ipfilter & nat redirect

Erik Norgaard norgaard at locolomo.org
Wed Mar 22 10:19:45 UTC 2006


fbsd_user wrote:
> I have a web server on my private lan that I want
> to be accessible from the public internet.
> 
> dc0 is the interface facing the public internet
> 
> I added this rdr rule after the map rules at the end of my nat file.

Ordering is extremely important: nat rules are first match while filter 
rules are last match unless you add the quick keyword. So, if you have 
e.g. a binat rule, then the rdr never takes place.

>   rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080
> 
> also tried this rule
> 
>   rdr dc0 0.0.0.0/0 port 80 -> 10.0.10.4 port 8080

seems ok, but you may want to replace the 0/0 with your external ip/32 
if it is fixed.

> My understanding of the documentation says the above rdr rule means,
> 
> check all packets inbound on interface dc0, and
> no matter what the sending ip address of the packet may be,
> if the port number of the destination ip address of that packet
> matches port 80,
> then re-write the packet's destination ip address and port to
> 10.0.10.4 port 8080 and create the internal nat table to
> handle the translation of the outbound packets coming from
> 10.0.10.4.
> Then hand the re-written packet to the firewall to be processed
> against the firewall rules.
> 
> My ipfilter firewall rules would need a pass rule like this
> 
> pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080
> flags S keep state
> 
> to create the bidirectional packet session.
> 
> Problem is I can't get this to work.
> I see nothing in the log for the pass rule.
> 
> Anybody have any idea what I am doing wrong
> or if my understanding of the re-direct process is in error?

When using rdr, the rdr rule is applied _before_ the filtering, so the 
filter rule above seems correct to me.

Always, and in particular for debugging, create a rule that catches and 
logs anything you haven't thought of. Your log only catches successful 
passes; after that rule, add a log rule like:

   block in log quick on dc0

This should show you the packets that actually are filtered.

Cheers, Erik
-- 
Ph: +34.666334818                                  web: www.locolomo.org
S/MIME Certificate: www.daemonsecurity.com/ca/8D03551FFCE04F06.crt
Subject ID:  9E:AA:18:E6:94:7A:91:44:0A:E4:DD:87:73:7F:4E:82:E7:08:9C:72
Fingerprint: 5B:D5:1E:3E:47:E7:EC:1C:4C:C8:3A:19:CC:AE:14:F5:DF:18:0F:B9
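The rule ordering discussed above (nat rules first match, filter rules last match unless quick, rdr applied before filtering) as a complete pair of config fragments. This is an added example, not configuration from Erik or the original poster; it reuses dc0, 10.0.10.4 and port 8080 from the thread, and the LAN prefix 10.0.10.0/24, the portmap range and the use of 0/32 for the interface address are assumptions.

```conf
# /etc/ipnat.conf  (loaded with: ipnat -CF -f /etc/ipnat.conf)
# NAT rules are FIRST match. map rules only see outbound packets and
# rdr rules only see inbound packets, but a binat or an earlier rdr
# covering the same traffic would win, so keep the rdr on its own.

# Outbound: hide the LAN (assumed 10.0.10.0/24) behind dc0's address.
# 0/32 means "use the address currently on dc0"; portmap range assumed.
map dc0 10.0.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
map dc0 10.0.10.0/24 -> 0/32

# Inbound: public port 80 on dc0 -> web server 10.0.10.4:8080.
# "tcp" is the default protocol for rdr; written out for clarity.
# The reverse translation for the server's replies is created
# automatically when a packet matches this rule.
rdr dc0 0/0 port 80 -> 10.0.10.4 port 8080 tcp


# /etc/ipf.conf  (loaded with: ipf -Fa -f /etc/ipf.conf)
# Filter rules are LAST match; "quick" stops at the first match.
# rdr runs before filtering, so an inbound packet arrives here with
# its destination already rewritten to 10.0.10.4:8080. Matching on
# the public address and port 80 would never fire.

# Redirected web traffic: the log here only records successful passes.
pass in log quick on dc0 proto tcp from any to 10.0.10.4 port = 8080 flags S keep state

# Let the LAN out through the NAT; state handles the replies.
pass out quick on dc0 proto tcp from any to any flags S keep state
pass out quick on dc0 proto udp from any to any keep state
pass out quick on dc0 proto icmp from any to any keep state

# Catch-alls: everything that reached this point did not match a pass
# rule above. Logging them is what shows whether the redirect happened
# (ipmon -a prints the blocked packet with its rewritten destination).
block in log quick on dc0
block out log quick on dc0
```

With the catch-alls in place, a web request that shows up in the ipmon output as blocked with destination 10.0.10.4:8080 means the rdr worked and the filter rule is the problem; one blocked with the public address and port 80 means the rdr never matched. Rules for the LAN-side interface are omitted here.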

