From owner-freebsd-hackers Thu Jul 16 05:23:46 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id FAA01926 for freebsd-hackers-outgoing; Thu, 16 Jul 1998 05:23:46 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id FAA01901 for ; Thu, 16 Jul 1998 05:23:19 -0700 (PDT) (envelope-from ru@ucb.crimea.ua)
Received: from relay.ucb.crimea.ua (relay.ucb.crimea.ua [194.93.177.113]) by freefall.freebsd.org (8.8.8/8.8.5) with ESMTP id FAA25320 for ; Thu, 16 Jul 1998 05:22:12 -0700 (PDT)
Received: (from ru@localhost) by relay.ucb.crimea.ua (8.8.8/8.8.8) id PAA22794; Thu, 16 Jul 1998 15:22:45 +0300 (EEST) (envelope-from ru)
Message-ID: <19980716152244.A22669@ucb.crimea.ua>
Date: Thu, 16 Jul 1998 15:22:44 +0300
From: Ruslan Ermilov
To: Thomas David Rivers , freebsd-hackers@freefall.cdrom.com
Subject: Re: ipfw rules for exposing an internal machine's port externally?
Mail-Followup-To: Thomas David Rivers , freebsd-hackers@freefall.cdrom.com
References: <199807161205.IAA01215@lakes.dignus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.91i
In-Reply-To: <199807161205.IAA01215@lakes.dignus.com>; from Thomas David Rivers on Thu, Jul 16, 1998 at 08:05:13AM -0400
X-Operating-System: FreeBSD 2.2.6-STABLE i386
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Thu, Jul 16, 1998 at 08:05:13AM -0400, Thomas David Rivers wrote:
>
> I thought I should be able to do this; but it doesn't
> seem to work well. Perhaps someone knows what I've got wrong here.
>
> What I have is a machine "X" which is on the external network
> and through which I divert all internal traffic on the 10.0.0.x
> network via ipfw/natd, as in:
>
> ipfw add 100 divert 32000 ip from any to any via sl0
>
>
> However, I have an internal machine (10.0.0.10) that's set up
> to do telnet connections on a different port (e.g. port #PPPP in
> the following example.)
>
> I would like to make those connections available externally.
>
> So, I've added:
>
> ipfw add 50 pass log tcp from any PPPP to 10.0.0.10 PPPP
> ipfw add 50 pass log udp from any PPPP to 10.0.0.10 PPPP
>
> But, if I telnet to the gateway machine at port PPPP as in:
> telnet gateway PPPP
> all I get is:
> Trying x.x.x.x...
> telnet: Unable to connect to remote host: Connection refused
>
>
> If I, however, telnet on the internal network to 10.0.0.10 PPPP
> I get connected just fine.
>
>
>
> Has anyone done this before? That is, map a particular port number
> on one machine to a different one? And, use that with divert to
> make a service on an internal machine externally visible? If so, how?
>
You're missing a natd redirect rule, it seems to me.

Add the following line to the natd config file on "X":

redirect_port tcp 10.0.0.10:PPPP PPPP

This will tell natd to redirect X:PPPP connections to 10.0.0.10:PPPP.

HTH and regards,
--
Ruslan Ermilov          Sysadmin and DBA of the
ru@ucb.crimea.ua        United Commercial Bank
+380.652.247.647        Simferopol, Ukraine
http://www.FreeBSD.org  The Power To Serve
http://www.oracle.com   Enabling The Information Age

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
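The complete gateway configuration the reply points at, as an added illustration (not code from the thread or from either poster): a natd.conf carrying the redirect_port line, plus an ipfw ruleset ordered so the divert runs before the pass rule for the internal host. Port 2323 is a constructed stand-in for the thread's PPPP; sl0, divert port 32000 and 10.0.0.10 are the values from the thread.

```shell
#!/bin/sh
# Added illustration for the setup in the thread (not the posters' code):
# natd + ipfw on gateway "X" exposing one internal TCP service.
# Constructed: SVC_PORT=2323 stands in for PPPP.  sl0, divert port 32000
# and 10.0.0.10 are taken from the thread.
EXT_IF=sl0
NATD_PORT=32000
INT_HOST=10.0.0.10
SVC_PORT=2323

# natd(8) config.  redirect_port installs a static translation entry, so a
# SYN arriving at X:2323 is rewritten to 10.0.0.10:2323 before ipfw sees it
# again.  Without it nothing on X listens on 2323 and the kernel answers
# with RST ("Connection refused").  deny_incoming drops unsolicited inbound
# packets that match no entry; the static redirect entry still matches.
natd_conf() {
    cat <<EOF
interface $EXT_IF
port $NATD_PORT
use_sockets yes
same_ports yes
deny_incoming yes
redirect_port tcp $INT_HOST:$SVC_PORT $SVC_PORT
EOF
}

# ipfw ruleset.  The divert rule must precede the pass rule for the
# internal host: only after natd has rewritten the destination does the
# packet re-enter the ruleset with "to 10.0.0.10".  The thread's rule 50 sat
# before the divert, where the destination was still X's own address.
# Rule 100 drops packets claiming an internal source on the external link.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 deny log ip from 10.0.0.0/24 to any in via $EXT_IF
ipfw add 110 divert $NATD_PORT ip from any to any via $EXT_IF
ipfw add 200 pass log tcp from any to $INT_HOST $SVC_PORT in via $EXT_IF setup
ipfw add 210 pass tcp from any to any established
ipfw add 220 pass ip from any to any via lo0
ipfw add 230 pass ip from any to any out via $EXT_IF
ipfw add 240 pass ip from 10.0.0.0/24 to any in
ipfw add 65000 deny log ip from any to any
EOF
}

# Apply on X as root: write natd.conf, start natd, load the rules.  Afterwards
# "ipfw -a list" shows rule 200's counters climb as external clients connect.
apply() { natd_conf > /etc/natd.conf; natd -f /etc/natd.conf; ipfw_rules | sh; }
if [ "$1" = apply ]; then apply; fi
```

Only TCP is redirected here, since the service in the thread is telnet-like; a UDP service would need its own redirect_port line and pass rule.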