Date: Mon, 20 Mar 2000 00:44:40 -0800
From: Brent Kearney <brent@kearneys.ca>
To: Gavin Cameron <gavin@itworks.com.au>
Cc: FreeBSD Questions <freebsd-questions@FreeBSD.org>
Subject: Re: IPFW question
Message-ID: <20000320004440.A60597@kearneys.ca>
In-Reply-To: <Pine.BSF.4.21.0003192056280.11948-100000@maybe.itworks.com.au>; from gavin@itworks.com.au on Sun, Mar 19, 2000 at 09:03:40PM +1100
References: <Pine.BSF.4.21.0003192056280.11948-100000@maybe.itworks.com.au>
On Sun, Mar 19, 2000 at 09:03:40PM +1100, Gavin Cameron wrote:
> Hi all,
>
> I have the following turned on in my kernel under 4.0-RELEASE
>
> options IPFIREWALL                    #firewall
> options IPFIREWALL_VERBOSE            #print information about
>                                       # dropped packets
> options IPFIREWALL_FORWARD            #enable transparent proxy support
> options IPFIREWALL_VERBOSE_LIMIT=100  #limit verbosity
> options IPFIREWALL_DEFAULT_TO_ACCEPT  #allow everything by default
> options IPDIVERT                      #divert sockets
> options IPSTEALTH                     #support for stealth forwarding
>
> And if I do the following
>
> ipfw add 100 divert 23 log tcp from mach1 to mach2 80
>
> Then I think that if I telnet from mach1 to mach2 on port 80 then I expect
> to see a telnet session start up.
>

In your /etc/rc.conf, put:

natd_interface="ed0"    # Assuming ed0 is your outside interface
natd_enable="YES"
natd_flags="-n ed0 -log_denied -f /etc/natd.conf"
firewall_enable="YES"
firewall_type="open"    # See rc.firewall for the meaning of 'open'
firewall_quiet="YES"

In your /etc/natd.conf, put:

redirect_port tcp mach2:telnet mach1:http
redirect_port udp mach2:telnet mach1:http

In the above, you can substitute `23' for the word `telnet', and `80' for the
word `http' if you like. But the words work fine as long as you have a normal
/etc/services.

If you are running natd, and a restrictive firewall, then you will also need
ipfw adjustments:

# Allow connections to port 80 for telnet access to mach2
# (here assuming mach2 is 192.168.2.2)
$fwcmd add pass tcp from any to ${oip} http setup
$fwcmd add pass tcp from any to 192.168.2.2 telnet setup

Though I assumed firewall type 'open' in my example rc.conf lines above, and I
notice you have default to allow in your kernel, so it's probably the case that
you do NOT have a restrictive firewall, and thus do not require the
above-mentioned firewall rules.
> Am I right in the way that I read the divert line?
>

By default (in 3.4, at least) the divert line in rc.firewall will divert all
incoming packets to natd before anything else:

############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
if [ "X${natd_enable}" = X"YES" -a "X${natd_interface}" != X"" ]; then
    $fwcmd add divert natd all from any to any via ${natd_interface}
fi

Good luck!

-Brent
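As an added example (not part of Brent's reply, and not FreeBSD's own rc.firewall), the following POSIX shell script turns natd.conf redirect_port lines like the ones above into the ipfw rules a restrictive ruleset would need: the natd divert rule first, then a pass rule for the alias side and the target side of each redirection, with service names resolved from a constructed stand-in for /etc/services.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.firewall: emit the
# ipfw rules a restrictive ruleset would need for the natd.conf redirections
# discussed above. The divert rule comes first so natd translates packets
# before the remaining rules are evaluated.

# Constructed stand-in for /etc/services so the script runs offline.
SERVICES_TABLE='telnet 23/tcp
telnet 23/udp
http 80/tcp
http 80/udp'

# resolve_port NAME_OR_NUMBER PROTO: print the port number; status 1 if unknown.
resolve_port() {
    name=$1 proto=$2
    case "$name" in
        '') return 1 ;;
        *[!0-9]*) ;;                       # a service name: look it up below
        *) printf '%s\n' "$name"; return 0 ;;
    esac
    printf '%s\n' "$SERVICES_TABLE" | {
        while read -r svc portproto; do
            if [ "$svc" = "$name" ] && [ "${portproto#*/}" = "$proto" ]; then
                printf '%s\n' "${portproto%/*}"
                exit 0                     # ends the pipeline subshell only
            fi
        done
        exit 1                             # no match in the table
    }
}

# ipfw_rules NATD_CONF_TEXT OUTSIDE_IFACE: print ipfw rule bodies, one per line.
ipfw_rules() {
    conf=$1 iface=$2
    printf 'add divert natd all from any to any via %s\n' "$iface"
    printf '%s\n' "$conf" | while read -r kw proto tgt als; do
        [ "$kw" = redirect_port ] || continue      # skip comments/other options
        tport=$(resolve_port "${tgt#*:}" "$proto") || { echo "bad port: $tgt" >&2; continue; }
        aport=$(resolve_port "${als#*:}" "$proto") || { echo "bad port: $als" >&2; continue; }
        setup=""
        [ "$proto" = tcp ] && setup=" setup"       # 'setup' only applies to TCP
        # alias side: the outside address/port that clients connect to ...
        printf 'add pass %s from any to %s %s%s\n' "$proto" "${als%:*}" "$aport" "$setup"
        # ... and the target side the packet carries after natd translation
        printf 'add pass %s from any to %s %s%s\n' "$proto" "${tgt%:*}" "$tport" "$setup"
    done
}
```

Feed the output to `ipfw` (or prefix each line with `$fwcmd` in rc.firewall) after checking it; the script only prints rules and never changes the running firewall.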