From owner-freebsd-net Tue Sep 19 21:37:28 2000
Delivered-To: freebsd-net@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id DE4DD37B422 for ; Tue, 19 Sep 2000 21:37:24 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 19 Sep 2000 21:35:33 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e8K4aSr17598; Tue, 19 Sep 2000 21:36:28 -0700 (PDT) (envelope-from cjc)
Date: Tue, 19 Sep 2000 21:36:27 -0700
From: "Crist J . Clark"
To: Konan Houphoue
Cc: ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org
Subject: Re: Port 80 redirect: Good news!!
Message-ID: <20000919213627.N367@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from bahobab@hotmail.com on Tue, Sep 19, 2000 at 01:35:56PM -0500
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, Sep 19, 2000 at 01:35:56PM -0500, Konan Houphoue wrote:
> Crist,
>
> This is my "creation" out of desperation. These rules are not being used.
>
> -----------
> #My rules
> #${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup
> #${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup
> -----------
>
> What do you think about the points made by Ben?

I am not on -net either and did not get CC'ed. But I looked up the thread. It looks like he recommended you add the same rule I did. However, his next remarks are in error.
Given the same conventions for the outer interface and IP, and the inner interface and IP, this is what NAT does,

incoming request:

  192.0.2.132:2014 -> ${oip}:80  == NAT ==>  192.0.2.132:2014 -> 192.168.1.40:80

outgoing reply:

  192.168.1.40:80 -> 192.0.2.132:2014  == NAT ==>  ${oip}:80 -> 192.0.2.132:2014

That is, the external address that is the source of the query is not translated. Only your end of the transaction is translated.

> It should be a standard and (somehow) easy rule to do what I'm planning to
> do. I don't think I am the first person to do this, am I? *grin*

It _is_ easy, adding that one rule _should_ fix things. People ask questions like this all of the time. The problem is that it is not possible to write a set of generic rules that are (a) as secure (i.e. as strict) as possible yet (b) allow through any traffic anyone might want to be passing for their setup. The logical course is to make the rules as reasonably strict as they can be and then have each individual poke the extra holes they need. In your case, not only are you poking a hole for port 80, but you are doing NAT, _and_ a redirect. That makes it a little more fun, but not too tough.

> How do I join the FreeBSD-net discussion thread?

I believe it is like joining any other list. However, you might actually be best served by, freebsd-ipfw@freebsd.org

--
Crist J. Clark                                cjclark@alum.mit.edu
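The incoming-request / outgoing-reply translation drawn in the message above, as an added, runnable model that is not part of the thread and not natd's or ipfw's own code. It assumes a single port redirect of the router's public address (${oip}, stood in here by the constructed value 203.0.113.10) port 80 to the internal web server 192.168.1.40:80, and uses the client address 192.0.2.132:2014 from the message. The model makes the point concrete: only the router's end of each packet is rewritten, and the remote peer's address and port pass through untouched in both directions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A TCP packet's addressing tuple; the payload is irrelevant to the translation."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def __str__(self):
        return f"{self.src_ip}:{self.src_port} -> {self.dst_ip}:{self.dst_port}"


class PortRedirect:
    """Models one natd-style port redirect bound to the outside interface.

    Inbound packets addressed to (public_ip, public_port) are rewritten to the
    internal server; the server's replies are rewritten back so they appear to
    come from the public address. The remote peer's end is never touched.
    """

    def __init__(self, public_ip, public_port, internal_ip, internal_port):
        self.public = (public_ip, public_port)
        self.internal = (internal_ip, internal_port)

    def inbound(self, pkt):
        """Packet arriving on the outside interface, before the rest of the ruleset sees it."""
        if (pkt.dst_ip, pkt.dst_port) == self.public:
            return Packet(pkt.src_ip, pkt.src_port, *self.internal)
        return pkt  # not destined for the redirected service: left alone

    def outbound(self, pkt):
        """Packet leaving through the outside interface, i.e. the server's reply."""
        if (pkt.src_ip, pkt.src_port) == self.internal:
            return Packet(*self.public, pkt.dst_ip, pkt.dst_port)
        return pkt


def trace_exchange(nat, client_ip, client_port):
    """Return the four addressing tuples of one request/reply round trip."""
    request = Packet(client_ip, client_port, *nat.public)
    to_server = nat.inbound(request)
    # The server answers the packet it actually received, so it replies to the
    # untranslated client address from the translated internal destination.
    reply = Packet(to_server.dst_ip, to_server.dst_port, to_server.src_ip, to_server.src_port)
    to_client = nat.outbound(reply)
    return {"request": request, "to_server": to_server, "reply": reply, "to_client": to_client}


# Constructed values: ${oip} is stood in by 203.0.113.10 (a documentation address);
# the internal server and client addresses are the ones used in the message.
OIP = "203.0.113.10"
NAT = PortRedirect(OIP, 80, "192.168.1.40", 80)

if __name__ == "__main__":
    for stage, pkt in trace_exchange(NAT, "192.0.2.132", 2014).items():
        print(f"{stage:>10}: {pkt}")
```

Running the block prints the same four lines the message draws by hand. The `to_server` tuple is also what any firewall rule placed after the translation step has to match: by then the destination is the internal server's address, not ${oip}, which is why a rule written only against the public address never sees the redirected connection.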