Date:      Tue, 11 May 2004 23:00:20 -0500 (CDT)
From:      William Michael Grim <wgrim@siue.edu>
To:        Tim Aslat <tim@spyderweb.com.au>
Cc:        freebsd security list <freebsd-security@freebsd.org>
Subject:   Re: quick FW question
Message-ID:  <Pine.SO4.4.05.10405112252040.27442-100000@cougar.isg.siue.edu>
In-Reply-To: <20040512115607.23ac80ea@bofh.spyderweb.com.au>

Hello!

If you would like to properly forward traffic to your mail server THROUGH
the firewall, you need to have your firewall do it through NAT.  By doing
it through NAT (natd), it will change the IP headers for you so the
traffic travels correctly.  It took me a while to figure this out when
trying to forward ssh and httpd to an internal machine.

Set up your rc.conf like this:
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

In my natd.conf, I have a setup like this (you will need to change the
redirect lines though):
# Useful for trying not to break RFCs.

use_sockets
same_ports

# My public interface

interface dc0

# Use this since the public interface is set by DHCP.

dynamic

unregistered_only

log_ipfw_denied

redirect_port tcp 192.168.0.101:23 23
redirect_port tcp 192.168.0.101:8080 8080
#redirect_port tcp 192.168.0.101:389 389
#redirect_port tcp 192.168.0.101:636 636

William Michael Grim
Student, Southern Illinois University at Edwardsville
Unix Network Administrator, SIUE, Computer Science dept.
Phone: (217) 341-6552
Email: wgrim@siue.edu



On Wed, 12 May 2004, Tim Aslat wrote:

> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
> 
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trojan programs).
> 
> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
> 
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25
> 
> Cheers
> 
> Tim
> 
> -- 
> Tim Aslat <tim@spyderweb.com.au>
> Spyderweb Consulting
> http://www.spyderweb.com.au
> Phone: +61 0401088479
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
> 
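The thread turns on what an ipfw `fwd` rule actually matches. The following is an added example, not code from either poster: a small Python model of the subset of ipfw syntax used above (`fwd <ip>,<port> tcp from <src> to <dst> dst-port <port>`), with `me` meaning any address the firewall itself owns (ipfw's documented semantics), `any`, a single IP, or a CIDR block. The firewall addresses and the packets are constructed for the example. It evaluates the rule quoted in the question side by side with a variant that selects by source network, so the reader can see which LAN-originated SMTP connections each form diverts to the local mail server. One caveat not on the page: on FreeBSD of that era the `fwd` action also needed the `IPFIREWALL_FORWARD` kernel option to be compiled in.

```python
import ipaddress
from dataclasses import dataclass

# Constructed for this example: the addresses the firewall box itself holds
# (public side on dc0, LAN gateway side). ipfw's "me" matches any of these.
FIREWALL_ADDRS = {"203.0.113.10", "192.168.0.1"}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def _match_host(spec: str, addr: str) -> bool:
    """Match one ipfw address spec: 'any', 'me', a single IP, or a CIDR block."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in FIREWALL_ADDRS
    # A bare IP parses as a /32 network; a CIDR block as itself.
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def parse_fwd_rule(rule: str) -> dict:
    """Parse 'ipfw add fwd <ip>,<port> <proto> from <src> to <dst> dst-port <port>'.

    Only this one rule shape is modelled; anything else is rejected.
    """
    tok = rule.split()
    if tok[:3] != ["ipfw", "add", "fwd"] or len(tok) != 11:
        raise ValueError("only 'ipfw add fwd ... dst-port N' rules are modelled")
    if tok[5] != "from" or tok[7] != "to" or tok[9] != "dst-port":
        raise ValueError("unexpected rule layout: %r" % rule)
    fwd_ip, fwd_port = tok[3].split(",")
    return {
        "fwd": (fwd_ip, int(fwd_port)),
        "proto": tok[4],
        "src": tok[6],
        "dst": tok[8],
        "dport": int(tok[10]),
    }


def apply_rule(rule: str, pkt: Packet):
    """Return the (ip, port) the packet would be diverted to, or None if the rule does not match."""
    r = parse_fwd_rule(rule)
    if pkt.proto != r["proto"] or pkt.dport != r["dport"]:
        return None
    if not (_match_host(r["src"], pkt.src) and _match_host(r["dst"], pkt.dst)):
        return None
    return r["fwd"]


# The rule from the question, and a variant keyed on the LAN source network.
RULE_TO_ME = "ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25"
RULE_FROM_LAN = "ipfw add fwd 127.0.0.1,25 tcp from 192.168.0.0/24 to any dst-port 25"

# Constructed packets: a LAN host talking SMTP to the firewall, to an outside
# mail server, and a LAN host doing ordinary web traffic.
LAN_TO_FIREWALL = Packet("tcp", "192.168.0.50", "192.168.0.1", 25)
LAN_TO_INTERNET = Packet("tcp", "192.168.0.50", "198.51.100.7", 25)
LAN_WEB = Packet("tcp", "192.168.0.50", "198.51.100.7", 80)


def evaluate_all() -> dict:
    """Evaluate both rules against every constructed packet; keys are (rule name, packet name)."""
    rules = {"to_me": RULE_TO_ME, "from_lan": RULE_FROM_LAN}
    packets = {"lan_to_fw": LAN_TO_FIREWALL, "lan_to_inet": LAN_TO_INTERNET, "lan_web": LAN_WEB}
    return {(rn, pn): apply_rule(r, p) for rn, r in rules.items() for pn, p in packets.items()}


if __name__ == "__main__":
    for (rule_name, pkt_name), target in evaluate_all().items():
        print(f"{rule_name:9s} {pkt_name:12s} -> {target}")
```

The interesting row is `to_me` against `lan_to_inet`: because `me` only covers the firewall's own addresses, an SMTP connection from a LAN host straight to an outside server does not match that rule and passes through untouched, whereas the source-network form diverts it to the local mail server and leaves port-80 traffic alone.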


