ipfw forwarding doesn't work - for more than 2 months. --- please help

Sam Wun swun2010 at gmail.com
Wed Nov 28 00:51:55 PST 2007


On Nov 28, 2007 7:45 PM, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> On Nov 28, 2007 4:21 PM, Sam Wun <swun2010 at gmail.com> wrote:
> > On Nov 28, 2007 5:12 PM, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> > > On Nov 28, 2007 12:18 PM, Sam Wun <swun2010 at gmail.com> wrote:
> > > > I have read the manpages and freebsd handbook more than 20 times.
> > >
> > > Oh?  Then I think you must have read this in ipfw manpage:
> > > ...
> > > The fwd action does not change the contents of the packet at all.  In
> > > particular, the destination address remains unmodified, so packets
> > > forwarded to another system will usually be rejected by that system
> > > unless there is a matching rule on that system to capture them.
> > > ...
> > >
> > OK, I misread that. Does that mean I need to implement a rule on the
> > internal web server?
>
> IMHO, what you need is a divert rule and natd on 6, or try 7's ipfw
> with the in-kernel NAT.
>
Can you suggest where I can add a new divert rule in my current ipfw rule set?
belmore# ipfw list
00001 allow udp from any to any dst-port 500
00001 allow esp from any to any
00001 allow esp from any to any
00001 allow ipencap from any to any
00001 allow ipencap from any to any
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00041 allow tcp from 192.168.1.222 to any out
00050 divert 8668 ip4 from any to any via tun0
00100 allow ip from any to any via lo0
00150 allow ip from any to any via rl1
00200 deny ip from any to 127.0.0.0/8
00250 allow ip from any to any via lo0
00300 deny ip from 127.0.0.0/8 to any
00350 allow ip from any to any via gif* keep-state
00450 allow udp from any to any dst-port 53 in keep-state
00550 allow tcp from any to any dst-port 22 in keep-state
00650 allow udp from any to any dst-port 1080-60000 in setup keep-state
00750 allow tcp from any to any dst-port 1080-60000 in keep-state
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
00950 allow tcp from 220.233.24.213 to any out via tun0 setup keep-state
01050 allow tcp from any to any out keep-state
65000 allow ip from any to any
65535 allow ip from any to any

Here is the current rc.conf:
natd_program="/sbin/natd"
natd_enable="yes"
natd_interface="tun0"                # interface name of public Internet NIC
natd_flags="-dynamic -m"            # -m = preserve port numbers if possible
#natd_flags="-f /etc/natd.conf"

and the content of natd.conf:
belmore# cat natd.conf
dynamic yes
redirect_port tcp 192.168.1.222:80 80

Thanks
S
> Best Regards,
> sephe
>
>
> > I think I just need to install rinet in this freebsd router for the
> > port forwarding.
> >
> > Thanks
> >
> >
> > > Best Regards,
> > > sephe
> > >
> > >
> > > >
> > > >
> > > >
> > > > On Nov 28, 2007 2:40 PM, Sepherosa Ziehau <sepherosa at gmail.com> wrote:
> > > > > On Nov 28, 2007 10:03 AM, Sam Wun <swun2010 at gmail.com> wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I set up the following ipfw rules in freebsd 6.2:
> > > > > > belmore# ipfw list
> > > > > > 00001 allow udp from any to any dst-port 500
> > > > > > 00001 allow esp from any to any
> > > > > > 00001 allow esp from any to any
> > > > > > 00001 allow ipencap from any to any
> > > > > > 00001 allow ipencap from any to any
> > > > > > 00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
> > > > >
> > > > > I don't think this does the rdr you intended.  Please take a look at
> > > > > ipfw manpage.
> > > > >
> > > > > Best Regards,
> > > > > sephe
> > > > >
> > > > > > I don't know what is wrong; the freebsd server (6.2) can't
> > > > > > redirect/forward http requests to an internal server (web server -
> > > > > > 192.168.1.222).
> > > > > >
> > > > > > Can anyone please give a suggestion to modify these rules?
> > > > > > Or can you please post your working ipfw rules that achieve the same goal?
> > > > > >
> > > > > > Thanks
> > > > > > S
> > > > > > _______________________________________________
> > > > > > freebsd-ipfw at freebsd.org mailing list
> > > > > > http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
> > > > > > To unsubscribe, send any mail to "freebsd-ipfw-unsubscribe at freebsd.org"
> > > > > --
> > > > > Live Free or Die
> --
> Live Free or Die

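As an added illustration (not code from this thread or from FreeBSD), a small first-match simulator over a constructed excerpt of the ruleset posted above: it shows that an inbound HTTP packet hits rule 00020 (fwd), and with that gone rule 00040 (allow), before it could ever reach the divert rule at 00050, so natd's redirect_port never sees it unless the divert rule comes first. The parser covers only the rule grammar used in the excerpt, the setup/keep-state options are ignored, and the packet is constructed.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed excerpt of the posted 'ipfw list' output; setup/keep-state are not modelled.
RULESET = """\
00020 fwd 192.168.1.222 ip from any to 220.233.24.213 dst-port 80 in
00040 allow tcp from any to 220.233.24.213 dst-port 80 in
00050 divert 8668 ip4 from any to any via tun0
00850 allow tcp from any to 220.233.24.213 dst-port 80 in via tun0 setup keep-state
65535 allow ip from any to any
"""

def parse_rule(line):
    # Subset of the grammar: NUM ACTION [ARG] PROTO from SRC to DST [dst-port P] [in|out] [via IF] ...
    t = line.split()
    r = {"num": int(t[0]), "action": t[1], "arg": None, "dport": None, "dir": None, "via": None}
    i = 2
    if r["action"] in ("fwd", "divert"):        # fwd <nexthop> / divert <port>
        r["arg"], i = t[2], 3
    r["proto"], r["src"], r["dst"] = t[i], t[i + 2], t[i + 4]
    i += 5
    while i < len(t):
        key = {"dst-port": "dport", "via": "via"}.get(t[i])
        if key:                                   # options that take one argument
            r[key], i = t[i + 1], i + 2
        elif t[i] in ("in", "out"):
            r["dir"], i = t[i], i + 1
        else:
            i += 1                                # setup, keep-state: skipped
    return r

def in_net(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, pkt):
    # Every option present on the rule must hold; an absent dst-port means any port.
    lo, _, hi = (r["dport"] or "0-65535").partition("-")
    return (int(lo) <= pkt["dport"] <= int(hi or lo)
            and r["proto"] in ("ip", "ip4", pkt["proto"])
            and in_net(r["src"], pkt["src"]) and in_net(r["dst"], pkt["dst"])
            and r["dir"] in (None, pkt["dir"])
            and (r["via"] is None or fnmatch(pkt["iface"], r["via"])))

def first_match(ruleset, pkt, skip=()):
    # ipfw stops at the first matching rule; 'skip' tries the set without some rule numbers.
    for r in map(parse_rule, ruleset.splitlines()):
        if r["num"] not in skip and rule_matches(r, pkt):
            return r["num"], r["action"]
    return None

# Constructed packet: first SYN of an inbound HTTP connection arriving on tun0.
HTTP_IN = {"proto": "tcp", "src": "203.0.113.5", "dst": "220.233.24.213", "dport": 80, "dir": "in", "iface": "tun0"}
```

Running `first_match(RULESET, HTTP_IN)` returns `(20, 'fwd')`; skipping rule 20 gives `(40, 'allow')`, and only with both 20 and 40 skipped does the packet reach `(50, 'divert')`, where natd can rewrite the destination.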
