From owner-freebsd-hackers Wed Feb 17 20:36:15 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from horse.supranet.net (horse.supranet.net [205.164.160.8]) by hub.freebsd.org (Postfix) with ESMTP id 845CF11323 for ; Wed, 17 Feb 1999 20:36:12 -0800 (PST) (envelope-from gavinb@supranet.net)
Received: from zeus (ppp00-66.supranet.net [205.164.160.66]) by horse.supranet.net (8.9.1/8.9.1) with SMTP id WAA14433 for ; Wed, 17 Feb 1999 22:36:11 -0600 (CST)
Message-Id: <4.1.19990217222002.03d38bc0@mail.supranet.net>
X-Sender: gavinb@mail.supranet.net
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
Date: Wed, 17 Feb 1999 22:38:59 -0600
To: freebsd-hackers@freebsd.org
From: Benjamin Gavin
Subject: Problems with ipfw/nat
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all,

I have posted a similar question to -stable, but got a non-existent response. I'll post it here, as it relates closer to this list (I believe).

The problem I have been having is with a 3.0-STABLE (~2/8/99 CVSup). I have the machine running IPFW with NAT enabled. The outgoing NAT is working fine, and traffic to the internal LAN (from the outside) is being blocked nicely. However, I now face the following problem. I need to open a port (80) to the outside world on an internal machine. I have done the same thing with port 110 (POP3), and all went just great. I have included what I believe to be the relevant configuration files below. (I am doing this from home, so the syntax may be slightly off, but I think not.)
_rc.conf.site_:

gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/rc.firewall.local"   # Contains my local firewall rules
firewall_quiet="NO"
natd_enable="YES"
natd_interface="fxp0"                    # My external ethernet card
natd_flags="-f /etc/rc.natd"
ifconfig_fxp0="inet xxx.xxx.xxx.66 netmask 255.255.255.192"
ifconfig_fxp0_alias0="inet xxx.xxx.xxx.67 netmask 255.255.255.255"
ifconfig_fxp1="inet 192.168.44.1 netmask 255.255.255.0"

_rc.firewall.local_:

...    # Other rules
# added to trace all ip traffic to and from 192.168.44.17 through me
allow log ip from any to 192.168.44.17 via fxp1
allow log ip from 192.168.44.17 to any via fxp1
# needed or packets get blocked in the middle
allow log tcp from any to 192.168.44.17 80 via fxp0
...    # Other rules

_rc.natd_:

use_sockets yes
same_ports yes
dynamic yes
# Redirect requests for port 80 on xxx.xxx.xxx.67 to 192.168.44.17:80
# (natd's redirect_port takes the protocol first: proto target alias)
redirect_port tcp 192.168.44.17:80 xxx.xxx.xxx.67:80

Here is the problem. Watching the logs (/var/log/messages) I see the port getting redirected and what looks like the packet leaving the interface to go to 192.168.44.17. However, I don't ever see that packet hit the web server. Is there something I am doing wrong? From the firewall I can get to the internal web server by using 192.168.44.17, but I can't get to it from outside. I don't see any response from the web server coming back into the firewall on either type of request (from the firewall itself, or from outside).

Any ideas?? Please, I am at a loss; this worked perfectly for POP3, but not for http? Or is it possibly something gone awry in the -STABLE version I am running? I was running an earlier version of -STABLE on the box with POP3 working.

TIA, and sorry for the rather long message.

Ben Gavin

---------------------------------
Benjamin Gavin
http://www.virtual-olympus.com/
*** Down with SPAM! ***
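For reference, here is the ordering of the natd divert rule relative to the allow rules that a redirect_port setup depends on: the packet natd rewrites is re-injected into ipfw and matched from the next rule on with its translated (internal) address, which is why the rule for the redirected port names 192.168.44.17 rather than the public alias. This is an added example, not code from Ben's post or from any FreeBSD rc file; the interface names and addresses are taken from the post above, while the rule numbers and the FWCMD dry-run default (so the script can be read and checked without root or ipfw) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the post above): a minimal ipfw + natd layout
# for a redirect_port rule, in the order rc.firewall applies them.
# Interfaces and addresses follow the post; FWCMD defaults to a dry run
# that only prints the rules, so it can be checked without ipfw.
fwcmd="${FWCMD:-echo ipfw}"
oif="fxp0"                 # external interface (natd_interface)
iif="fxp1"                 # internal interface
alias_ip="xxx.xxx.xxx.67"  # public alias the web server is reached on
web="192.168.44.17"        # internal web server

firewall_rules() {
    ${fwcmd} -f flush
    # 1. Every packet crossing the external interface goes to natd first.
    #    Inbound to alias_ip:80 is rewritten to web:80 and re-injected;
    #    matching then continues at the next rule with the NEW addresses.
    ${fwcmd} add 50 divert natd ip from any to any via ${oif}
    # 2. So the allow rule for the redirected port must name the internal
    #    host, not the public alias (cf. "needed or packets get blocked").
    ${fwcmd} add 100 allow tcp from any to ${web} 80 in via ${oif}
    # 3. Outbound traffic, including the server's replies, whose source
    #    natd has already rewritten to alias_ip by the time they get here.
    ${fwcmd} add 110 allow tcp from any to any out via ${oif}
    # 4. Replies to connections the LAN opened (already untranslated).
    ${fwcmd} add 120 allow tcp from any to any in via ${oif} established
    # 5. The LAN side is trusted.
    ${fwcmd} add 200 allow ip from any to any via ${iif}
    # 6. Anything else arriving from outside is dropped and logged.
    ${fwcmd} add 65000 deny log ip from any to any
}

# rc.natd: redirect_port takes the protocol first, then target, then alias.
natd_conf() {
    cat <<EOF
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp ${web}:80 ${alias_ip}:80
EOF
}

firewall_rules
natd_conf
```

Run as-is it only prints the rule set and the natd configuration; with FWCMD=/sbin/ipfw it flushes and replaces the live rule set, so read it first and run it on the console, not over the network. Two checks worth making on the box itself: divert rules deliver nothing unless the kernel was built with IPDIVERT, and an `allow log` rule on the external interface will show the translated destination (192.168.44.17) rather than the alias, so a log entry there confirms that natd rewrote the packet, not that the server received it.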