Date: Mon, 11 Aug 2003 01:40:18 -0400
From: "liquid" <liquid@homebass.ca>
To: <darryl@osborne-ind.com>, "'Mike Maltese'" <mike@pcmedx.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: ipfilter - port forward question
Message-ID: <001101c35fcb$0c1246b0$6400a8c0@windows>
In-Reply-To: <004901c35ddc$209379b0$0701a8c0@darryl>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of Darryl Hoar
> Sent: August 8, 2003 2:38 PM
> To: 'Mike Maltese'
> Cc: freebsd-questions@freebsd.org
> Subject: RE: ipfilter - port forward question
>
> Well,
> it does in fact use udp. Here is what I have done.
>
> Added to /etc/ipfilter.rules
>
> pass in quick on ep0 proto tcp from any to any port = 31240 keep state

you *did* in fact mean to say "pass in quick on ep0 proto udp from (etc)

> Added to /etc/ipnat.rules
>
> rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

This appears to be OK.

>
> first question.
> I can reload the ipfilter rules with the
> ipf -Fa -f /etc/ipfilter.rules

you certainly can

>
> how do I reload the ipnat rules ?
>
> I tried ipnat -F then
> ipnat -f /etc/ipnat.rules.

Try ipnat -Cf -f /etc/ipnat.rules

>
> But when I did a ipnat -l it showed that it
> just added the new rdr (so I had two listed).
>
> I rebooted.
>
> External users still couldn't connect. So, I create a new
> ipfilter.rules file with:
> pass in quick on ep0 all keep state
> pass out quick on ep0 all keep state.
>
> reloaded the firewall rules. Users tried to connect but couldn't.
> I looked at the nat table I saw:
>
> map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
> rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]
> <snip out duplicate entries with 1131 changing to different values>
>
>
> I feel I'm close. What am I missing/screwing up ?
>
> thanks,
> Darryl
> FreeBSD 4.7S

OK, you must be close. I'm not entirely sure why that wouldn't be working using the firewall rules you mentioned after rebooting. I've never forwarded anything other than tcp though for basic stuff like www, smtp etc... so I'm unsure if ipnat is picky about udp traffic.

I know that on my ipnat.rules I have this line, unclear though if this would make a difference:

map dc0 192.168.0.0/24 -> xx.xx.xx.xx/32 portmap tcp/udp 30000:50000

I strongly suggest you look at this site... I like to think I'm quite good with ipf/ipnat, and it's solely because of the knowledge of it I got out of the whitepaper located there.

www.obfuscation.org/ipf

HTH,
Sandro
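The protocol mismatch Sandro spots (a `proto tcp` pass rule guarding a `udp` rdr) is easy to miss by eye once a rule set grows. The checker below is an added example written for this thread, not code from the list or from the ipfilter project: it parses `pass in` lines from an ipfilter rule set and `rdr` lines from an ipnat rule set and reports any redirect that no filter rule admits. The sample rule texts are constructed from the lines quoted above. Assumptions: an rdr with no trailing protocol is treated as tcp (ipnat's documented default), only single-port `port N` forms are handled (no ranges), and because ipnat rewrites inbound packets before ipf filters them, the pass rule is matched against the translated (internal) destination port.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples based on the rules quoted in the thread.
IPF_RULES_BROKEN = """
# filter rule says tcp, but the service is udp
pass in quick on ep0 proto tcp from any to any port = 31240 keep state
"""
IPF_RULES_FIXED = """
pass in quick on ep0 proto udp from any to any port = 31240 keep state
"""
IPNAT_RULES = """
rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp
"""


@dataclass
class PassRule:
    iface: str
    proto: Optional[str]   # "tcp", "udp", "tcp/udp", or None when no proto keyword
    dport: Optional[int]   # None when the rule matches any destination port


@dataclass
class RdrRule:
    iface: str
    ext_port: int
    int_addr: str
    int_port: int
    proto: str


def _strip(line: str) -> List[str]:
    """Drop '#' comments and split a rule line into tokens."""
    return line.split("#", 1)[0].split()


def parse_pass_in(line: str) -> Optional[PassRule]:
    """Parse a 'pass in ...' ipfilter rule; other lines return None."""
    toks = _strip(line)
    if len(toks) < 2 or toks[0] != "pass" or toks[1] != "in":
        return None
    iface = proto = None
    dport = None
    for i, tok in enumerate(toks):
        if tok == "on" and i + 1 < len(toks):
            iface = toks[i + 1]
        elif tok == "proto" and i + 1 < len(toks):
            proto = toks[i + 1]
        elif tok == "to":
            # destination clause: "to <addr> [port = N]"
            rest = toks[i + 1:]
            if len(rest) >= 4 and rest[1] == "port" and rest[2] == "=" and rest[3].isdigit():
                dport = int(rest[3])
    return PassRule(iface or "", proto, dport)


def parse_rdr(line: str) -> Optional[RdrRule]:
    """Parse 'rdr <if> <addr> port N -> <addr> port M [proto]'; single ports only."""
    toks = _strip(line)
    if not toks or toks[0] != "rdr" or "->" not in toks:
        return None
    arrow = toks.index("->")
    # Assumed: ipnat treats a missing protocol on an rdr as tcp.
    proto = toks[arrow + 4] if len(toks) > arrow + 4 else "tcp"
    return RdrRule(toks[1], int(toks[arrow - 1]), toks[arrow + 1],
                   int(toks[arrow + 3]), proto)


def covers(rule_proto: Optional[str], rdr_proto: str) -> bool:
    """A pass rule with no proto matches everything; 'tcp/udp' covers both."""
    if rule_proto is None:
        return True
    return set(rdr_proto.split("/")) <= set(rule_proto.split("/"))


def check(ipf_text: str, ipnat_text: str) -> List[str]:
    """Return one finding per rdr that no 'pass in' rule would admit."""
    passes = [r for r in map(parse_pass_in, ipf_text.splitlines()) if r]
    findings = []
    for line in ipnat_text.splitlines():
        rdr = parse_rdr(line)
        if rdr is None:
            continue
        # Inbound NAT happens before filtering, so match the internal port.
        admitted = any(
            p.iface == rdr.iface
            and covers(p.proto, rdr.proto)
            and p.dport in (None, rdr.int_port)
            for p in passes
        )
        if not admitted:
            findings.append(
                f"{rdr.iface}: rdr {rdr.proto} port {rdr.ext_port} -> "
                f"{rdr.int_addr} port {rdr.int_port} has no matching "
                f"'pass in' rule for {rdr.proto} port {rdr.int_port}"
            )
    return findings


if __name__ == "__main__":
    for name, rules in (("broken", IPF_RULES_BROKEN), ("fixed", IPF_RULES_FIXED)):
        print(name, check(rules, IPNAT_RULES) or "no findings")
```

Run it against real files by passing the contents of /etc/ipfilter.rules and /etc/ipnat.rules to `check()`; a catch-all rule such as `pass in quick on ep0 all keep state` is reported as covering every redirect, which is why Darryl's second rule set should not have been the blocker at the filter layer.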