IPFilter and IPnat
John Murphy
jfm at blueyonder.co.uk
Thu Mar 4 16:19:46 PST 2004
Me <d3javu1978 at yahoo.com> wrote:
>Hello everyone,
>I'm trying to use ipnat to redirect incoming http
>connections to my server running apache.
>
>I can connect to it internally http://192.168.1.1
>this is my setup.
>
>xl0 = NIC connected to ISP
>vr0 = 192.168.1.2 (my gateway)
>
>my ipnat.conf file looks like this:
>
>map xl0 192.168.1.0/24 -> 0/32
>rdr xl0 0/32 port 80 -> 192.168.1.1 port 80
>
>I have added the following rule at the beginning of my
>ipf.conf incoming connections group on xl0:
>
>pass in quick on xl0 proto tcp from any to 192.168.1.1 port = 80 flags S keep state
I'm no expert (you should ask the questions at freebsd.org list)
but I think you'll find the ipnat rules are actioned after the
ipf rules so the filter should not see anything trying to connect
to an RFC1918 address. It should certainly block anything trying
to connect to such IPs. So try it (preferably) with:
pass in quick on xl0 proto tcp from any to [your external IP] port = 80
Or:
pass in quick on xl0 proto tcp from any to any port = 80
(I don't think you need the keep state for incoming.)
--
HTH, John.
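As an added example (not from either poster), here is a minimal ipnat.conf and ipf.conf pair that puts the rdr rule from the question next to a filter rule that matches it. It assumes the interface names and addresses from the post (xl0 facing the ISP, 192.168.1.0/24 inside, Apache on 192.168.1.1) and relies on IPFilter's processing order: inbound packets are translated by ipnat before the ipf rules are evaluated, while outbound packets are filtered first and translated afterwards, so the inbound pass rule names the post-translation destination.

```conf
# /etc/ipnat.conf  (added example; interface names and addresses from the post)

# Outbound: hide the internal network behind the primary address of xl0
map xl0 192.168.1.0/24 -> 0/32

# Inbound: hand web traffic arriving on xl0 to the internal Apache host
rdr xl0 0/32 port 80 -> 192.168.1.1 port 80

# /etc/ipf.conf  (added example)

# Inbound packets are translated by ipnat before the filter sees them, so the
# filter matches on the rewritten destination 192.168.1.1, not the external IP.
# "block ... all" comes first; the "quick" pass below terminates matching early.
block in log on xl0 all
pass in quick on xl0 proto tcp from any to 192.168.1.1 port = 80 flags S keep state

# Outbound: permit new connections from inside and keep state so replies come
# back through the state table instead of needing their own inbound pass rules.
block out on xl0 all
pass out quick on xl0 proto tcp from any to any flags S keep state
pass out quick on xl0 proto udp from any to any keep state
pass out quick on xl0 proto icmp from any to any keep state
```

With "block in log on xl0 all" in place, anything that is not redirected web traffic is logged, which gives a quick way to confirm from the ipf log whether rejected connections are arriving with the external address or the translated one.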