From: Thomas David Rivers
Date: Thu, 16 Jul 1998 10:56:09 -0400 (EDT)
To: rivers@dignus.com
Cc: freebsd-hackers@freefall.cdrom.com
Subject: Tantalizingly close (was: ipfw rules for exposing an internal machine's port externally?)
Message-Id: <199807161456.KAA01628@lakes.dignus.com>
In-Reply-To: <35AE0711.D86870C9@jezebel.demon.co.uk>

Thanks to all the wonderful suggestions I've gotten from fellow hackers - I'm tantalizingly close to being able to expose an internal machine to the external network. But, things aren't quite working yet.

[By the way, in case I haven't mentioned - this is with 2.2.6.]
Here's what I currently have:

    [10.0.0.1]$ ipfw list
    00100 divert 32000 ip from any to any via sl0
    00200 allow tcp from any to 166.82.177.48 7490
    00201 allow tcp from any to 10.0.0.10 7490
    01000 allow ip from any to any via lo0
    01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
    65000 allow ip from any to any
    65535 deny ip from any to any

    [10.0.0.1]$ ifconfig sl0        (external interface)
    sl0: flags=9011 mtu 552
            inet 166.82.177.48 --> 166.82.100.202 netmask 0xffffff00

    [10.0.0.1]$ ifconfig ed0        (internal interface)
    ed0: flags=8843 mtu 1500
            inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
            ether 66:66:77:00:0b:31

And, natd was run with:

    /usr/sbin/natd -l -port 32000 -interface sl0 -m -u -dynamic \
        -redirect_port tcp 10.0.0.10:7490 7490

When I try to connect to 166.82.177.48 with:

    telnet 166.82.177.48 7490

(from the 'external world') I no longer get the immediate 'connection refused' [which implies things are getting somewhat routed...]

But - I also don't get connected. It eventually times out.

[Internal connections from the gateway machine to 10.0.0.10 7490 work just fine.]

To me, this implies some route isn't right yet... i.e. the internal machine can't get back to the external network...

I have the feeling I'm just missing one little item... which I hope is obvious to the more ipfw/natd-experienced people on the list :-)

        - Thanks -
        - Dave Rivers -
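As an added example (not part of Dave's mail and not code from FreeBSD), here is a small POSIX sh script that runs a static sanity check over the ruleset above, the kind of review a gateway operator does before exposing a redirected port. It takes the natd port, external interface, and redirect target from the mail, embeds the posted `ipfw list` output as constructed sample input, and checks the properties natd depends on: the divert rule must be the lowest-numbered rule so that packets in both directions reach natd before any allow rule accepts them untranslated, there must be exactly one divert rule, and an allow rule must exist for the destination as it looks after natd has rewritten it (10.0.0.10 port 7490, not the external address). It also flags the unqualified "allow ip from any to any" rule at 65000, which admits all traffic that reaches it and so makes the per-port allow rules redundant. The script only inspects rule text and does not touch the kernel.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD: a static
# sanity check over an `ipfw list` ruleset used together with natd port
# redirection. It only inspects rule text; it does not touch the kernel.

NATD_PORT=32000   # must match the -port given to natd (value from the mail)
EXT_IF=sl0        # external interface natd is bound to (from the mail)
TARGET=10.0.0.10  # internal host the port is redirected to (from the mail)
PORT=7490         # redirected TCP port (from the mail)

# Constructed sample input: the ruleset posted in the mail, exactly as
# `ipfw list` prints it. On a live gateway you would use: RULES=$(ipfw list)
RULES='00100 divert 32000 ip from any to any via sl0
00200 allow tcp from any to 166.82.177.48 7490
00201 allow tcp from any to 10.0.0.10 7490
01000 allow ip from any to any via lo0
01010 deny ip from 127.0.0.0/8 to 127.0.0.0/8
65000 allow ip from any to any
65535 deny ip from any to any'

# check_divert RULES NATD_PORT EXT_IF
# Succeeds when the very first rule is the divert rule to natd's port on the
# external interface. ipfw evaluates rules in ascending number order, so the
# divert must come first for natd to see every packet, in both directions,
# before any allow rule accepts it untranslated. Also requires exactly one
# divert rule so that no second natd instance silently competes for packets.
check_divert() {
    first=$(printf '%s\n' "$1" | head -n 1)
    ndivert=$(printf '%s\n' "$1" | grep -c ' divert ' || :)
    [ "$ndivert" -eq 1 ] || return 1
    case "$first" in
        *" divert $2 ip from any to any via $3") return 0 ;;
        *) return 1 ;;
    esac
}

# check_redirect_allow RULES TARGET PORT
# Succeeds when an allow rule exists for TCP to the internal target and port,
# i.e. the packet as it looks *after* natd has rewritten the destination.
# (Dots in TARGET are regex wildcards here; good enough for a sanity check.)
check_redirect_allow() {
    printf '%s\n' "$1" | grep -q "^[0-9]* allow tcp from any to $2 $3\$"
}

# check_default_open RULES
# Succeeds (status 0) when an unqualified "allow ip from any to any" rule is
# present. Such a rule admits all traffic that reaches it, which makes the
# per-port allow rules above it redundant; worth knowing before putting the
# gateway on the outside.
check_default_open() {
    printf '%s\n' "$1" | grep -q '^[0-9]* allow ip from any to any$'
}

# Run the checks against RULES and print one line per finding.
report() {
    if check_divert "$RULES" "$NATD_PORT" "$EXT_IF"; then
        echo "ok:   divert $NATD_PORT via $EXT_IF is the first rule"
    else
        echo "FAIL: divert rule missing, duplicated, or not first"
    fi
    if check_redirect_allow "$RULES" "$TARGET" "$PORT"; then
        echo "ok:   allow rule for translated destination $TARGET:$PORT present"
    else
        echo "FAIL: no allow rule for translated destination $TARGET:$PORT"
    fi
    if check_default_open "$RULES"; then
        echo "note: ruleset contains an unqualified allow-all rule"
    fi
}

report
```

Run as-is it reports on the embedded sample; with RULES=$(ipfw list) it reviews the live ruleset. It deliberately checks only the firewall side: whether the internal host has a route back through the gateway is a question for the internal host's routing table, which no ruleset inspection can answer.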