From owner-freebsd-questions@FreeBSD.ORG Mon Jan 19 13:21:44 2004
From: James Earl
To: Rishi Chopra
cc: freebsd-questions@freebsd.org
Subject: Re: Port Forwarding
Date: Mon, 19 Jan 2004 14:22:43 -0700
Message-Id: <1074547363.889.16.camel@work>
In-Reply-To: <400C44D8.6010408@cal.berkeley.edu>
References: <400C44D8.6010408@cal.berkeley.edu>
X-Mailer: Ximian Evolution 1.4.5
List-Id: User questions

On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
> What I want to do: (1) Change firewall type from 'OPEN' to 'SIMPLE' and
> (2) Forward ports 412 and 5800 to my Win2k box.
>
> What I have: The setup is pictured below.
> IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in
> my kernel config file, are also enabled. Rule-of-thumb advice about
> "how best to secure a network" is not necessary in this case (the Win2k
> box has its own firewall installed (ZoneAlarm) and I already know too
> much about security).
>
>   ISP              FreeBSD Gateway              Win2k Box
>
> >----------rl0--------------rl1-------------------<
>   ALL DHCP         192.168.0.1                  192.168.0.2
>
> The problem: When I change the firewall type to SIMPLE from OPEN, the
> Win2k box can no longer query DNS and pings to the 192.168.0.1 address
> do not work. With the firewall type set to OPEN, there are no problems
> whatsoever. I am also new to the IPFW syntax.
>
> What I would like to know is: (1) the syntax for forwarding incoming
> connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2)
> whether the syntax for allowing connections to the outside network (such
> as DNS) is correct and if some other problem is preventing the win2k box
> from querying DNS when SIMPLE is enabled.

The FreeBSD Handbook can describe port redirection using NAT better than I can:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

With the SIMPLE firewall rules, all your machines on your LAN should be
able to establish connections. Make sure that you have your ISP's DNS
servers' IPs specified on the win2k machine, and also that your FreeBSD
machine's IP is set up as the default gateway in win2k.

You shouldn't be able to ping the FreeBSD gateway from the win2k machine
because of the FreeBSD gateway's firewall.

Another test... try accessing a machine out on the Internet using its IP
address and see if you get out.

James
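The gateway-side configuration the Handbook page above describes, written out for this thread's setup as an added example (not code from the original thread or from FreeBSD): natd redirects TCP 412 and 5800 on the outside interface to the Win2k box at 192.168.0.2, behind the SIMPLE ruleset. It assumes the diagram in the question (rl0 is the DHCP-assigned outside interface, rl1 the inside one at 192.168.0.1), that both forwarded services use TCP, and that the SIMPLE section of /etc/rc.firewall has had its oif/iif variables edited to rl0/rl1; ROOT defaults to a scratch directory so the script runs as a dry run, and is set to / on the gateway itself.

```shell
#!/bin/sh
# Added example, not from the original thread. Writes natd.conf and the
# rc.conf settings for a FreeBSD gateway that NATs a LAN on rl1 out through
# rl0 and forwards TCP 412 and 5800 to the Win2k box.
# Assumptions: rl0 = outside (DHCP), rl1 = inside, target = 192.168.0.2,
# both services are TCP (add matching udp lines if an application needs them).
# ROOT is the filesystem prefix: a scratch dir by default (dry run),
# ROOT=/ on the gateway.

ROOT="${ROOT:-$(mktemp -d)}"

write_natd_conf() {
    # natd(8) configuration: one option per line, same names as the
    # command-line flags without the leading dash. "dynamic" makes natd
    # follow rl0's address when the ISP's DHCP lease changes it.
    cat > "$1" <<'EOF'
interface rl0
dynamic yes
use_sockets yes
same_ports yes
redirect_port tcp 192.168.0.2:412 412
redirect_port tcp 192.168.0.2:5800 5800
EOF
}

append_rc_conf() {
    # firewall_type="simple" selects the SIMPLE section of /etc/rc.firewall;
    # with natd_enable set, rc.firewall adds the "divert natd" rule on
    # natd_interface ahead of the filtering rules, so the redirects are
    # applied before the SIMPLE rules see the packets.
    cat >> "$1" <<'EOF'
gateway_enable="YES"
firewall_enable="YES"
firewall_type="simple"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
EOF
}

count_redirects() {
    # Number of redirect_port lines in a natd.conf (a quick self-check).
    grep -c '^redirect_port' "$1"
}

mkdir -p "$ROOT/etc"
write_natd_conf "$ROOT/etc/natd.conf"
append_rc_conf "$ROOT/etc/rc.conf"
echo "wrote $ROOT/etc/natd.conf ($(count_redirects "$ROOT/etc/natd.conf") redirects) and $ROOT/etc/rc.conf"
```

After a reboot (or `/etc/rc.firewall` rerun and natd restarted), `ipfw show` should list the divert rule on rl0 before the SIMPLE rules, and `sockstat -4` on the Win2k side's counterpart is the place to confirm the forwarded services are actually listening on 192.168.0.2.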