From owner-freebsd-questions Sun Jan 28 7: 5:17 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from atlrel1.hp.com (atlrel1.hp.com [156.153.255.210]) by hub.freebsd.org (Postfix) with ESMTP id C115937B400 for ; Sun, 28 Jan 2001 07:04:57 -0800 (PST)
Received: from omgw1.boi.hp.com (omgw1.boi.hp.com [15.56.8.101]) by atlrel1.hp.com (Postfix) with ESMTP id DDEE4726; Sun, 28 Jan 2001 10:04:56 -0500 (EST)
Received: from xpabh1.boi.hp.com (xpabh1.boi.hp.com [15.56.8.33]) by omgw1.boi.hp.com (8.9.3 (PHNE_18979)/8.9.3 SMKit6.0.6 OpenMail) with ESMTP id IAA02466; Sun, 28 Jan 2001 08:04:55 -0700 (MST)
Received: by xpabh1.boi.hp.com with Internet Mail Service (5.5.2653.19) id ; Sun, 28 Jan 2001 07:04:55 -0800
Message-ID:
From: "DINKEY,GENE (HP-Loveland,ex1)"
To: "'Marius M. Rex'" , questions@freeBSD.org
Subject: RE: IPfwd
Date: Sun, 28 Jan 2001 07:04:20 -0800
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> -----Original Message-----
> From: Marius M. Rex [mailto:marius@mail.communityconnect.com]
> Sent: Saturday, January 27, 2001 10:55 PM
> To: questions@freeBSD.org
> Subject: IPfwd
>
> I have a little home network on which I run ipfw and nat. My significant
> other wants to participate in napster, so I wrote a firewall rule so she
> could do so. She can now sit at her computer, connect, and download
> songs. I have a dynamic ip address, so I wrote it thusly.
>
> $fwcmd add 1500 pass tcp from any to any 6699 in via ${oif}
>
> But of course, no one can connect to her computer and download songs
> from her. She has an ip address that is translated by NAT into the one ip
> address that I have, on the FreeBSD box. An unsolicited outside
> connection is not supposed to be able to set up a connection. But she
> wants to be able to give back. So I thought I would just forward that
> port. She is the only one who uses Napster, it seemed fairly reasonable.
> So I rechecked with Napster, and confirmed that it should answer
> requests for downloads from 6699.
>
> $fwcmd add 1501 fwd 10.0.0.3 tcp from any to any 6699
>
> This looks to me like it should forward all traffic from port 6699 to her
> machine, 10.0.0.3. But still no-one can download music from her. Am I
> forwarding it wrong? The syntax is valid, I know that. Here are my
> current stats:
>
> FreeBSD milux.ny.home 3.5-STABLE FreeBSD 3.5-STABLE #8: Sat Jan 27
> 14:58:50 EST 2001 marius@milux.ny.home:/usr/src/sys/compile/MILUX i386
>
> packet forwarding is compiled in the kernel. From my dmesg:
>
> IP packet filtering initialized, divert enabled, rule-based forwarding
> enabled, default to accept, logging limited to 100 packets/entry by
> default
>
> Any clues to what I am doing wrong? (I know, gotta cvsup soon, I read the
> security advisement about ipfw.)

A better way to set that up is through natd - in your config file add

redirect_port tcp x.x.x.x:6699 6699
redirect_port udp x.x.x.x:6699 6699   # (and I'm not sure if Napster requires udp)

This will tell natd to pass packets back to any particular machine. I'm not
sure if natd will allow you to specify a subnet so all systems can
participate on Napster using the same data port. If not you can always set
up the same thing for another system but use a different data port. That's
how I took care of it.

Gene

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
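Gene's redirect_port suggestion written out as a complete natd.conf plus a matching rc.firewall-style ipfw ruleset that exposes only the one redirected port to the one LAN host. This is an added example, not Gene's or the FreeBSD project's own configuration; it assumes the public interface is called ed0 (a placeholder name), natd listens on its default divert port 8668, and the LAN host and port are 10.0.0.3 and 6699 from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw + natd setup that forwards one
# inbound TCP port to a single LAN host, in /etc/rc.firewall style (the same
# $fwcmd / ${oif} variables the original post uses).
# Assumptions: public interface "ed0" (placeholder), natd on its default
# divert port 8668, LAN host 10.0.0.3 and port 6699 from the thread.

oif="ed0"              # public interface, assumed name
inner_host="10.0.0.3"  # LAN machine that should receive the forwarded port
data_port="6699"       # Napster data port from the thread

# Contents of /etc/natd.conf; in /etc/rc.conf use natd_enable="YES",
# gateway_enable="YES" and natd_flags="-f /etc/natd.conf" to load it.
natd_conf() {
    cat <<EOF
interface ${oif}
dynamic yes
# Inbound TCP ${data_port} on the public address is rewritten to the LAN host.
redirect_port tcp ${inner_host}:${data_port} ${data_port}
EOF
}

# Firewall rules. Pass "/sbin/ipfw" to load them, or "echo" to dry-run and
# inspect the generated rules without touching the kernel.
firewall_rules() {
    fwcmd="$1"
    ${fwcmd} -f flush
    # Every packet crossing the public interface goes to natd first, so the
    # rules after this one see the translated (private) destination.
    ${fwcmd} add 1000 divert 8668 ip from any to any via ${oif}
    # Replies to connections that were set up from inside are allowed.
    ${fwcmd} add 1100 pass tcp from any to any established
    # Only the redirected port may open a connection, and only to the host
    # natd rewrote it to: matching the private address here means no other
    # inbound port or LAN box is reachable from outside.
    ${fwcmd} add 1500 pass tcp from any to ${inner_host} ${data_port} in via ${oif} setup
    # Any other unsolicited connection attempt from outside is dropped and logged.
    ${fwcmd} add 1600 deny log tcp from any to any in via ${oif} setup
}

# Dry-run sanity check: exactly one pass rule, and it names the private
# address rather than the public one. Returns 0 on success.
check_rules() {
    n=$(firewall_rules echo | grep -c "pass tcp from any to ${inner_host} ${data_port} in via ${oif} setup")
    [ "$n" -eq 1 ]
}
```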