Firewall Wizards mailing list archives

Re: FreeBSD 4.9 ipfw natd -- Port Forwarding


From: Ng Pheng Siong <ngps () netmemetic com>
Date: Tue, 29 Jun 2004 10:11:59 +0800

On Mon, Jun 28, 2004 at 06:05:41PM -0700, Adam Humphrey wrote:
> I tried the ipfw fwd command as well with no success.  It was forwarding the
> packets perfectly but they were still addressed to the outside IP address of
> my freeBSD server and my internal web server was dropping them because they
> were not addressed to its IP.

Ah, yes, natd's manpage says:

     It changes all packets destined for another host so that their source IP
     address is that of the current machine.

This looks like where your first case is tripping up.

And ipfw's manpage says, for 'fwd':

     In particular, the destination address remains unmodified, so packets
     forwarded to another system will usually be rejected by that system
     unless there is a matching rule on that system to capture them.

Which is where my suggestion is tripping up in your case.

Ok, so you want to NAT the external destination address, but keep the 
external source addresses visible to your internal destination addresses.

You might want to try ipnat/ipfilter, then. Something like this:

  map <external-iface> 192.168.x.x/32 -> x.x.x.x/32
  rdr <external-iface> x.x.x.x/32 port 80 -> 192.168.x.x port 80 tcp

First line NATs external address x.x.x.x to internal address 192.168.x.x.
Second line forwards packets hitting x.x.x.x:80 to the internal address.

It is possible to mix and match ipfw and ipfilter, because they hook into
different spots in the packet processing code. You can keep the rest of
your ipfw rules if you don't want to attempt to change them to ipfilter.

Cheers.

-- 
Ng Pheng Siong <ngps () netmemetic com> 

http://firewall.rulemaker.net -+- Version Control for Cisco PIX & Netscreen 
http://sandbox.rulemaker.net/ngps -+- M2Crypto, ZServerSSL/Zope, Blog
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
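The map/rdr pair suggested in the reply above, modelled as an added example that is not part of the original post: it parses the two ipnat rule forms and walks an inbound web request and its reply through them, showing that rdr rewrites only the destination (so the internal server accepts the packet and still sees the real client address) while map rewrites the source of outbound traffic. The interface name fxp0, the internal host 192.168.1.10 and the external address 203.0.113.5 are assumptions made for the example.

```python
import re

# Constructed ipnat rules in the shape the post suggests; fxp0, 192.168.1.10
# and 203.0.113.5 are assumed values, not taken from the original message.
IPNAT_CONF = """
map fxp0 192.168.1.10/32 -> 203.0.113.5/32
rdr fxp0 203.0.113.5/32 port 80 -> 192.168.1.10 port 80 tcp
"""

MAP_RE = re.compile(r"^map\s+(\S+)\s+(\S+)/32\s+->\s+(\S+)/32$")
RDR_RE = re.compile(r"^rdr\s+(\S+)\s+(\S+)/32\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)\s+(\w+)$")

def parse_ipnat(text):
    """Parse only the two rule forms used above into dicts; anything else is rejected."""
    rules = []
    for line in text.strip().splitlines():
        m = MAP_RE.match(line)
        if m:
            rules.append({"kind": "map", "iface": m[1], "internal": m[2], "external": m[3]})
            continue
        m = RDR_RE.match(line)
        if m:
            rules.append({"kind": "rdr", "iface": m[1], "external": m[2], "port": int(m[3]),
                          "internal": m[4], "iport": int(m[5]), "proto": m[6]})
            continue
        raise ValueError("unsupported ipnat rule: " + line)
    return rules

def translate(pkt, direction, rules):
    """Rewrite one packet as ipnat would on the external interface.
    direction is 'in' (arriving from the Internet) or 'out' (leaving for it);
    pkt is a dict with src, sport, dst, dport, proto. First matching rule wins."""
    pkt = dict(pkt)
    for r in rules:
        if (r["kind"] == "rdr" and direction == "in" and pkt["dst"] == r["external"]
                and pkt["dport"] == r["port"] and pkt["proto"] == r["proto"]):
            pkt["dst"], pkt["dport"] = r["internal"], r["iport"]   # source address is left alone
            return pkt
        if r["kind"] == "map" and direction == "out" and pkt["src"] == r["internal"]:
            pkt["src"] = r["external"]                              # hide the RFC 1918 source
            return pkt
    return pkt                                                      # no rule matched: untouched

def host_accepts(pkt, host_ip):
    """The internal web server only takes packets addressed to its own IP."""
    return pkt["dst"] == host_ip

if __name__ == "__main__":
    rules = parse_ipnat(IPNAT_CONF)
    client = {"src": "198.51.100.7", "sport": 40000, "dst": "203.0.113.5", "dport": 80, "proto": "tcp"}
    inside = translate(client, "in", rules)
    print(inside, host_accepts(inside, "192.168.1.10"))
    reply = {"src": "192.168.1.10", "sport": 80, "dst": "198.51.100.7", "dport": 40000, "proto": "tcp"}
    print(translate(reply, "out", rules))
```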
