From owner-freebsd-questions  Tue Nov  3 16:12:14 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id QAA11085
          for freebsd-questions-outgoing; Tue, 3 Nov 1998 16:12:14 -0800 (PST)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from orcas.foghead.com (orcas.foghead.com [205.238.52.43])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA11070
          for <freebsd-questions@FreeBSD.ORG>; Tue, 3 Nov 1998 16:12:10 -0800 (PST)
          (envelope-from junkins@foghead.com)
Received: from localhost (junkins@localhost)
	by orcas.foghead.com (8.8.8/8.8.8) with SMTP id QAA22778;
	Tue, 3 Nov 1998 16:12:01 -0800 (PST)
Date: Tue, 3 Nov 1998 16:12:00 -0800 (PST)
From: Doug Junkins <junkins@foghead.com>
X-Sender: junkins@orcas
To: James Snow <sno@flesh.net>
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: natd and ipfw fwd
In-Reply-To: <Pine.BSF.4.02A.9811031421220.27268-100000@silver.teardrop.org>
Message-ID: <Pine.SUN.3.96.981103160508.22487E-100000@orcas>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I've successfully used the following on a firewall/natd box doing what you
are attempting:

	% more /etc/natd.conf
	interface ed1
	redirect_port tcp 192.168.1.200:80 <external.fw.ip.addr>:80

	% more rc.firewall
	# Simple Firewall for use with natd
	#
	# First flush the firewall
	/sbin/ipfw -f flush
	#
	# Now divert stuff to natd for address translation
	#
	/sbin/ipfw add divert natd all from any to any via ed1
	#
	# Allow web traffic to inside web server
	#
	/sbin/ipfw add permit tcp from any to 192.168.1.200 80
	/sbin/ipfw add permit tcp from 192.168.1.200 80 to any
	/sbin/ipfw add permit tcp from <external.fw.ip.addr> 80 to any
	#

The trick that observing the ipfw failures in the syslog led me to was
that both the internal and the external address had to be allowed for
outbound packets.

-Doug

On Tue, 3 Nov 1998, James Snow wrote:

> 
> I seem to be having some trouble implementing the following:
> 
> I have a machine that performs NAT. My LAN is 10.0.0.x, and on the
> Internet side it's some.real.ip.addr.
> 
> The NAT machine is 10.0.0.10 internally. There is another Unix box at
> 10.0.0.2, which runs a web server.
> 
> What I would like to be able to do is transparently map port 80 on the
> machine with the real IP address to the machine at 10.0.0.2.
> 
> The impression that I've gotten from what I've read in the man pages for
> natd and ipfw is that this can be done. But all my attempts at doing it
> have failed. Everything appears to be in place, and then nothing happens. 
> 
> Rather than post how I've done this and try to troubleshoot it, could
> someone else detail for me how they have done this or might do this? I'm
> convinced that I've made some trivial error somewhere and I think if I
> stared at another implementation long enough, I might figure it out.
> 
> 
> Thanks,
> Bewildered,
> James Snow
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message