar 19, 2000 at 09:03:40PM +1100, Gavin Cameron wrote:
> Hi all,
>
> I have the following turned on in my kernel under 4.0-RELEASE
>
> options IPFIREWALL                   #firewall
> options IPFIREWALL_VERBOSE           #print information about
>                                      # dropped packets
> options IPFIREWALL_FORWARD           #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100 #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT #allow everything by default
> options IPDIVERT                     #divert sockets
> options IPSTEALTH                    #support for stealth forwarding
>
> And if I do the following
>
> ipfw add 100 divert 23 log tcp from mach1 to mach2 80
>
> Then I think that if I telnet from mach1 to mach2 on port 80 then I expect
> to see a telnet session start up.
>

In your /etc/rc.conf, put:

    natd_interface="ed0"        # Assuming ed0 is your outside interface
    natd_enable="YES"
    natd_flags="-n ed0 -log_denied -f /etc/natd.conf"
    firewall_enable="YES"
    firewall_type="open"        # See rc.firewall for the meaning of 'open'
    firewall_quiet="YES"

In your /etc/natd.conf, put:

    redirect_port tcp mach2:telnet mach1:http
    redirect_port udp mach2:telnet mach1:http

In the above, you can substitute `23' for the word `telnet', and `80' for
the word `http' if you like. But the words work fine as long as you have a
normal /etc/services.

If you are running natd, and a restrictive firewall, then you will also
need ipfw adjustments:

    # Allow connections to port 80 for telnet access to mach2
    # (here assuming mach2 is 192.168.2.2)
    $fwcmd add pass tcp from any to ${oip} http setup
    $fwcmd add pass tcp from any to 192.168.2.2 telnet setup

Though I assumed firewall type 'open' in my example rc.conf lines above,
and I notice you have default to allow in your kernel, so it's probably
the case that you do NOT have a restrictive firewall, and thus do not
require the above-mentioned firewall rules.

> Am I right in the way that I read the divert line?
>

By default (in 3.4, at least) the divert line in rc.firewall will divert
all incoming packets to natd before anything else:

    ############
    # These rules are required for using natd. All packets are passed to
    # natd before they encounter your remaining rules. The firewall rules
    # will then be run again on each packet after translation by natd,
    # minus any divert rules (see natd(8)).
    if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
    fi

Good luck!

-Brent
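The following is an added example, not code from the message above or from FreeBSD's rc.firewall or natd. It is a dry-run renderer for the configuration discussed in the thread: it expands the service names in the natd.conf redirect_port lines into port numbers (the resolution natd performs via /etc/services), and it emits the natd divert rule under the same guard that the quoted rc.firewall fragment uses. The /etc/services table, the natd.conf lines and the hostnames mach1/mach2 are constructed from the thread, and fwcmd is set to "echo ipfw", so nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).
# Dry-run renderer for the natd/ipfw settings discussed in the thread.
# fwcmd is "echo ipfw", so rules are printed rather than installed.

fwcmd='echo ipfw'

# Constructed stand-in for /etc/services ("name port/proto") so the script
# runs offline and on non-BSD hosts; only the entries the thread needs.
SERVICES='ftp 21/tcp
ssh 22/tcp
telnet 23/tcp
telnet 23/udp
domain 53/udp
http 80/tcp
http 80/udp'

# port_of NAME PROTO: print the port number for NAME over PROTO.
# A purely numeric NAME passes through unchanged (natd accepts numbers too);
# an unknown name prints nothing.
port_of() {
    case "$1" in
        ''|*[!0-9]*) ;;               # not a number: look it up below
        *) echo "$1"; return 0 ;;     # already numeric
    esac
    printf '%s\n' "$SERVICES" |
        awk -v n="$1" -v p="$2" '$1 == n && $2 ~ ("/" p "$") {
            split($2, a, "/"); print a[1]; exit }'
}

# expand_redirect 'redirect_port PROTO target:port alias:port'
# Prints the same natd.conf line with both ports numeric; fails (status 1)
# on a malformed line or a service name missing from the table.
expand_redirect() {
    set -- $1
    if [ "$1" != redirect_port ] || [ $# -ne 4 ]; then
        echo "not a redirect_port line: $*" >&2
        return 1
    fi
    proto=$2 tgt=$3 als=$4
    tport=$(port_of "${tgt##*:}" "$proto")
    aport=$(port_of "${als##*:}" "$proto")
    if [ -z "$tport" ] || [ -z "$aport" ]; then
        echo "unknown service name in: $*" >&2
        return 1
    fi
    echo "redirect_port $proto ${tgt%:*}:$tport ${als%:*}:$aport"
}

# natd_divert_rule NATD_ENABLE NATD_INTERFACE
# Applies the same test rc.firewall uses before adding its divert rule:
# the rule is emitted only when natd_enable is YES and an interface is set.
natd_divert_rule() {
    natd_enable=$1
    natd_interface=$2
    if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
    fi
}

# Constructed natd.conf holding the two lines from the message.
NATD_CONF='redirect_port tcp mach2:telnet mach1:http
redirect_port udp mach2:telnet mach1:http'

# render_all NATD_ENABLE NATD_INTERFACE: expanded natd.conf, then the
# divert rule rc.firewall would add for that rc.conf setting.
render_all() {
    printf '%s\n' "$NATD_CONF" | while IFS= read -r line; do
        if [ -n "$line" ]; then expand_redirect "$line"; fi
    done
    natd_divert_rule "${1:-YES}" "${2:-ed0}"
}

render_all YES ed0
```

Run as-is it prints the two redirect_port lines with 23 and 80 substituted, followed by the divert rule for ed0; setting natd_enable to anything other than YES, or leaving the interface empty, suppresses the divert rule exactly as rc.firewall does, which is a quick way to confirm the rc.conf values before rebooting into them.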