From: "Hakim Z. Singhji" <hakim.singhji@earthlink.net>
To: Chuck Swiger
Cc: questions@freebsd.org
Date: Tue, 3 Aug 2004 12:49:42 -0400 (GMT-04:00)
Subject: Re: Questions on IPFW???
Message-ID: <3514282.1091551783104.JavaMail.root@waldorf.psp.pas.earthlink.net>

Hello Chuck,

I was wondering if someone could help me answer some questions I have concerning IPFW vs. natd.

I am trying to allow my FreeBSD 4.10 gateway to perform port forwarding for SSH, SQL*Net and web service (web not as important yet). I wanted to know if I can use IPFW as opposed to natd to redirect or pass TCP & UDP (is ICMP out of the question???) to a remote location.

Gateway::192.0.0.1:22 --> remote server 192.0.0.5:22 or 192.0.0.5:9881, for instance.

From the configuration of ipfw it appears that it can be done instead of using natd. Any suggestions or corrections of my logic welcome.

Thanks in advance.

HZS

-----Original Message-----
From: Chuck Swiger
Sent: Aug 3, 2004 12:40 PM
To: "Hakim Z. Singhji"
Cc: questions@freebsd.org
Subject: Re: Questions on IPFW???

Hakim Z. Singhji wrote:
> Question, when NAT overloading is it possible to use only IPFW rules to
> pass TCP/UDP packets to remote ip addresses within the network?

I don't know what "NAT overloading" means.

It is possible to use only IPFW rules to pass TCP & UDP packets from one interface to another using the fwd action. However, note that:

    The fwd action does not change the contents of the packet at all. In
    particular, the destination address remains unmodified, so packets
    forwarded to another system will usually be rejected by that system
    unless there is a matching rule on that system to capture them. For
    packets forwarded locally, the local address of the socket will be set
    to the original destination address of the packet. This makes the
    netstat(1) entry look rather weird but is intended for use with
    transparent proxy servers.

> Or do you have to use natd...because IPFW allows you to execute
> the following for example:
> ****************************************************
> ip from 192.168.99.100 80 to 192.168.99.101 9981
> ****************************************************

That's the body of an IPFW rule which matches packets with those attributes. Without an action ("allow", "deny", "fwd"), what you've written isn't a complete rule: it doesn't mean anything by itself.

> or even in conjunction with a dummynet rule of some sort?

Um. Do you understand the question you are asking? I don't-- perhaps try using a complete sentence.

Better yet, why don't you tell us what your network looks like and what you want to do. You most likely will receive answers which are more specific and more useful to you...

-- 
-Chuck
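A worked configuration for the setup Hakim describes, added here as an example and not taken from either message or from the FreeBSD project: natd's redirect_port performs the destination rewrite that Chuck points out ipfw's fwd action cannot do, so the internal server receives a packet addressed to itself; the fwd rule is included, disabled, only for contrast. The interface names fxp0 (outside) and xl0 (inside), the SQL*Net listener port 1521 and the output directory are assumptions; the addresses 192.0.0.1 and 192.0.0.5 are the ones from the question. The script only generates the natd.conf, ipfw ruleset and rc.conf fragment; it loads nothing into the kernel.

```shell
#!/bin/sh
# Added example: generate natd.conf and an ipfw ruleset that forwards
# gateway ports to an internal host on a FreeBSD 4.x gateway.
# Assumed names: fxp0 = outside interface, xl0 = inside interface,
# 1521 = SQL*Net listener. Addresses are the ones from the question.
EXT_IF=fxp0
INT_IF=xl0
GW_IP=192.0.0.1
SRV_IP=192.0.0.5

# natd.conf. redirect_port rewrites the destination address and port of
# inbound packets (and un-rewrites the replies), which is exactly what fwd
# does not do. Only tcp and udp are valid protocols here: redirect_port
# keys on port numbers and ICMP has none.
natd_conf() {
    cat <<EOF
use_sockets yes
same_ports yes
dynamic yes
redirect_port tcp ${SRV_IP}:22 22
redirect_port tcp ${SRV_IP}:1521 1521
redirect_port tcp ${SRV_IP}:80 80
EOF
}

# ipfw ruleset, loaded through firewall_type="<file>" in rc.conf.
# Kernel needs options IPFIREWALL and IPDIVERT; the fwd rule at the end
# would additionally need IPFIREWALL_FORWARD.
ipfw_rules() {
    cat <<EOF
# Every packet crossing the outside interface is handed to natd first.
# Inbound packets re-enter the ruleset with ${GW_IP}:22 already rewritten
# to ${SRV_IP}:22, so the allow rules below match the internal address.
add 50 divert natd ip from any to any via ${EXT_IF}
add 100 allow tcp from any to ${SRV_IP} 22,1521,80 in via ${EXT_IF} setup
add 110 allow tcp from any to any established
add 120 allow ip from any to any via ${INT_IF}
add 130 allow ip from any to any out via ${EXT_IF}
add 140 allow icmp from any to any icmptypes 0,3,8,11
add 65000 deny log ip from any to any
# For contrast, the ipfw-only approach discussed in the thread. fwd changes
# only the next hop: the packet still carries destination ${GW_IP}, so
# ${SRV_IP} discards it unless ${GW_IP} is configured as an alias there.
#add 40 fwd ${SRV_IP} tcp from any to ${GW_IP} 22 in via ${EXT_IF}
EOF
}

# rc.conf fragment wiring the two files together.
rc_conf() {
    cat <<EOF
gateway_enable="YES"
firewall_enable="YES"
firewall_type="$1/ipfw.rules"
natd_enable="YES"
natd_interface="${EXT_IF}"
natd_flags="-f $1/natd.conf"
EOF
}

# Exit 1 if any redirect_port line names a protocol other than tcp or udp.
validate_redirects() {
    awk '$1 == "redirect_port" && $2 != "tcp" && $2 != "udp" { bad++ }
         END { exit bad > 0 }'
}

# Write the three files into the directory given as $1 (never into /etc).
write_files() {
    mkdir -p "$1"
    natd_conf | validate_redirects || { echo "bad redirect_port" >&2; return 1; }
    natd_conf > "$1/natd.conf"
    ipfw_rules > "$1/ipfw.rules"
    rc_conf "$1" > "$1/rc.conf.add"
}

if [ $# -gt 0 ]; then
    write_files "$1"
fi
```

Run it as `sh gen-fw.sh /tmp/fw`, review the three files, then move natd.conf and ipfw.rules under /etc, append rc.conf.add to /etc/rc.conf and adjust the two paths. A UDP service would get its own `redirect_port udp` line; an ICMP "forward" is not expressible with redirect_port at all, which is the answer to the parenthetical in the question.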