Question that has dogged me for a while.

Freddie Cash fjwcash at gmail.com
Mon May 8 17:18:33 UTC 2017


On Fri, May 5, 2017 at 8:34 PM, Karl Denninger <karl at denninger.net> wrote:

> Can you point me to the ruleset you posted?  Thanks in advance.
>
I can't remember all your network details, and don't have the e-mails
saved, so fill in the blanks below.  :)  And change the ports as needed.

IIF=<internal interface>
EIF=<external interface>

PUB_IP=<public IP>     # 'nat config ip' needs a real address; the rule keyword "me" is not valid there
SRV_IP=<server private IP>
PRV_NET=<client private subnet>


# NAT incoming traffic for port 8080 to server's private IP
ipfw nat 100 config same_ports ip $PUB_IP redirect_port tcp $SRV_IP:80 $PUB_IP:8080

# NAT outgoing traffic from private subnet to public IP
ipfw nat 200 config same_ports ip $PUB_IP

# Rules match the packet as it looks BEFORE the nat action rewrites it, and a
# forwarded packet is checked twice: "in" on the interface it arrived on and
# "out" on the interface it leaves by.  With net.inet.ip.fw.one_pass=1 (the
# default) a nat action ends that pass.  Port 8080 traffic and its replies must
# go through nat 100, the instance holding the redirect; everything else uses nat 200.

# Allow port 8080 traffic to server from private subnet (hairpin: in and out on $IIF)
ipfw add nat 100 tcp from $PRV_NET to $PUB_IP 8080 in  recv $IIF
ipfw add nat 200 tcp from $PRV_NET to $SRV_IP 80   out xmit $IIF

ipfw add nat 200 tcp from $SRV_IP 80 to $PUB_IP  in  recv $IIF
ipfw add nat 100 tcp from $SRV_IP 80 to $PRV_NET out xmit $IIF


# Allow port 8080 traffic from Internet to server (in)
ipfw add nat 100 tcp from any        to $PUB_IP 8080 in  recv $EIF
ipfw add allow   tcp from any        to $SRV_IP 80   out xmit $IIF

ipfw add allow   tcp from $SRV_IP 80 to any          in  recv $IIF
ipfw add nat 100 tcp from $SRV_IP 80 to any          out xmit $EIF


# Allow clients access to Internet (out)
ipfw add allow   tcp from $PRV_NET to any      in  recv $IIF
ipfw add nat 200 tcp from $PRV_NET to any      out xmit $EIF

ipfw add nat 200 tcp from any      to $PUB_IP  in  recv $EIF
ipfw add allow   tcp from any      to $PRV_NET out xmit $IIF


# Block the rest
ipfw add deny log ip from any to any in recv $EIF
ipfw add deny log ip from any to any in recv $IIF
​

-- 
Freddie Cash
fjwcash at gmail.com
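The ruleset above is easiest to check by walking a packet through it by hand. The script below is an added illustration written for this page, not code from the post or from ipfw/libalias: it is a deliberately simplified model of how ipfw evaluates such a ruleset (an "in" pass on the receiving interface, an "out" pass on the transmitting one, rule criteria matched against the packet before the nat action rewrites it, and a nat action ending the pass as with the default one_pass=1), and it traces three flows: the hairpin from the LAN, a request from the Internet, and a LAN client going out. The interface names em0/em1, the addresses and the client ports are all made up. The `hairpin_reply_from` parameter lets you swap in a reply rule that matches on the post-translation addresses, which is the mistake this kind of ruleset invites: the reply is still allowed, but leaves the server's private address and port untranslated, so the client resets the connection.

```python
"""Simplified model of how ipfw walks the two-nat-instance ruleset in the post
(added illustration, not ipfw or libalias code).  A forwarded packet is checked
twice (in on the arriving interface, out on the leaving one); a rule's from/to
clause is matched BEFORE its nat action rewrites the packet; with the default
net.inet.ip.fw.one_pass=1 a nat action ends the pass.  Addresses are made up."""
import ipaddress

IIF, EIF = "em1", "em0"                                      # assumed interface names
PUB_IP, SRV_IP, PRV_NET = "203.0.113.10", "192.168.1.10", "192.168.1.0/24"

class Nat:
    """One 'ipfw nat N config same_ports ip PUB_IP [redirect_port ...]' instance
    (links keyed on the inside ip/port only; real libalias keys them per flow)."""
    def __init__(self, alias, redirects=()):
        self.alias, self.redirects = alias, dict(redirects)   # alias port -> inside (ip, port)
        self.links = {}                                       # alias port -> inside (ip, port)

    def translate(self, p, outgoing):
        src, sport, dst, dport = p
        if outgoing:                       # rewrite the source; same_ports keeps the port
            aport = next((a for a, ins in self.links.items() if ins == (src, sport)), sport)
            self.links[aport] = (src, sport)
            return (self.alias, aport, dst, dport)
        if dst != self.alias:              # not addressed to the alias: left untouched
            return p
        if dport in self.redirects:        # a static redirect_port creates its link
            self.links[dport] = self.redirects[dport]
        return (src, sport, *self.links[dport]) if dport in self.links else p

def parse(line):                    # '<action> tcp from A [port] to B [port] in|out recv|xmit IF'
    t = line.split()
    i = t.index("tcp")
    src, j = t[i + 2], i + 3
    sport = None if t[j] == "to" else int(t[j])
    j += 1 if sport is None else 2  # step over the optional port and "to"
    dst, j = t[j], j + 1
    dport = None if t[j] in ("in", "out") else int(t[j])
    j += 0 if dport is None else 1
    return (" ".join(t[:i]), src, sport, dst, dport, t[j], t[j + 1], t[j + 2])

def addr_in(ip, spec):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def run_pass(rules, nats, p, direction, recv, xmit):
    """The first matching rule decides; falling off the end is the default deny rule."""
    src, sport, dst, dport = p
    for action, rs, rsp, rd, rdp, rdir, ifk, ifn in rules:
        if rdir != direction or ifn != (recv if ifk == "recv" else xmit):
            continue
        if not (addr_in(src, rs) and addr_in(dst, rd) and rsp in (None, sport) and rdp in (None, dport)):
            continue
        if action == "allow": return p
        if action.startswith("deny"): return None
        return nats[int(action.split()[1])].translate(p, outgoing=(direction == "out"))
    return None

def forward(rules, nats, p, recv):
    """A packet received on `recv`; returns it as it leaves the box, or None if dropped."""
    p = run_pass(rules, nats, p, "in", recv, None)
    if p is None: return None
    xmit = IIF if addr_in(p[2], PRV_NET) else EIF    # routing looks at the translated destination
    return run_pass(rules, nats, p, "out", recv, xmit)

def ruleset(hairpin_reply_from=f"{SRV_IP} 80"):
    """The posted rules, variables filled in; the parameter is the hairpin reply rule's from-clause."""
    return [parse(r) for r in f"""
nat 100 tcp from {PRV_NET} to {PUB_IP} 8080 in recv {IIF}
nat 200 tcp from {PRV_NET} to {SRV_IP} 80 out xmit {IIF}
nat 200 tcp from {SRV_IP} 80 to {PUB_IP} in recv {IIF}
nat 100 tcp from {hairpin_reply_from} to {PRV_NET} out xmit {IIF}
nat 100 tcp from any to {PUB_IP} 8080 in recv {EIF}
allow tcp from any to {SRV_IP} 80 out xmit {IIF}
allow tcp from {SRV_IP} 80 to any in recv {IIF}
nat 100 tcp from {SRV_IP} 80 to any out xmit {EIF}
allow tcp from {PRV_NET} to any in recv {IIF}
nat 200 tcp from {PRV_NET} to any out xmit {EIF}
nat 200 tcp from any to {PUB_IP} in recv {EIF}
allow tcp from any to {PRV_NET} out xmit {IIF}
""".strip().splitlines()]

def new_nats():
    return {100: Nat(PUB_IP, {8080: (SRV_IP, 80)}), 200: Nat(PUB_IP)}

def session(rules, client, client_if, dst, dport):
    """One SYN from `client` and the SYN-ACK back: (request as the server sees it,
    reply as the client sees it); None where the firewall dropped the packet."""
    nats = new_nats()
    req = forward(rules, nats, (*client, dst, dport), client_if)
    if req is None: return None, None
    reply_if = IIF if addr_in(req[2], PRV_NET) else EIF
    rep = forward(rules, nats, (req[2], req[3], req[0], req[1]), reply_if)
    return req, rep

# The three flows the ruleset is meant to handle (client addresses/ports made up).
def hairpin(rules): return session(rules, ("192.168.1.50", 40000), IIF, PUB_IP, 8080)
def from_internet(rules): return session(rules, ("198.51.100.7", 51000), EIF, PUB_IP, 8080)
def lan_to_internet(rules): return session(rules, ("192.168.1.50", 40001), IIF, "198.51.100.7", 443)
```

Call `hairpin(ruleset())` and the client gets its reply back from 203.0.113.10:8080, the address it connected to; call `hairpin(ruleset(f"{PUB_IP} 8080"))` and the same reply leaves as 192.168.1.10:80, because the out-pass rule was written for the addresses the packet has after translation rather than before, so it never matches and the plain allow rule for the private subnet lets the packet out untranslated. Rule order is honoured exactly as ipfw does it, so moving the generic `nat 200 ... out xmit $EIF` rule above the `nat 100 ... from $SRV_IP 80` one would break the Internet case in the same way.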

