Date:      Mon, 20 Mar 2000 00:44:40 -0800
From:      Brent Kearney <brent@kearneys.ca>
To:        Gavin Cameron <gavin@itworks.com.au>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject:   Re: IPFW question
Message-ID:  <20000320004440.A60597@kearneys.ca>
In-Reply-To: <Pine.BSF.4.21.0003192056280.11948-100000@maybe.itworks.com.au>; from gavin@itworks.com.au on Sun, Mar 19, 2000 at 09:03:40PM +1100
References:  <Pine.BSF.4.21.0003192056280.11948-100000@maybe.itworks.com.au>



On Sun, Mar 19, 2000 at 09:03:40PM +1100, Gavin Cameron wrote:
> Hi all,
>
> I have the following turned on in my kernel under 4.0-RELEASE
>
> 	options         IPFIREWALL              #firewall
> 	options         IPFIREWALL_VERBOSE      #print information about dropped packets
> 	options         IPFIREWALL_FORWARD      #enable transparent proxy support
> 	options         IPFIREWALL_VERBOSE_LIMIT=100    #limit verbosity
> 	options         IPFIREWALL_DEFAULT_TO_ACCEPT    #allow everything by default
> 	options         IPDIVERT                #divert sockets
> 	options         IPSTEALTH               #support for stealth forwarding
>
> And if I do the following
>
> 	ipfw add 100 divert 23 log tcp from mach1 to mach2 80
>
> Then I think that if I telnet from mach1 to mach2 on port 80 then I expect
> to see a telnet session start up.
>

In your /etc/rc.conf, put:
natd_interface="ed0"	# Assuming ed0 is your outside interface
natd_enable="YES"
natd_flags="-n ed0 -log_denied -f /etc/natd.conf"
firewall_enable="YES"
firewall_type="open"	# See rc.firewall for the meaning of 'open'
firewall_quiet="YES"

In your /etc/natd.conf, put:
redirect_port tcp mach2:telnet mach1:http
redirect_port udp mach2:telnet mach1:http

In the above, you can substitute `23' for the word `telnet', and `80'
for the word `http' if you like.  But the words work fine as long as
you have a normal /etc/services.  If you are running natd, and a
restrictive firewall, then you will also need ipfw adjustments:

    # Allow connections to port 80 for telnet access to mach2
    # (here assuming mach2 is 192.168.2.2)
    $fwcmd add pass tcp from any to ${oip} http setup
    $fwcmd add pass tcp from any to 192.168.2.2 telnet setup

Though I assumed firewall type 'open' in my example rc.conf lines
above, and I notice you have default to allow in your kernel, so
it's probably the case that you do NOT have a restrictive firewall,
and thus do not require the above-mentioned firewall rules.

> Am I right in the way that I read the divert line?
>

By default (in 3.4, at least) the divert line in rc.firewall will
divert all incoming packets to natd before anything else:

############
# These rules are required for using natd.  All packets are passed to
# natd before they encounter your remaining rules.  The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
        $fwcmd add divert natd all from any to any via ${natd_interface}
fi

Good luck!

-Brent
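As an added example (not part of this thread or of FreeBSD), a small Python parser for the subset of ipfw rule syntax that appears in the messages above. It makes the point of the thread explicit: in `divert 23 log tcp from mach1 to mach2 80`, the `23` is the divert(4) socket port that natd would bind to, while the `80` is the TCP destination port being matched; the two are unrelated. The parser and its field names are assumed helpers written for this illustration, not an ipfw tool.

```python
# Subset of the ipfw(8) 'add' grammar used in this thread:
#   [ipfw|$fwcmd] add [NUM] ACTION [log] PROTO from SRC [PORT] to DST [PORT] [setup] [via IFACE]
# ACTION is pass/allow/deny or 'divert PORT'. The PORT after 'divert' is the divert(4)
# socket port that natd listens on; it is not a TCP/UDP port and is unrelated to telnet.
KEYWORDS = {"from", "to", "setup", "via", "log"}
ACTIONS = {"pass", "allow", "accept", "deny", "drop", "divert"}

def _port(tok):
    # Numeric ports become ints; service names (telnet, http, natd) stay as strings.
    return int(tok) if tok.isdigit() else tok

def parse_ipfw_rule(rule):
    toks = rule.split()
    if toks[0] != "add":
        toks.pop(0)  # drop a leading 'ipfw' or '$fwcmd'
    if toks.pop(0) != "add":
        raise ValueError("expected 'add'")
    out = {"number": None, "action": None, "divert_port": None, "log": False,
           "proto": None, "src": None, "src_port": None, "dst": None,
           "dst_port": None, "setup": False, "via": None}
    if toks[0].isdigit():
        out["number"] = int(toks.pop(0))
    out["action"] = toks.pop(0)
    if out["action"] not in ACTIONS:
        raise ValueError("unsupported action %r" % out["action"])
    if out["action"] == "divert":
        out["divert_port"] = _port(toks.pop(0))  # e.g. 23 or 'natd' (from /etc/services)
    if toks and toks[0] == "log":
        out["log"] = True
        toks.pop(0)
    out["proto"] = toks.pop(0)  # tcp, udp, all, ...
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("from", "to"):
            side = "src" if t == "from" else "dst"
            out[side] = toks[i + 1]
            i += 2
            # An address may be followed by a port unless the next token is a keyword.
            if i < len(toks) and toks[i] not in KEYWORDS:
                out[side + "_port"] = _port(toks[i])
                i += 1
        elif t == "setup":
            out["setup"], i = True, i + 1
        elif t == "via":
            out["via"], i = toks[i + 1], i + 2
        else:
            raise ValueError("unexpected token %r" % t)
    return out
```

Feeding it the three rule forms from this thread (the divert-23 rule, the rc.firewall `divert natd` rule and the `pass ... setup` rules) shows which number lands in `divert_port` and which in `dst_port`.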

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000320004440.A60597>