From owner-freebsd-ipfw@FreeBSD.ORG Fri Jul 28 20:35:19 2006
Date: Fri, 28 Jul 2006 23:35:14 +0300
From: vladone <vladone@spaingsm.com>
To: ipfw@freebsd.org
Subject: Re: ipfw and natd routing problems
Message-ID: <44756092.20060728233514@spaingsm.com>
In-Reply-To: <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
References: <28745bbf0607270947i6d71369fg5c1403b2d6e36219@mail.gmail.com> <28745bbf0607280412tdff38dck9df78fd0fc363fff@mail.gmail.com>
List-Id: IPFW Technical Discussions

Hello Adam,

Friday, July 28, 2006, 2:12:32 PM, you wrote:

> Hi,
> I've recently installed FreeBSD on a Soekris Net 4801 to act as my
> LAN's router. I have got natd and ipfw working fine (there was
> originally some trouble with getting an IP from NTL via dhcp because I
> hadn't allowed the cable modem's ip to talk to the router, or NTL's
> dhcp servers to also talk to the router).
>
> My only problem now is that although connections going out through
> natd work fine, natd port forwarding does not work correctly. I am not
> sure whether this is a problem with natd or just my ipfw rule(s),
> though I am more inclined to believe it is ipfw!
>
> ipfw and natd are enabled in /etc/rc.conf through the following lines:
>
> #enable firewall
> firewall_enable="YES"
> #path to rules
> firewall_type="/etc/fw/firewall.rules"
> #be non-verbose?
> firewall_quiet="NO"
> #enable natd
> natd_enable="YES"
> #natd interface
> natd_interface="sis0"
> #flags for natd
> natd_flags="-f /etc/fw/natd.conf"
>
> Below is my ipfw natd rule, and the natd.conf file:
>
> [ipfw]
> # check if incoming packets belong to a natted session, allow through if yes
> add 01000 divert natd ip from any to any in via sis0
> add 01001 check-state
>
> [natd.conf]
> unregistered_only
> interface sis0
> use_sockets
> dynamic
> punch_fw 2000:100
> same_ports
> redirect_port tcp 192.168.0.5:80 80
> redirect_port tcp 192.168.0.5:6700-6725 6700-6725
>
> When trying to access port 80 (the httpd) externally, the connection
> just times out, as does any other connection. Any help would be
> greatly appreciated!
>
> Adam

You need to add a natd rule for outgoing packets too, not only for
incoming. So you need a rule like this at the end of the rules:

add 05000 divert natd ip from any to any out via sis0

With two rules for natd (one for incoming and another for outgoing) you
can control the traffic flow more exactly. Else you can use a single
natd rule at the beginning like this:

add 1000 divert natd all from any to any via sis0

-- 
Best regards,
vladone mailto:vladone@spaingsm.com
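The point made in the reply above is that natd must see traffic in both directions on the NAT interface: with only an "in via sis0" divert, the reply packets of a forwarded connection leave sis0 untranslated and the client times out. The following POSIX sh script is an added example, not code from the thread or from FreeBSD; it lints an ipfw ruleset as text (it needs no ipfw binary) and classifies natd divert coverage on a given interface as none, in-only, out-only or both. The three rulesets it checks are constructed here to mirror the original post, the two-rule fix and the single bidirectional "via" alternative.

```shell
#!/bin/sh
# Added example (not from the thread): classify natd divert coverage in an
# ipfw ruleset so an "in-only" divert is caught before the rules are loaded.
# Pure text analysis over the rule lines; no ipfw needed.

# Constructed ruleset mirroring the original poster's configuration: natd is
# only consulted for packets arriving on sis0, so replies leaving sis0 are
# never translated and forwarded connections time out.
BROKEN_RULES='add 01000 divert natd ip from any to any in via sis0
add 01001 check-state'

# Constructed ruleset with the outbound divert from the reply added.
FIXED_RULES='add 01000 divert natd ip from any to any in via sis0
add 01001 check-state
add 05000 divert natd ip from any to any out via sis0'

# Constructed ruleset using the single bidirectional divert alternative.
SINGLE_RULES='add 1000 divert natd all from any to any via sis0'

# natd_divert_coverage RULES IFACE
# Prints one of: none, in-only, out-only, both.
natd_divert_coverage() {
    rules=$1
    iface=$2
    # Keep only divert-to-natd rules that name the NAT interface with "via".
    matched=$(printf '%s\n' "$rules" \
        | grep -E 'divert[[:space:]]+natd' \
        | grep -E "(^|[[:space:]])via[[:space:]]+$iface([[:space:]]|\$)" || true)
    if [ -z "$matched" ]; then
        echo none
        return 0
    fi
    in_cnt=$(printf '%s\n' "$matched" | grep -Ec '(^|[[:space:]])in[[:space:]]+via' || true)
    out_cnt=$(printf '%s\n' "$matched" | grep -Ec '(^|[[:space:]])out[[:space:]]+via' || true)
    # A "via" rule with neither "in" nor "out" matches both directions.
    any_cnt=$(printf '%s\n' "$matched" | grep -Evc '(^|[[:space:]])(in|out)[[:space:]]+via' || true)
    if [ "$any_cnt" -gt 0 ] || { [ "$in_cnt" -gt 0 ] && [ "$out_cnt" -gt 0 ]; }; then
        echo both
    elif [ "$in_cnt" -gt 0 ]; then
        echo in-only
    elif [ "$out_cnt" -gt 0 ]; then
        echo out-only
    else
        echo none
    fi
}

# Stand-alone run: report coverage for each constructed sample on sis0.
for name in BROKEN_RULES FIXED_RULES SINGLE_RULES; do
    eval "rules=\$$name"
    printf '%s: %s\n' "$name" "$(natd_divert_coverage "$rules" sis0)"
done
```

Usage: paste the contents of the ruleset file into one of the variables (or read it with `$(cat /etc/fw/firewall.rules)`) and call natd_divert_coverage with the natd interface; anything other than "both" means one direction of every translated flow bypasses natd. The check deliberately only looks at "via", since that is the form used in the thread; rules written with "recv" or "xmit" are not interpreted.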