From owner-freebsd-questions Fri Sep 21 16:03:04 2001
Date: Fri, 21 Sep 2001 16:00:51 -0700
From: "Crist J. Clark"
Reply-To: cjclark@alum.mit.edu
To: SNF
Cc: Freebsd-Questions
Subject: Re: IPFW/NATD - forward all port 25, 110, 143 connections to an internal 10 series server
Message-ID: <20010921160051.E980@blossom.cjclark.org>

On Fri, Sep 21, 2001 at 04:34:00PM -0500, SNF wrote:
> Hi,
>
> I currently have a FreeBSD 4.3 machine that is running ipfw and natd. Two
> physically separate interfaces are installed on the machine, providing an
> interior 10. series network with access to the external world (internet).
> My provider only provides us with one IP, and 5 more would double my monthly
> costs. So, I need to use that one IP for DNS, email and web serving... I
> have a qmail server set up with a private address on the inside and would
> like to forward all port 25, 110 and 143 connections coming to the outside
> interface (24.159.225.186) to that server (10.10.20.40). The crux that I
> see is that I still need to allow normal client access (from that 10.20.20
> network) to email servers outside of my network. So, if someone from the
> inside wants to go to pop.mail.yahoo.com or smtp.mail.yahoo.com, I would
> like that connection to be forwarded to the server (as it has been and has
> been working since I set up the gateway/firewall/natd box). On the other
> hand, when someone tries to access port 25, 110 or 143 specifically on
> 24.159.225.186, I would like to have that forwarded to 10.10.20.40. I have
> to recompile my kernel to add the IPFIREWALL_FORWARD option, and I'm simply
> not sure how to set up the rule correctly. Would something along the lines
> of
>
> (for pop)
> ${fwcmd} add forward tcp from 24.159.225.186 25 to 10.10.20.40 25 via
> 10.10.20.1
>
> or is there going to be much more needed? (All connections from the inside
> are allowed to outgoing machines, so I didn't think I would need the
> opposite of this rule allowing the return connection from 10.10.20.40 to be
> set up in a rule.) Or, is this something that would be more appropriately
> done using a different type of rule? I will eventually want to do the same
> thing with a web server or two...

The 'fwd' rules do not work the way you expect. ipfw(8) does not change the
contents of the packet. You want to use 'redirect_port' within natd(8).
-- 
Crist J. Clark                     cjclark@alum.mit.edu
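The natd(8) approach the reply recommends, written out as an added example (not code from either post): a natd.conf with redirect_port entries for the three ports in the question, the rc.conf lines that start natd with that file, and an ipfw ruleset in which the divert rule is the first rule to match traffic on the outside interface in either direction, so that natd rewrites the packet before any allow or deny rule looks at it. The outside interface name fxp0 and the /24 mask on the inside network are assumptions; the addresses and ports are the ones from the question. natd needs options IPDIVERT (with IPFIREWALL) in the kernel; IPFIREWALL_FORWARD is not needed for this.

```shell
#!/bin/sh
# Added example for the thread above: natd(8) redirect_port plus an ipfw(8)
# ruleset for one public IP in front of a mail host. Not code from the posts.
# Assumptions: the outside interface is fxp0 and the inside network is a /24.

EXT_IF="${EXT_IF:-fxp0}"          # assumed name of the outside interface
EXT_IP="24.159.225.186"           # public address from the question
MAIL_HOST="10.10.20.40"           # qmail host from the question
INSIDE_NET="10.10.20.0/24"        # assumed mask for the inside network
FWCMD="${FWCMD:-ipfw -q}"         # FWCMD=echo prints the rules instead of loading them

# /etc/natd.conf. redirect_port rewrites the destination of packets that
# arrive for EXT_IP:port so they are delivered to MAIL_HOST:port, and
# translates the replies back. Outbound connections from inside clients to
# other mail servers are ordinary NAT and are unaffected by these lines.
# No remote-address argument is given, so the redirect itself accepts any
# source; the ipfw rules below are what restrict it.
natd_conf() {
    cat <<EOF
interface ${EXT_IF}
use_sockets yes
same_ports yes
redirect_port tcp ${MAIL_HOST}:25 ${EXT_IP}:25
redirect_port tcp ${MAIL_HOST}:110 ${EXT_IP}:110
redirect_port tcp ${MAIL_HOST}:143 ${EXT_IP}:143
EOF
}

# /etc/rc.conf additions: forward packets, run natd on the outside interface
# with the file above, and load the ruleset from a script.
rc_conf_lines() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="${EXT_IF}"
natd_flags="-f /etc/natd.conf"
EOF
}

# The ruleset, one "ipfw add" argument list per line. Order matters: the
# divert rule (400) must be the first rule that matches traffic on EXT_IF,
# and every rule after it sees the translated addresses. That is why 600
# matches on MAIL_HOST rather than EXT_IP (the inbound SYN has already been
# rewritten) and why 800 matches on "any" rather than INSIDE_NET (an
# outbound SYN already carries EXT_IP as its source when it gets there).
# Rule 300 stops outside packets that claim an inside source address.
# DNS and web serving from the same IP need their own lines; left out here.
ipfw_rules() {
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from ${INSIDE_NET} to any in via ${EXT_IF}
add 400 divert natd ip from any to any via ${EXT_IF}
add 500 allow tcp from any to any established
add 600 allow tcp from any to ${MAIL_HOST} 25,110,143 in via ${EXT_IF} setup
add 700 deny log tcp from any to any in via ${EXT_IF} setup
add 800 allow tcp from any to any setup
add 65000 deny log ip from any to any
EOF
}

# Flush and load the ruleset. ${line} is left unquoted on purpose so each
# word becomes a separate ipfw argument.
apply_ruleset() {
    ${FWCMD} -f flush
    ipfw_rules | while read -r line; do
        ${FWCMD} ${line}
    done
}
```

To install it, copy the block to /etc/ipfw.rules with a call to apply_ruleset appended as its last line, write the output of natd_conf to /etc/natd.conf, and add the output of rc_conf_lines to /etc/rc.conf. Running with FWCMD=echo prints the ruleset instead of loading it, which is a convenient way to check the ordering before touching a remote box. Because redirect_port carries no remote-address restriction, anything that reaches 24.159.225.186 on 25, 110 or 143 goes straight to the qmail host, and publishing 110 and 143 means the POP and IMAP logins are reachable from the Internet; rule 600 is the place to narrow that if only some sources should get in.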