From: Tony Hayes <tony@matchcraft.com>
Date: Fri, 26 May 2000 16:49:07 -0700
To: freebsd-ipfw@freebsd.org
Subject: IP/Port Forwarding
Message-ID: <392F0D73.E15077E1@matchcraft.com>

Hey,

I got one I've been trying to figure out for the last two weeks...

Here's the situation: I have a FreeBSD box running both ipfw and natd. I need to be able to forward any ssh packets coming in to the external interface to an internal address at the same port, i.e. I want to be able to ssh from anywhere on the outside and be forwarded to an internal box.

Here's the rule list I'm using:

    ipfw add divert natd all from any to any via fxp1
    ipfw add allow ip from any to any via lo0
    ipfw add deny ip from any to 127.0.0.1
    ipfw add allow ip from any to any
    ipfw add allow tcp from any to any
    ipfw add allow udp from any to any

- Default rule is deny ip from any to any.

    natd -p 8668 -n fxp1 -redirect_port tcp 172.16.0.250:22 209.157.63.5:22

This appears to half work. natd only shows incoming traffic destined for the internal address. I ran natd in verbose mode to make sure the aliasing was correct (which it was). I ran a tcpdump on the internal box, and saw the packets coming and going on port 22.

The problem is, the aliasing seems only to be working in one direction (incoming). None of the outgoing packets go through the fw. In the verbose output of natd, it shows "IN" for the incoming packets and "OUT" for the outgoing. I could see the incoming ssh packets and could verify they are aliased for the correct destination. The problem was that there were no outgoing packets for ssh. There were other outgoing packets, but none for ssh. This seems very odd to me because I could see ssh packets coming in on the internal box, yet none of the packets are aliased back to the original source.

Any help would be greatly appreciated.

Tony
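Added example, not part of the original post or of natd itself: a small Python model of the two translations that the post's -redirect_port rule has to perform, with a check for the one-direction pattern the poster describes (sessions aliased IN with no matching OUT). The public and internal endpoints are the ones in the post; the remote client addresses are constructed, and the RedirectPort class is a hypothetical simplification, not natd's code.

```python
from dataclasses import dataclass

# Addresses are the ones given in the post; remote clients are constructed.
PUBLIC = ("209.157.63.5", 22)
INTERNAL = ("172.16.0.250", 22)


@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class RedirectPort:
    """Hypothetical model of natd -redirect_port: one public endpoint is
    mapped to one internal endpoint, and replies are mapped back."""

    def __init__(self, internal, public):
        self.internal, self.public = internal, public
        self.sessions = set()   # remote endpoints seen in the IN direction
        self.log = []           # (direction, packet_before, packet_after)

    def inbound(self, pkt):
        """IN: packet arriving on the external interface."""
        if pkt.dst != self.public:
            out = pkt                       # not for the redirected port
        else:
            self.sessions.add(pkt.src)
            out = Packet(pkt.src, self.internal)
        self.log.append(("IN", pkt, out))
        return out

    def outbound(self, pkt):
        """OUT: reply from the internal host on its way out. A reply that never
        reaches this code path (the poster's symptom) is never logged at all."""
        if pkt.src == self.internal and pkt.dst in self.sessions:
            out = Packet(self.public, pkt.dst)   # restore the public source
        else:
            out = pkt                            # no session: leaves unaliased
        self.log.append(("OUT", pkt, out))
        return out


def unanswered(nat):
    """Remote endpoints aliased inbound that have no OUT record: the
    one-direction pattern the post describes."""
    replied = {after.dst for d, _, after in nat.log if d == "OUT"}
    return nat.sessions - replied


def round_trip(nat, remote):
    """One connection request in and its reply out; returns both aliased forms."""
    inside = nat.inbound(Packet(remote, PUBLIC))
    outside = nat.outbound(Packet(INTERNAL, remote))
    return inside, outside
```

A healthy redirect leaves unanswered() empty after each round trip; a remote endpoint that stays in that set is a session whose reply never came back through the divert rule.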