Date:      Fri, 12 Apr 2002 17:42:39 -0400
From:      "Asenchi" <asenchi@asenchi.com>
To:        <security@FreeBSD.ORG>
Subject:   RE: IPFW+nat.problem+advice?
Message-ID:  <BNEFIOCCBGNFNCEKAMLMAEDPCLAA.asenchi@asenchi.com>
In-Reply-To: <200204121955.WAA23236@sun1.hot.ee>

OK, I have no idea what natstart is, so I might be completely wrong, but in
your natd.conf file you should only have to specify:

redirect_port tcp 192.168.1.111:6666 123.45.67.89:6666

and so on... you can also read the natd manpage for more info on redirect_port.

Hope this sheds a little more light...

Also, I am curious as to why you have some of the rules you do, namely:

00211        0           0 allow tcp from 000.000.000.000 to any 22 in
00212        0           0 allow tcp from any 22 to 000.000.000.000 out
Not sure why you have 000.000.000.000? (This is just out of curiosity; I am
not saying you are wrong.)

00501    62407     5744884 deny ip from any to 10.0.0.0/8 via wi0
00502       30        1440 deny ip from any to 172.16.0.0/12 via wi0
00601        0           0 deny ip from any to 0.0.0.0/8 via wi0
00602      293       35384 deny ip from any to 169.254.0.0/16 via wi0
00603        0           0 deny ip from any to 192.0.2.0/24 via wi0
00604   491059    28724175 deny ip from any to 224.0.0.0/4 via wi0
00605   798321   116391193 deny ip from any to 240.0.0.0/4 via wi0
Again with the 0.0.0.0 IP, and also shouldn't deny rules go more towards the
end of your rule set? (Again, curiosity.)

02001  5336012   409089310 divert 8668 ip from 192.168.1.0/24 to any via 123.45.67.89
02002  8615895  9126246102 divert 8668 ip from any to 123.45.67.89 via 123.45.67.89
02011  2245061   232307377 divert 8888 ip from 10.10.10.0/24 to any via wi0
02012 16073819  7952662742 divert 8888 ip from any to 234.56.78.90 via wi0
You might be able to just go: add XXXX divert ip 8668 ip from any to any via
vr0 (is there a benefit to listing each IP connection?)

65535        3         180 allow ip from any to any
Shouldn't this be 'deny'?

natd_program="/etc/natstart"
I don't know what this is... could you explain what it is?

Basically I look at these lists to learn more. Hope you don't mind me asking
questions on top of yours. Don't know if I was any help at all.

ASENCHI
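Added example, not part of the original post or of FreeBSD's own tools: a small Python check over `ipfw -a list` output that flags the two points raised in the reply, the 000.000.000.000 placeholder address and a final rule 65535 that is `allow` rather than `deny`. The listing it runs on is constructed from the rules quoted above.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `ipfw -a list` format (rule, packets, bytes, body),
# built from the rules quoted in the reply; 000.000.000.000 is the redacted
# placeholder that appeared there, not a real host.
SAMPLE_LISTING = """\
00211        0           0 allow tcp from 000.000.000.000 to any 22 in
00212        0           0 allow tcp from any 22 to 000.000.000.000 out
00501    62407     5744884 deny ip from any to 10.0.0.0/8 via wi0
02001  5336012   409089310 divert 8668 ip from 192.168.1.0/24 to any via 123.45.67.89
65535        3         180 allow ip from any to any
"""

# rule number, packet counter, byte counter, action, rest of the rule body
RULE_RE = re.compile(r"^\s*(\d+)\s+\d+\s+\d+\s+(\S+)\s+(.*)$")
PLACEHOLDER = "000.000.000.000"


def parse_listing(text: str) -> List[Tuple[int, str, str]]:
    """Return (rule_number, action, body) per rule line; unparsable lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m.group(1)), m.group(2), m.group(3)))
    return rules


def lint_rules(rules: List[Tuple[int, str, str]]) -> Dict[int, str]:
    """Map rule number -> finding for the two points raised in the thread."""
    findings: Dict[int, str] = {}
    for num, _action, body in rules:
        if PLACEHOLDER in body:
            findings[num] = (f"placeholder address {PLACEHOLDER}; put the real host "
                             "in the rule or drop it")
    # ipfw evaluates rules top-down; 65535 is the catch-all, so its action is
    # the default policy for anything no earlier rule matched.
    if rules and rules[-1][0] == 65535 and rules[-1][1] == "allow":
        findings[65535] = ("default rule is allow: unmatched traffic is accepted; "
                           "add an explicit 'deny ip from any to any' before it")
    return findings


if __name__ == "__main__":
    for num, msg in sorted(lint_rules(parse_listing(SAMPLE_LISTING)).items()):
        print(f"{num:05d}: {msg}")
```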

