ipfilter & nat redirect

John Murphy sub02 at freeode.co.uk
Wed Mar 22 01:07:13 UTC 2006


"fbsd_user" <fbsd_user at a1poweruser.com> wrote:

>I have a web server on my private lan that I want
>to be accessible from the public internet.
>
>dc0 is the interface facing the public internet
>
>I added this rdr rule after the map rules at the end of my nat file.
>
>  rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
>
>also tried this rule
>
>  rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

I have 'tcpudp' after the port in my rdr rules, but see below.

>My understanding of the documentation says the above rdr rule means,
>
>check all packets inbound on interface dc0, and
>no matter what the sending ip address of the packet may be,
>if the port number of the destination ip address of that packet
>matches port 80,
>then re-write the packet's destination ip address and port to
>10.0.10.4 port 8080 and create the internal nat table to
>handle the translation of the outbound packets coming from
>10.0.10.4.
>Then hand the re-written packet to the firewall to be processed
>against the firewall rules.
>
>My ipfilter firewall rules would need a pass rule like this
>
>pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
>flags S keep state

I think the filter action occurs before NAT so you would need this:

pass in log quick on dc0 proto tcp from any to <your live IP> port = 80

-- 
John.
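The thread leaves two candidate pass rules on the table, and which one matches depends on whether ipf sees the packet before or after ipnat has rewritten it. The Python model below is an added example, not code from the thread: it parses the rdr rule quoted above, applies it to a constructed client SYN (public address 203.0.113.10 is an assumption), records the mapping the way the NAT table would, prints the pass rule that would match each view of the packet, and translates the server's reply back.

```python
import ipaddress
import re
# Constructed input: the rdr rule from the thread plus an assumed live address for dc0
RDR_RULE = "rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080 tcp"
PUBLIC_IP = "203.0.113.10"  # assumption: dc0's public address (documentation range)
RDR_RE = re.compile(r"rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)"
                    r"(?:\s+(tcp|udp|tcpudp))?")
def parse_rdr(text):
    """Parse one ipnat rdr rule; a missing protocol keyword defaults to tcp."""
    m = RDR_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("unrecognised rdr rule: " + text)
    ifname, match, mport, to, tport, proto = m.groups()
    if match in ("0/0", "any"):  # both spellings mean "any destination address"
        match = "0.0.0.0/0"
    return {"ifname": ifname, "match": ipaddress.ip_network(match, strict=False),
            "mport": int(mport), "to": to, "tport": int(tport), "proto": proto or "tcp"}
def rdr_inbound(rule, pkt, state):
    """Rewrite an inbound packet's destination as rdr does and record the mapping
    so the reply can be translated back; non-matching packets return untouched."""
    proto_ok = rule["proto"] in ("tcpudp", pkt["proto"])
    if not (proto_ok and pkt["ifname"] == rule["ifname"] and pkt["dport"] == rule["mport"]
            and ipaddress.ip_address(pkt["dst"]) in rule["match"]):
        return pkt
    key = (pkt["proto"], pkt["src"], pkt["sport"], rule["to"], rule["tport"])
    state[key] = (pkt["dst"], pkt["dport"])  # what the reply must be rewritten back to
    return dict(pkt, dst=rule["to"], dport=rule["tport"])
def rdr_reply(pkt, state):
    """Translate the internal host's reply back to the public address and port."""
    key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
    if key not in state:
        return pkt
    pub_ip, pub_port = state[key]
    return dict(pkt, src=pub_ip, sport=pub_port)
def pass_rule(pkt):
    """The ipf pass rule that matches the packet as the filter would see it."""
    return (f"pass in quick on {pkt['ifname']} proto {pkt['proto']} from any "
            f"to {pkt['dst']} port = {pkt['dport']} flags S keep state")
def demo():
    """Constructed client SYN to the public address; returns both filter views."""
    rule, state = parse_rdr(RDR_RULE), {}
    syn = {"ifname": "dc0", "proto": "tcp", "src": "198.51.100.7", "sport": 40000,
           "dst": PUBLIC_IP, "dport": 80}
    after = rdr_inbound(rule, syn, state)
    reply = dict(syn, src=after["dst"], sport=after["dport"], dst=syn["src"], dport=syn["sport"])
    return {"pre_nat_rule": pass_rule(syn), "post_nat_rule": pass_rule(after),
            "translated": after, "reply_out": rdr_reply(reply, state)}
if __name__ == "__main__":
    for k, v in demo().items(): print(k, "->", v)
```

IPFilter documents inbound processing as ipnat first and then ipf, so the post-translation rule is the one the filter matches; `ipnat -l` shows the loaded rdr rules and active mappings on the running system.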

