Forwarding another host

David DeSimone fox at verio.net
Wed Jan 9 16:11:54 PST 2008



Rodrique Heron <swygue at gmail.com> wrote:
>
> I'm running FreeBSD 6.2 and I want to know if forwarding to a external
> host is supported by PF.  I want to forward all incoming traffic to
> port 22 to another host, but it does not work, forwarding to a Jail
> works though.  Here are my configs:

This is a classic NAT problem.  Picture what happens each step of the
way:

Your firewall = A.B.C.D

External Host = E.F.G.H

External Client = W.X.Y.Z

    Packet (src = W.X.Y.Z dst = A.B.C.D) goes to the firewall.

    Firewall applies NAT, so packet is now (src = W.X.Y.Z, dst =
	E.F.G.H).  Firewall routes the packet back out to the external
	network that it came from.

    External host receives packet (src = W.X.Y.Z, dst = E.F.G.H).

    External host sends back a reply packet (src = E.F.G.H, dst =
	W.X.Y.Z).  This reply goes straight back over the internet; it
	does not ever come back to your firewall, but goes directly back
	to the client.  Firewall does not see reply, so there is no
	chance to apply reverse NAT.

    Client receives packet (src = E.F.G.H, dst = W.X.Y.Z).  The packet
	is unrecognized, however, because the packet that the client
	originally sent was for (src = W.X.Y.Z dst = A.B.C.D).  Client
	sends a RST.  Connection fails.

The way I have solved this problem in other environments is with "double
NAT" where the firewall translates both the Source and Destination IP
for internally-received traffic.  The firewall applies the correct
destination NAT, but also applies NAT to the source IP, giving its own
IP.  This causes the external server to reply back to the firewall so
that the traffic can be de-NAT'd correctly.

However, I am unaware of the ability to perform Double NAT using FreeBSD
tools.  There is no reason the kernel could not do it; it is just a
missing feature in the toolset.

Offhand I am not sure why you would want to forward traffic from your
host over to some external host.  If you really must do this, the only
way that comes to mind would be using a proxy of some sort, opening a
secondary connection to the external host on behalf of the client.

-- 
David DeSimone == Network Admin == fox at verio.net
"This email message is intended for the use of the person to whom
 it has been sent, and may contain information that is confidential
 or legally protected.  If you are not the intended recipient or have
 received this message in error, you are not authorized to copy, dis-
 tribute, or otherwise use this message or its attachments.  Please
 notify the sender immediately by return e-mail and permanently delete
 this message and any attachments.  Verio, Inc. makes no warranty that
 this email is error or virus free.  Thank you."  --Lawyer Bot 6000
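The packet flow described in the reply above, modelled as an added example (this is not code from the post and not pf itself): a stateful NAT box that records each translation and reverses it on replies it actually sees, run once with a plain destination rewrite and once with the "double NAT" (source and destination rewrite) the reply describes. Addresses and port 22 are the ones from the message; the client port and the NAT source port are constructed, and routing is simplified to "a packet reaches the firewall only if the firewall is its destination".

```python
# Added example, not part of the original post: a model of the rdr vs
# double-NAT packet flow. Addresses and port 22 come from the message;
# CLIENT_PORT and NAT_PORT are constructed values.

FIREWALL, EXT_HOST, CLIENT = "A.B.C.D", "E.F.G.H", "W.X.Y.Z"
SSH, CLIENT_PORT, NAT_PORT = 22, 51234, 60001


class Nat:
    """Destination NAT for port 22, optionally also source NAT (double NAT)."""

    def __init__(self, double_nat):
        self.double_nat = double_nat
        # reply 4-tuple as the firewall would see it -> 4-tuple the client expects
        self.state = {}

    def outbound(self, pkt):
        src, sport, dst, dport = pkt
        if dst != FIREWALL or dport != SSH:
            return pkt                       # not a redirected flow, pass through
        if self.double_nat:
            new_src, new_sport = FIREWALL, NAT_PORT   # source rewritten to the firewall
        else:
            new_src, new_sport = src, sport           # plain rdr keeps the client source
        # The external host will answer to (new_src, new_sport); remember how to undo it.
        self.state[(EXT_HOST, SSH, new_src, new_sport)] = (FIREWALL, SSH, src, sport)
        return (new_src, new_sport, EXT_HOST, SSH)

    def inbound_reply(self, pkt):
        return self.state.get(pkt, pkt)      # no state entry -> packet untouched


def simulate(double_nat):
    """Return what the client receives and whether it matches the flow it opened."""
    nat = Nat(double_nat)
    sent = (CLIENT, CLIENT_PORT, FIREWALL, SSH)
    src, sport, dst, dport = nat.outbound(sent)
    reply = (dst, dport, src, sport)         # external host swaps what it saw
    if reply[2] == FIREWALL:                 # only then does the reply cross the firewall
        reply = nat.inbound_reply(reply)
    expected = (FIREWALL, SSH, CLIENT, CLIENT_PORT)
    return {"client_sees": reply, "accepted": reply == expected}


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(mode)
        label = "double NAT" if mode else "plain rdr "
        verdict = "accepted" if r["accepted"] else "unknown flow, client sends RST"
        print(label, r["client_sees"], "->", verdict)
```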