Question that has dogged me for a while.
Freddie Cash
fjwcash at gmail.com
Mon May 8 17:18:33 UTC 2017
On Fri, May 5, 2017 at 8:34 PM, Karl Denninger <karl at denninger.net> wrote:
> Can you point me to the ruleset you posted? Thanks in advance.
>
I can't remember all your network details, and don't have the e-mails
saved, so fill in the blanks below. :) And change the ports as needed.
IIF=<internal interface>
EIF=<external interface>
PUB_IP="me"
SRV_IP=<server private IP>
PRV_NET=<client private subnet>
# NAT incoming traffic for port 8080 to server's private IP
# (nat config needs a real aliasing address, so it is taken from $EIF with
# "if" instead of the "me" keyword; the redirect defaults to that address)
ipfw nat 100 config if $EIF same_ports redirect_port tcp $SRV_IP:80 8080
# NAT outgoing traffic from private subnet to public IP
ipfw nat 200 config if $EIF same_ports
# Allow port 8080 traffic to server from private subnet (in)
# nat 100 rewrites the destination to $SRV_IP:80; nat 200 rewrites the source
# to the public IP so the server's reply comes back through the firewall
ipfw add nat 100 tcp from $PRV_NET to $PUB_IP 8080 in recv $IIF
ipfw add nat 200 tcp from $PRV_NET to $SRV_IP 80 out xmit $IIF
ipfw add nat 200 tcp from $SRV_IP 80 to $PUB_IP in recv $IIF
ipfw add nat 100 tcp from $SRV_IP 80 to $PRV_NET out xmit $IIF
# Allow port 8080 traffic from Internet to server (in)
# (nat 100 holds the redirect_port, so both legs must go through it)
ipfw add nat 100 tcp from any to $PUB_IP 8080 in recv $EIF
ipfw add allow tcp from any to $SRV_IP 80 out xmit $IIF
ipfw add allow tcp from $SRV_IP 80 to any in recv $IIF
ipfw add nat 100 tcp from $SRV_IP 80 to any out xmit $EIF
# Allow clients access to Internet (out)
ipfw add allow tcp from $PRV_NET to any in recv $IIF
ipfw add nat 100 tcp from $PRV_NET to any out xmit $EIF
ipfw add nat 100 tcp from any to $PUB_IP in recv $EIF
ipfw add allow tcp from any to $PRV_NET out xmit $IIF
# Block the rest
ipfw add deny log ip from any to any in recv $EIF
ipfw add deny log ip from any to any in recv $IIF
--
Freddie Cash
fjwcash at gmail.com
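As an added illustration (not part of the original post, and not ipfw code), the following Python model walks a LAN client's hairpin connection through the two nat instances of the ruleset above and shows what breaks when the nat 200 source rewrite on the internal interface is left out. The addresses and ports are constructed placeholders.

```python
# Added example, not from the original post: a toy model of libalias behaviour
# for the two ipfw nat instances above. Addresses are constructed placeholders.
PUB_IP, SRV_IP = "203.0.113.10", "192.168.1.20"
CLIENT = ("192.168.1.50", 40000)   # a LAN client in $PRV_NET, ephemeral port

class Nat:
    """One ipfw nat instance: same_ports masquerade plus optional redirect_port."""
    def __init__(self, alias_ip, redirect=None):
        self.alias_ip = alias_ip
        self.redirect = redirect   # (alias_port, (target_ip, target_port))
        self.table = {}            # (alias_ip, alias_port) -> original (ip, port)

    def inbound(self, pkt):        # packet entering the box (ipfw "in")
        src, dst = pkt
        if dst in self.table:      # reply to a masqueraded flow: restore dst
            return (src, self.table[dst])
        if self.redirect and dst == (self.alias_ip, self.redirect[0]):
            return (src, self.redirect[1])   # redirect_port: dst -> server
        return pkt                 # no mapping: delivered unchanged

    def outbound(self, pkt):       # packet leaving the box (ipfw "out")
        src, dst = pkt
        if self.redirect and src == self.redirect[1]:
            return ((self.alias_ip, self.redirect[0]), dst)  # server reply
        alias = (self.alias_ip, src[1])   # same_ports keeps the source port
        self.table[alias] = src
        return (alias, dst)

def hairpin(client, masquerade=True):
    """Return (packet the server sees, packet the client gets back)."""
    nat100 = Nat(PUB_IP, redirect=(8080, (SRV_IP, 80)))
    nat200 = Nat(PUB_IP)
    # client -> PUB:8080, "in recv $IIF": nat 100 rewrites the destination
    p = nat100.inbound((client, (PUB_IP, 8080)))
    # "out xmit $IIF": nat 200 rewrites the source to the public IP
    to_server = nat200.outbound(p) if masquerade else p
    reply = (to_server[1], to_server[0])
    if not masquerade:
        # server answers the LAN client directly from SRV:80; the firewall
        # (and nat 100) never sees the reply, so the client's socket expecting
        # PUB:8080 does not match it
        return to_server, reply
    # reply "in recv $IIF": nat 200 restores the client as destination
    r = nat200.inbound(reply)
    # "out xmit $IIF": nat 100 restores PUB:8080 as the source
    return to_server, nat100.outbound(r)
```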