Date: Wed, 7 Mar 2001 22:49:54 -0800
From: "Crist J. Clark" <cjclark@reflexnet.net>
To: Blair Sutton/Odey <B.Sutton@odey.co.uk>
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: masquerade firewall as external host only on one port
Message-ID: <20010307224954.L1367@cjc-desktop.users.reflexcom.com>
In-Reply-To: <OF1C20433A.CD0FEA04-ON80256A08.003E48C7@odey.co.uk>; from B.Sutton@odey.co.uk on Wed, Mar 07, 2001 at 11:53:33AM +0000
References: <OF1C20433A.CD0FEA04-ON80256A08.003E48C7@odey.co.uk>
On Wed, Mar 07, 2001 at 11:53:33AM +0000, Blair Sutton/Odey wrote:
> Hi,
>
> I am trying to set up a firewall router. It has some services running on
> it: squid, dns and ssh.
> What I would like is to get the firewall to trap all traffic originating
> from the internal net 192.168.0.0/24 and travelling to external internet
> machines on a port, say 6666, and pass this on to natd, so natd can then
> translate the source address to the external IP of the firewall, say
> dc0/X.X.X.X. The internal address is, say, fxp0/Y.Y.Y.Y (within
> 192.168.0.0/24).

OK. So the internal machines can only reach the outside on HTTP through a
squid proxy, except for one service going to port 6666 which will be NAT'ed.
Rather limited access, but hey, it's your net.

Instead of these,

> divert natd tcp from any to any 6666
> divert natd tcp from any 6666 to any

I think your NAT rules should be,

  divert natd tcp from 192.168.0.0/24 to any 6666 out via dc0
  divert natd tcp from any 6666 to X.X.X.X in via dc0

As for some of these others... If you are only doing NAT on 6666, it does
not make sense to let other traffic out. You should be using 'via
<interface>' a lot more in your rules.
--
Crist J. Clark                                cjclark@alum.mit.edu
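To show why the tightened rules in the reply matter, here is an added example (not from the thread or from ipfw itself) that models both rule sets as a tiny ipfw-style matcher and runs constructed packets through them; 203.0.113.5 stands in for the firewall's X.X.X.X on dc0.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str       # interface the packet traverses
    direction: str   # "in" or "out"

@dataclass
class Rule:
    # One 'divert natd tcp ...' rule, reduced to the fields used in the thread.
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    direction: Optional[str] = None   # "in" / "out" / None = either
    via: Optional[str] = None         # interface name / None = any

    def matches(self, p: Packet) -> bool:
        def addr_ok(spec: str, ip: str) -> bool:
            return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
        return (addr_ok(self.src, p.src) and addr_ok(self.dst, p.dst)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport)
                and self.direction in (None, p.direction) and self.via in (None, p.iface))

def diverted(rules: List[Rule], p: Packet) -> bool:
    # True if some rule would hand the packet to natd.
    return any(r.matches(p) for r in rules)

EXT_IP = "203.0.113.5"   # constructed stand-in for the firewall's X.X.X.X on dc0
# The rules as first posted: any host, any interface, either direction.
LOOSE = [Rule(dport=6666), Rule(sport=6666)]
# The rules as suggested in the reply.
TIGHT = [Rule(src="192.168.0.0/24", dport=6666, direction="out", via="dc0"),
         Rule(sport=6666, dst=EXT_IP, direction="in", via="dc0")]

# Constructed packets: the intended flow and its reply ...
LAN_TO_NET = Packet("192.168.0.10", "198.51.100.7", 40000, 6666, "dc0", "out")
NET_REPLY = Packet("198.51.100.7", EXT_IP, 6666, 40000, "dc0", "in")
# ... LAN-internal traffic on port 6666, which natd should never rewrite ...
LAN_TO_LAN = Packet("192.168.0.10", "192.168.0.20", 40000, 6666, "fxp0", "out")
# ... and an unsolicited packet from outside source port 6666 aimed at an inside host.
UNSOLICITED = Packet("198.51.100.9", "192.168.0.10", 6666, 40000, "dc0", "in")

def compare(p: Packet):
    # (loose, tight) divert decisions for one packet.
    return diverted(LOOSE, p), diverted(TIGHT, p)
```

Both rule sets divert the intended flow and its reply; only the loose set also sends LAN-to-LAN port 6666 traffic and unsolicited inbound packets from source port 6666 to natd.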