ipfilter - port forward question

liquid liquid at homebass.ca
Sun Aug 10 22:40:08 PDT 2003


> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org [mailto:owner-freebsd-
> questions at freebsd.org] On Behalf Of Darryl Hoar
> Sent: August 8, 2003 2:38 PM
> To: 'Mike Maltese'
> Cc: freebsd-questions at freebsd.org
> Subject: RE: ipfilter - port forward question
> 
> Well,
> it does in fact use udp.  Here is what I have done.
> 
> Added to /etc/ipfilter.rules
> 
> pass in quick on ep0 proto tcp from any to any port = 31240 keep state

you *did* in fact mean to say "pass in quick on ep0 proto udp from (etc)"

> 
> Added to /etc/ipnat.rules
> 
> rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp

This appears to be OK.

> 
> first question.
> I can reload the ipfilter rules with the
>   ipf -Fa -f /etc/ipfilter.rules

you certainly can

> 
> how do I reload the ipnat rules ?
> 
> I tried ipnat -F then
> ipnat -f /etc/ipnat.rules.

Try ipnat -Cf -f /etc/ipnat.rules

> 
> But when I did a ipnat -l  it showed that it
> just added the new rdr (so I had two listed).
> 
> I rebooted.
> 
> External users still couldn't connect.  So, I create a new
> ipfilter.rules file with:
>   pass in quick on ep0 all keep state
>   pass out quick on ep0 all keep state.
> 
> reloaded the firewall rules.  Users tried to connect but couldn't.
> I looked at the nat table I saw:
> 
> map 192.168.1.35 1256 <- -> 24.225.33.88 1256 [24.225.17.163 5101]
> rdr 192.168.1.35 31240 <- -> 24.225.33.88 31240 [24.225.17.163 1131]
> <snip out duplicate entries with 1131 changing to different values>
> 
> 
> I feel I'm close.  What am I missing/screwing up ?
> 
> thanks,
> Darryl
> Freebsd 4.7S

OK, you must be close.  I'm not entirely sure why that wouldn't be
working using the firewall rules you mentioned after rebooting.  I've
never forwarded anything other than tcp though for basic stuff like www,
smtp etc... so I'm unsure if ipnat is picky about udp traffic.  I know
that on my ipnat.rules I have this line, unclear though if this would
make a difference:

map dc0 192.168.0.0/24  -> xx.xx.xx.xx/32  portmap tcp/udp 30000:50000

I strongly suggest you look at this site... I like to think I'm quite
good with ipf/ipnat, and it's solely because of the knowledge of it I
got out of the whitepaper located there.

www.obfuscation.org/ipf

HTH,
Sandro
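
As an added illustration (my own code, not anything posted in the thread and
not part of ipfilter or FreeBSD): the first problem Sandro spots is a filter
rule written for tcp sitting in front of an rdr that redirects udp, and the
second is the reload leaving two copies of the same rdr in the active list.
The checker below reads an ipfilter.rules and an ipnat.rules text, reports
every rdr that no `pass in` rule on the same interface admits (same protocol
and destination port), and reports rdr lines that appear more than once. It
assumes the simple rule syntax seen in the thread (one rdr or pass rule per
line, `port = N` as destination port) and that an rdr with no protocol
keyword defaults to tcp, as ipnat(5) documents; the sample rule texts are
constructed from Darryl's post.

```python
"""Consistency check between ipfilter `pass in` rules and ipnat `rdr` rules.

Assumes the subset of ipf/ipnat syntax used in the thread; anything else is
ignored rather than parsed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Which IP protocols each protocol keyword covers.
PROTOS = {"tcp": {"tcp"}, "udp": {"udp"}, "tcp/udp": {"tcp", "udp"}}


@dataclass(frozen=True)
class RdrRule:
    iface: str
    port: int      # external destination port being redirected
    proto: str     # "tcp", "udp" or "tcp/udp"


@dataclass(frozen=True)
class PassRule:
    iface: str
    proto: Optional[str]   # None: the rule says "all" (any protocol)
    port: Optional[int]    # None: any destination port


RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+\S+\s+port\s+(?P<port>\d+)\s+->\s+\S+\s+port\s+\d+"
    r"(?:\s+(?P<proto>tcp/udp|tcp|udp))?\s*$"
)
PASS_RE = re.compile(
    r"^pass\s+in\s+(?:quick\s+)?on\s+(?P<iface>\S+)\s+"
    r"(?:all|(?:proto\s+(?P<proto>tcp/udp|tcp|udp)\s+)?from\s+\S+\s+to\s+\S+"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?)"
)


def parse_rdr(text: str) -> list:
    """Return the rdr rules found in ipnat.rules text, in file order."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            # ipnat(5): an rdr without a protocol keyword applies to tcp only.
            rules.append(RdrRule(m["iface"], int(m["port"]), m["proto"] or "tcp"))
    return rules


def parse_pass_in(text: str) -> list:
    """Return the inbound pass rules found in ipfilter.rules text."""
    rules = []
    for line in text.splitlines():
        m = PASS_RE.match(line.strip())
        if m:
            port = int(m["port"]) if m["port"] else None
            rules.append(PassRule(m["iface"], m["proto"], port))
    return rules


def admits(rule: PassRule, rdr: RdrRule) -> bool:
    """True if this pass rule lets in every packet the rdr would redirect."""
    if rule.iface != rdr.iface:
        return False
    if rule.port is not None and rule.port != rdr.port:
        return False
    if rule.proto is None:          # "all" covers any protocol
        return True
    return PROTOS[rdr.proto] <= PROTOS[rule.proto]


def unguarded_redirects(ipf_text: str, ipnat_text: str) -> list:
    """rdr rules for which no `pass in` rule admits the redirected traffic."""
    passes = parse_pass_in(ipf_text)
    return [r for r in parse_rdr(ipnat_text) if not any(admits(p, r) for p in passes)]


def duplicate_redirects(ipnat_text: str) -> list:
    """rdr rules listed more than once (what a reload without -C produces)."""
    counts = Counter(parse_rdr(ipnat_text))
    return [r for r, n in counts.items() if n > 1]


# Constructed sample inputs, taken from the rules quoted in the thread.
IPNAT_RULES = "rdr ep0 0/0 port 31240 -> 192.168.1.35 port 31240 udp\n"
IPF_AS_POSTED = "pass in quick on ep0 proto tcp from any to any port = 31240 keep state\n"
IPF_FIXED = "pass in quick on ep0 proto udp from any to any port = 31240 keep state\n"
IPF_OPEN = "pass in quick on ep0 all keep state\npass out quick on ep0 all keep state\n"

if __name__ == "__main__":
    for label, ipf in (("as posted", IPF_AS_POSTED), ("udp fix", IPF_FIXED), ("open", IPF_OPEN)):
        print(label, "-> unguarded:", unguarded_redirects(ipf, IPNAT_RULES))
    print("duplicates after double load:", duplicate_redirects(IPNAT_RULES * 2))
```

Run against the rules as posted it flags the udp rdr on port 31240; with the
proto changed to udp, or with the wide-open `all` rule, it reports nothing,
which matches the thread: the open ruleset removes the filter mismatch, so
whatever still blocked the users after that lies elsewhere than the filter.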