From owner-freebsd-questions Fri Sep 21 22:15: 4 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from gull.mail.pas.earthlink.net (gull.mail.pas.earthlink.net [207.217.121.85]) by hub.freebsd.org (Postfix) with ESMTP id BFF1137B412 for ; Fri, 21 Sep 2001 22:14:57 -0700 (PDT)
Received: from blossom.cjclark.org (dialup-209.245.129.105.Dial1.SanJose1.Level3.net [209.245.129.105]) by gull.mail.pas.earthlink.net (EL-8_9_3_3/8.9.3) with ESMTP id WAA02979; Fri, 21 Sep 2001 22:14:55 -0700 (PDT)
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.4/8.11.3) id f8M4srn03586; Fri, 21 Sep 2001 21:54:53 -0700 (PDT) (envelope-from cjc)
Date: Fri, 21 Sep 2001 21:54:53 -0700
From: "Crist J. Clark"
To: SNF
Cc: Freebsd-Questions
Subject: Re: IPFW/NATD - forward all port 25, 110, 143 connections to an internal 10 series server
Message-ID: <20010921215453.H980@blossom.cjclark.org>
Reply-To: cjclark@alum.mit.edu
References: <20010921160051.E980@blossom.cjclark.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from snf_lists@yahoo.com on Fri, Sep 21, 2001 at 09:18:30PM -0500
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Fri, Sep 21, 2001 at 09:18:30PM -0500, SNF wrote:
> > > set up in a rule.) Or, is this something that would be more appropriately
> > > done using a different type of rule? I will eventually want to do the same
> > > thing with a web server or two...
> >
> > The 'fwd' rules do not work how you expect. ipfw(8) does not change
> > the contents of the packet. You want to do natd(8) 'redirect_port'
> > within natd(8).
> > --
> > Crist J. Clark                                cjclark@alum.mit.edu
>
> I guess I am still not clear on how I am to implement this. I have a
> firewall set up on the server, but at the same time I am allowing divert(8)
> to divert all connections from inside the network through the single outside
> interface using the following instruction in my ipfw commands:
>
> ${fwcmd} add divert natd all from any to any via ${natd_interface}

Right, this is how you get packets to natd(8) for NAT processing.

> I then have a script for natd (called natd.conf which is called in rc.conf
> through the following line:
>
> natd_flags="-f /etc/natd.conf" # Additional flags for natd)
>
> That script contains the following:
>
> # natd.conf
> use_sockets yes
> same_ports yes
>
> and that is it. If I understand you correctly, everything is already set up
> correctly and I simply need to add more to the natd.conf file - like:
>
> redirect_port tcp 10.10.20.40:pop3 pop3
> redirect_port tcp 10.10.20.40:imap imap
> redirect_port tcp 10.10.20.40:smtp smtp

Looks pretty good. If 10.10.20.40 is providing all services, you could
do a single,

  redirect_address 10.10.20.40 0.0.0.0

> Would this then handle the response that 10.10.20.40 gives to the client?
> Or, does natd "know" to send the response to the client making the request?

That's what natd(8) does.

> And, if I am understanding correctly, this would only affect incoming
> connections to 24.159.225.186 pop3/smtp/imap?

For the configuration you gave, if 24.159.225.186 is the address on
${natd_interface}, yes.
--
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
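The two natd.conf variants discussed in the thread differ in what they expose. The three redirect_port lines forward exactly TCP 25, 110 and 143; the redirect_address shortcut is static NAT, so every port and protocol aimed at the alias address is handed to 10.10.20.40 unless the ipfw rules after the divert rule block it. The script below is an added example, not code from the thread or from FreeBSD: it parses the redirect lines of a natd.conf and reports which external ports reach an internal host, so the result can be compared against what the ipfw pass rules are meant to allow. The service table and the two sample configurations are constructed here so it runs offline; only names in that table are resolved.

```python
"""
Audit which external ports a natd.conf forwards into the internal network.

Added example for the ipfw/natd thread above; not code from the original
post or from FreeBSD.  SERVICES and the two sample configurations are
constructed here so the script runs offline.
"""

# Constructed subset of /etc/services (natd itself resolves names via getservbyname(3)).
SERVICES = {"smtp": 25, "pop3": 110, "imap": 143, "http": 80, "https": 443}


def port_range(token):
    """'pop3' -> (110, 110); '8000-8010' -> (8000, 8010)."""
    lo, _, hi = token.partition("-")

    def one(t):
        if t.isdigit():
            return int(t)
        if t in SERVICES:
            return SERVICES[t]
        raise ValueError("unknown service name: %s" % t)

    lo_n = one(lo)
    return (lo_n, one(hi) if hi else lo_n)


def parse_natd_conf(text):
    """Return the redirect entries of a natd.conf; comments and other options are skipped.

    redirect_port proto target:port[-port] [alias:]port[-port] [remote...]
    redirect_address local_ip public_ip      (static NAT: every port, every protocol)
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "redirect_port" and len(parts) >= 4:
            target_host, target_port = parts[2].rsplit(":", 1)
            alias_host, _, alias_port = parts[3].rpartition(":")
            entries.append({
                "kind": "port",
                "proto": parts[1].lower(),
                "ext_ip": alias_host or "0.0.0.0",  # no alias given: interface address
                "ext_ports": port_range(alias_port),
                "target": target_host,
                "target_ports": port_range(target_port),
            })
        elif parts[0] == "redirect_address" and len(parts) >= 3:
            entries.append({
                "kind": "address",
                "proto": "any",
                "ext_ip": parts[2],
                "ext_ports": (1, 65535),
                "target": parts[1],
                "target_ports": (1, 65535),
            })
    return entries


def exposed_ports(entries):
    """Map protocol -> set of external ports that reach an internal host.
    A redirect_address entry counts as every port under protocol 'any'."""
    exposure = {}
    for e in entries:
        lo, hi = e["ext_ports"]
        exposure.setdefault(e["proto"], set()).update(range(lo, hi + 1))
    return exposure


def exposes_whole_host(entries):
    """True when some redirect_address forwards an entire internal host."""
    return any(e["kind"] == "address" for e in entries)


# Constructed sample: the three-service configuration from the thread.
NATD_PER_PORT = """\
use_sockets yes
same_ports yes
redirect_port tcp 10.10.20.40:pop3 pop3
redirect_port tcp 10.10.20.40:imap imap
redirect_port tcp 10.10.20.40:smtp smtp
"""

# Constructed sample: the one-line alternative.  Static NAT, so every port and
# protocol of 10.10.20.40 is reachable unless the ipfw rules block it.
NATD_WHOLE_HOST = """\
use_sockets yes
same_ports yes
redirect_address 10.10.20.40 0.0.0.0
"""

if __name__ == "__main__":
    for name, conf in (("redirect_port", NATD_PER_PORT), ("redirect_address", NATD_WHOLE_HOST)):
        entries = parse_natd_conf(conf)
        summary = {p: "%d ports" % len(s) for p, s in exposed_ports(entries).items()}
        print(name, summary, "(whole host)" if exposes_whole_host(entries) else "(listed ports only)")
```

Run it against the real /etc/natd.conf and check that every port it reports is one the ipfw rules following the divert rule are meant to pass on ${natd_interface}; with redirect_address in place, the ipfw rules are the only thing keeping the rest of 10.10.20.40 off the outside interface.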