From: "Sam Wun"
To: "Sepherosa Ziehau"
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 28 Nov 2007 19:51:54 +1100
Subject: Re: ipfw forwarding doesn't work - for more than 2 months. --- please help
Message-ID: <736c47cb0711280051j63596f22tffce5e734d9712e@mail.gmail.com>

On Nov 28, 2007 7:45 PM, Sepherosa Ziehau wrote:
> On Nov 28, 2007 4:21 PM, Sam Wun wrote:
> > On Nov 28, 2007 5:12 PM, Sepherosa Ziehau wrote:
> > > On Nov 28, 2007 12:18 PM, Sam Wun wrote:
> > > > I have read the manpages and freebsd handbook more than 20 times.
> > >
> > > Oh? Then I think you must have read this in ipfw manpage:
> > > ...
> > > The fwd action does not change the contents of the packet at all. In
> > > particular, the destination address remains unmodified, so packets
> > > forwarded to another system will usually be rejected by that system
> > > unless there is a matching rule on that system to capture them.
> > > ...
> >
> > OK, I misread that. Does that mean I need to implement a rule in the
> > internal web server?
>
> IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
> with the in-kernel NAT.

Can you suggest where I can add a new divert rule in my current ipfw rule set?
belmore# ipfw list
00001 allow udp from any to any dst-port 500
00001 allow esp from any to any
00001 allow esp from any to any
00001 allow ipencap from any to any
00001 allow ipencap from any to any
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00041 allow tcp from 192.168.1.222 to any out
00050 divert 8668 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00150 allow ip from any to any via rl1
00200 deny ip from any to 127.0.0.0/8
00250 allow ip from any to any via lo0
00300 deny ip from 127.0.0.0/8 to any
00350 allow ip from any to any via gif* keep-state
00450 allow udp from any to any dst-port 53 in keep-state
00550 allow tcp from any to any dst-port 22 in keep-state
00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
00750 allow tcp from any to any dst-port 1080-60000 in keep-state
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
01050 allow tcp from any to any out keep-state
65000 allow ip from any to any
65535 allow ip from any to any

Here is the current rc.conf:

natd_program="/sbin/natd"
natd_enable="yes"
natd_interface="tun0"       # interface name of public Internet NIC
natd_flags="-dynamic -m"    # -m = preserve port numbers if possible
#natd_flags="-f /etc/natd.conf"

and the content of natd.conf:

belmore# cat natd.conf
dynamic yes
redirect_port tcp 192.168.1.222:80 80

Thanks
S

> Best Regards,
> sephe
>
> > I think I just need to install rinet in this freebsd router for the
> > port forwarding.
> >
> > Thanks
> >
> > > Best Regards,
> > > sephe
> > >
> > > > On Nov 28, 2007 2:40 PM, Sepherosa Ziehau wrote:
> > > > > On Nov 28, 2007 10:03 AM, Sam Wun wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I set up the following ipfw rules in freebsd 6.2:
> > > > > > belmore# ipfw list
> > > > > > 00001 allow udp from any to any dst-port 500
> > > > > > 00001 allow esp from any to any
> > > > > > 00001 allow esp from any to any
> > > > > > 00001 allow ipencap from any to any
> > > > > > 00001 allow ipencap from any to any
> > > > > > 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> > > > >
> > > > > I don't think this does the rdr you intended. Please take a look at
> > > > > ipfw manpage.
> > > > >
> > > > > Best Regards,
> > > > > sephe
> > > > >
> > > > > > I don't know what is wrong that the freebsd server (6.2) can't
> > > > > > redirect/forward http request to an internal server (web server -
> > > > > > 192.168.1.222).
> > > > > >
> > > > > > Can anyone please give suggestions to modify these rules?
> > > > > > Or can you please post your workable ipfw rules that achieved the same goal?
> > > > > >
> > > > > > Thanks
> > > > > > S
> > > > > > _______________________________________________
> > > > > > freebsd-ipfw@freebsd.org mailing list
> > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > > > > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe@freebsd.org"
> > > > >
> > > > > --
> > > > > Live Free or Die
> > >
> > > --
> > > Live Free or Die
>
> --
> Live Free or Die
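The placement question in the message above, as an added example that is not from the thread: in the ruleset shown, rules 20 (fwd) and 40 (allow) are numbered below the divert at 50, and ipfw stops at the first matching rule, so inbound port-80 packets are forwarded or accepted before natd ever sees them; rc.conf also starts natd with "-dynamic -m" while the "-f /etc/natd.conf" line is commented out, so the redirect_port entry is never loaded. The script below assumes natd is started with -f /etc/natd.conf, drops the fwd rule and puts the divert first; the rule numbers, the stateless allow rules and the lint function are my choices, and the site's remaining rules are left out.

```shell
#!/bin/sh
# Added example, not from the thread: ipfw rules that let natd's
# redirect_port handle inbound port 80 instead of a "fwd" rule.
# Interfaces, web server and divert port are the thread's; the rest is assumed.
EXT_IF="tun0"               # public interface (natd_interface in rc.conf)
INT_IF="rl1"                # internal LAN interface
WEB_SERVER="192.168.1.222"  # target of "redirect_port tcp 192.168.1.222:80 80"
NATD_PORT=8668              # divert port natd listens on

# Emit the rules in ipfw(8) file format ("add ..." lines, "#" comments).
ipfw_rules() {
    cat <<EOF
flush
# The divert must precede any rule that could match the untranslated packet:
# ipfw stops at the first matching allow/fwd rule, so an allow or fwd for
# the public address numbered below 50 would keep the packet from natd.
add 50 divert ${NATD_PORT} ip4 from any to any via ${EXT_IF}
add 100 allow ip from any to any via lo0
add 150 allow ip from any to any via ${INT_IF}
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# After natd the inbound request carries the private destination, so the
# allow rule names the web server, not the public address.
add 850 allow tcp from any to ${WEB_SERVER} dst-port 80 in via ${EXT_IF}
# Replies pass rule 50 on the way out and are re-injected with the public
# source address; "established" admits them without a keep-state rule.
add 950 allow tcp from any to any out via ${EXT_IF} established
# The site's other rules (gif, dns, ssh, outbound) follow here, numbered above 50.
add 65000 allow ip from any to any
EOF
}

# Lint: the divert must carry a lower number than the first rule naming the
# web server, or that rule short-circuits NAT. Returns 0 when the order is right.
rules_ok() {
    divert=$(ipfw_rules | awk '/^add [0-9]+ divert/ { print $2; exit }')
    first_web=$(ipfw_rules | awk -v w="$WEB_SERVER" '/^add/ && index($0, w) { print $2; exit }')
    [ -n "$divert" ] && [ -n "$first_web" ] && [ "$divert" -lt "$first_web" ]
}

# Dry run by default; APPLY=1 loads the ruleset with /sbin/ipfw (FreeBSD only).
if [ "${APPLY:-0}" = 1 ]; then
    rules_ok || { echo "divert is not ahead of the web server rules, not applying" >&2; exit 1; }
    tmp=$(mktemp) && ipfw_rules > "$tmp" && /sbin/ipfw -q -f "$tmp"
    rm -f "$tmp"
else
    ipfw_rules
fi
```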