From owner-freebsd-ipfw@FreeBSD.ORG Mon May 5 06:59:16 2003
Message-ID: <3EB66E30.6050708@tenebras.com>
Date: Mon, 05 May 2003 06:59:12 -0700
From: Michael Sierchio
To: John Meyer
Cc: freebsd-ipfw@freebsd.org
In-Reply-To: <000901c3130d$97dab020$0401a8c0@netroach.com>
Subject: Re: FreeBSD 4.2 ipfw natd -- Port Forwarding?
List-Id: IPFW Technical Discussions

John Meyer wrote:

> I have BSD 4.8 with nat and ipfw compiled.
> My ipfw script contains one comment near the end
>
> add 10000 allow tcp from any to 192.168.0.249 setup
>
> and my natd.conf has a statement
>
> redirect_address 192.168.0.249 196.xx.xxx.xxx
>
> The problem is I cannot seem to get what is blocking the connection.

You are. ;-)

Until you're considerably more familiar with ipfirewall and natd, don't use stateful rules with NAT. NAT is already stateful.

Packets on the outbound side won't match your stateful rule, because they aren't from 192.x.y.z but from 196.a.b.c.

> If I do ipfw show while I browse to the IP with Explorer, nothing seems to get to it.
> (Looks like rule 00600 add divert natd ip from any to any via fxp0 blocks it)

So, set natd to deny_incoming if you're concerned about blocking packets that aren't part of any connected tcp stream.
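The script below is an added example, not part of this mail or of John's ruleset. It lays out the stateless arrangement Michael is describing: natd diverts everything crossing the outside interface before any allow rule sees it, the only "state" comes from natd's own translation table, and natd.conf carries deny_incoming together with the redirect. The interface name fxp0 and the inside host 192.168.0.249 are taken from the thread; the public address is passed in as a parameter because the thread redacts it, and the rule numbers, the divert port and the established rule are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original mail): a stateless ipfw ruleset for a
# natd gateway with one address redirect, plus the matching natd.conf.
# Rule numbers, divert port and the "established" rule are assumptions.

oif="fxp0"                  # outside interface (from the thread)
inside="192.168.0.249"      # redirected inside host (from the thread)
natd_port="8668"            # natd's default divert port (assumed)

# Emit the ruleset through "$1": "ipfw -q" to load it, "echo" to preview it.
# This is the rc.firewall convention of routing every rule through ${fwcmd}.
firewall_rules() {
    fwcmd="$1"
    ${fwcmd} flush
    # Translate on the outside interface before anything else looks at the
    # packet: after this rule an inbound packet already carries the inside
    # address and an outbound packet already carries the public one, which is
    # why a keep-state rule written against 192.168.x.x never matches both.
    ${fwcmd} add 600 divert ${natd_port} ip from any to any via ${oif}
    # Replies to sessions natd already knows about (stateless: no
    # keep-state/check-state, natd's table is what tracks the session).
    ${fwcmd} add 700 allow tcp from any to any established
    # New connections to the redirected host: by the time an outside SYN
    # reaches this rule it is addressed to the inside host, so "setup" is
    # enough and no stateful rule is needed.
    ${fwcmd} add 10000 allow tcp from any to ${inside} setup
    ${fwcmd} add 65000 deny log ip from any to any
}

# Print natd.conf for the given public address. deny_incoming drops inbound
# packets with no entry in the translation table; redirect_address creates a
# static entry, so the redirect keeps working with deny_incoming on.
natd_conf() {
    public="$1"
    cat <<EOF
interface ${oif}
deny_incoming yes
redirect_address ${inside} ${public}
EOF
}

# How many rules firewall_rules would load (quick sanity check for a preview).
rule_count() {
    firewall_rules echo | grep -c '^add '
}

if [ "${1:-}" = "apply" ]; then
    firewall_rules "ipfw -q"
fi
```

Run it with no arguments to define the functions only; `firewall_rules echo` previews the rules and `natd_conf 203.0.113.10` (any public address you actually own, 203.0.113.10 is a documentation placeholder) prints the natd.conf; `sh gateway.sh apply` as root loads the rules. Because the divert rule comes first, `ipfw show` will count every packet on rule 600 whether or not it is later passed, so a rising counter there does not mean that rule is what blocks the connection.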