Re: Proper Port Forwarding

2012-06-07 Thread Ian Smith
In freebsd-questions Digest, Vol 418, Issue 10, Message: 7
On Wed, 06 Jun 2012 14:31:24 -0400 Simon si...@optinet.com wrote:

  Can someone suggest an alternative/proper way to port forward using ipfw. Right
  now I have the following and some bad clients cause too many FIN_WAIT_2 state
  
  fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state
  
  This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
  stops forwarding using the rule above because of too many dynamic rules

Michael's and Dan's suggestions of adjusting sysctl net.inet.ip.fw.dyn* 
variables are good; consider also using 'limit' instead of 'keep-state', 
which works the same except limiting the number of open connections to a 
specified number.  See ipfw(8) /limit and /EXAMPLES for more, but eg:

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit src-addr 9

to prevent any one source address opening more than 9 connections, or

 fwd IP,PORT2 tcp from any to me dst-port PORT1 limit dst-port 42

to limit total open connections by everyone to dst-port PORT1 to 42.

cheers, Ian
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: Proper Port Forwarding

2012-06-07 Thread Michael Powell
Michael Sierchio wrote:

 On Wed, Jun 6, 2012 at 11:31 AM, Simon si...@optinet.com wrote:
 
 This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
 stops forwarding using the rule above because of too many dynamic rules
 
 Change the defaults for the fw.dyn sysctl MIB nodes
 
 to something like
 
 net.inet.ip.fw.dyn_short_lifetime=3
 net.inet.ip.fw.dyn_udp_lifetime=3
 net.inet.ip.fw.dyn_rst_lifetime=1
 net.inet.ip.fw.dyn_fin_lifetime=1
 net.inet.ip.fw.dyn_syn_lifetime=10

There is also this you can place in /etc/sysctl.conf:

net.inet.tcp.fast_finwait2_recycle=1

I do this for my web servers. It helps somewhat, reducing the volume of 
FIN_WAIT_2 that builds up by expiring them sooner. 

-Mike




Re: Proper Port Forwarding

2012-06-07 Thread Michael Sierchio
On Thu, Jun 7, 2012 at 10:15 AM, Michael Powell nightre...@hotmail.com wrote:

 There is also this you can place in /etc/sysctl.conf:

 net.inet.tcp.fast_finwait2_recycle=1


Good catch.  The defaults are perhaps not ideal in all cases:

net.inet.tcp.finwait2_timeout: 6  - ms, ten minutes
net.inet.tcp.fast_finwait2_recycle: 0


Re: Proper Port Forwarding

2012-06-07 Thread Michael Sierchio
On Thu, Jun 7, 2012 at 10:27 AM, Michael Sierchio ku...@tenebras.com wrote:

 net.inet.tcp.finwait2_timeout: 6  - ms, ten minutes

I can't do arithmetic, but you get the idea. A full minute.


Re: Proper Port Forwarding

2012-06-07 Thread Chuck Swiger
On Jun 7, 2012, at 10:29 AM, Michael Sierchio wrote:
 On Thu, Jun 7, 2012 at 10:27 AM, Michael Sierchio ku...@tenebras.com wrote:
 net.inet.tcp.finwait2_timeout: 6  - ms, ten minutes
 
 I can't do arithmetic, but you get the idea. A full minute.

Yes; that's already shorter than the possible MAXTTL value of packets, which can be 
anywhere up to 255 seconds (~= 5 minutes).

Well, it's usually OK for a webserver to decide that it doesn't need to wait 
around for clients to properly shutdown their HTTP connections, but one might 
want to be more careful about zapping sockets early for HTTPS/SSL connections 
(ie, an online store doing a CC transaction or the like).

Regards,
-- 
-Chuck



Proper Port Forwarding

2012-06-06 Thread Simon
Hi,

Can someone suggest an alternative/proper way to port forward using ipfw. Right
now I have the following and some bad clients cause too many FIN_WAIT_2 state

fwd IP,PORT2 tcp from any to me dst-port PORT1 keep-state

This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
stops forwarding using the rule above because of too many dynamic rules

Thanks,
Simon




Re: Proper Port Forwarding

2012-06-06 Thread Michael Sierchio
On Wed, Jun 6, 2012 at 11:31 AM, Simon si...@optinet.com wrote:

 This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
 stops forwarding using the rule above because of too many dynamic rules

Change the defaults for the fw.dyn sysctl MIB nodes

to something like

net.inet.ip.fw.dyn_short_lifetime=3
net.inet.ip.fw.dyn_udp_lifetime=3
net.inet.ip.fw.dyn_rst_lifetime=1
net.inet.ip.fw.dyn_fin_lifetime=1
net.inet.ip.fw.dyn_syn_lifetime=10


Re: Proper Port Forwarding

2012-06-06 Thread Dan Nelson
In the last episode (Jun 06), Michael Sierchio said:
 On Wed, Jun 6, 2012 at 11:31 AM, Simon si...@optinet.com wrote:
 
  This easily causes DoS for when too many FIN_WAIT_2 are created and IPFW
  stops forwarding using the rule above because of too many dynamic
  rules
 
 Change the defaults for the fw.dyn sysctl MIB nodes
 
 to something like
 
 net.inet.ip.fw.dyn_short_lifetime=3
 net.inet.ip.fw.dyn_udp_lifetime=3
 net.inet.ip.fw.dyn_rst_lifetime=1
 net.inet.ip.fw.dyn_fin_lifetime=1
 net.inet.ip.fw.dyn_syn_lifetime=10

Or raise net.inet.ip.fw.dyn_max to a larger number.  The default 4096 may be
too small.

-- 
Dan Nelson
dnel...@allantgroup.com
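The fixes proposed in this thread (shorter dyn_*_lifetime values, fast_finwait2_recycle, a larger dyn_max, or an ipfw `limit` rule) all turn on two numbers: how many sockets each remote client leaves sitting in FIN_WAIT_2, and how full the dynamic rule table is. As an added example, not code from any of the posters, here is a small Python audit that reads the text printed by `netstat -an -p tcp` and by `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max`, ranks remote hosts by FIN_WAIT_2 count, flags the ones that a `limit src-addr N` rule would cap, and reports headroom in the dynamic table. The netstat and sysctl samples embedded below are constructed, and the limit of 2 used in the demo is only there to make the sample trip.

```python
"""Audit TCP connection states and ipfw dynamic-rule headroom.

Added example, not code from the thread. Parses the text layout of
FreeBSD's `netstat -an -p tcp` and `sysctl net.inet.ip.fw.dyn_*` so an
admin can see which remote addresses pile up FIN_WAIT_2 sockets and how
close the dynamic rule table is to net.inet.ip.fw.dyn_max before choosing
between `limit src-addr N`, shorter dyn_*_lifetime values, or a bigger
dyn_max. All sample data below is constructed.
"""
from collections import Counter

# Constructed sample in the layout of `netstat -an -p tcp` on FreeBSD.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.0.2.10.80          203.0.113.5.51234      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.51235      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.51236      FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          203.0.113.5.51237      ESTABLISHED
tcp4       0      0 192.0.2.10.80          198.51.100.7.40001     FIN_WAIT_2
tcp4       0      0 192.0.2.10.80          198.51.100.9.40002     ESTABLISHED
tcp6       0      0 2001:db8::10.80        2001:db8:1::7.33000    FIN_WAIT_2
tcp4       0      0 *.80                   *.*                    LISTEN
"""

# Constructed sample in the layout of `sysctl net.inet.ip.fw.dyn_count net.inet.ip.fw.dyn_max`.
SAMPLE_SYSCTL = """\
net.inet.ip.fw.dyn_count: 3900
net.inet.ip.fw.dyn_max: 4096
"""


def split_addr(addr):
    """Split netstat's 'host.port' form. IPv6 hosts contain ':' but the
    port still follows the last '.', so splitting on the last '.' is safe."""
    host, _, port = addr.rpartition(".")
    return host, port


def parse_netstat(text):
    """Return (proto, local_host, remote_host, state) for each TCP socket,
    skipping the header lines and listening sockets."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        proto, local, remote, state = parts[0], parts[3], parts[4], parts[5]
        if state == "LISTEN":
            continue
        conns.append((proto, split_addr(local)[0], split_addr(remote)[0], state))
    return conns


def count_by_state(conns):
    """How many sockets sit in each TCP state."""
    return Counter(state for _, _, _, state in conns)


def sources_in_state(conns, state="FIN_WAIT_2"):
    """Remote hosts ranked by how many sockets they hold in `state`."""
    return Counter(remote for _, _, remote, s in conns if s == state)


def sources_over_limit(conns, limit, state="FIN_WAIT_2"):
    """Remote hosts that would exceed `limit src-addr <limit>` if every
    socket in `state` still held a dynamic rule."""
    return sorted(h for h, n in sources_in_state(conns, state).items() if n > limit)


def parse_sysctl(text):
    """Turn 'name: value' sysctl output into a dict of integers."""
    out = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            out[key.strip()] = int(val.strip())
    return out


def dyn_headroom(sysctls):
    """Return (used, maximum, fraction used) for the ipfw dynamic rule table."""
    used = sysctls["net.inet.ip.fw.dyn_count"]
    maximum = sysctls["net.inet.ip.fw.dyn_max"]
    return used, maximum, used / maximum


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("states:", dict(count_by_state(conns)))
    print("FIN_WAIT_2 by source:", sources_in_state(conns).most_common())
    print("over limit 2:", sources_over_limit(conns, limit=2))
    used, mx, frac = dyn_headroom(parse_sysctl(SAMPLE_SYSCTL))
    print(f"dynamic rules: {used}/{mx} ({frac:.0%})")
```

On a live box you would pipe the real command output into `parse_netstat` and `parse_sysctl` instead of the samples. The per-source ranking tells you whether the pile-up comes from a few misbehaving clients (where Ian's `limit src-addr` fits) or is spread across everyone (where Dan's larger dyn_max or the shorter lifetimes fit), and a dyn_count close to dyn_max is the condition under which the forwarding rule stops creating new dynamic entries.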


Re: nat and ipfw, port forwarding

2008-12-28 Thread usleepless
Hi Richard,

On Sun, Dec 28, 2008 at 2:30 AM, Richard Yang kusanagiy...@gmail.com wrote:

 thank you, usleep (nice name) i somehow made it work by
 1. add redirect_port udp 10.0.0.200:5 5 in natd.conf
 2. allow all traffic and diversion in ipfw.rules

 i tried to limit the traffic by modifying the rules in ipfw.rules,
 but unsuccessfully. so i just leave it be at this moment.
 i am very confused by the roles of natd and ipfw, and how they should work
 together.


As far as I understand it (anyone please correct me if I am wrong):

There are two types of NAT in FreeBSD to choose from:

1. Natd, which is a userspace daemon. You need to include a divert rule in
your ipfw-config which looks like this:

#ipfw add 100 divert natd all from any to any via $oif ( $oif stands for
outside-interface )

After your packet has been diverted to natd, the NATed package is inserted
once again into the firewall to be checked again.

Port redirection etc is configured in natd.conf.

2. Kernel NAT, which is part of IPFW.

This is what i was referring to in my last message. You set it up through
rc.conf ( see man page ).

There is no need for a divert-rule.

Port redirection etc is configured with ipnat ( store your config in
/etc/ipnat.conf ).

And please, do not top-post.

regards,

usleep







Re: nat and ipfw, port forwarding

2008-12-27 Thread Lowell Gilbert
Richard Yang kusanagiy...@gmail.com writes:

 i have a ssh machine behind a freebsd firewall with nat and ipfw.
 how do i make port forwarding so internet can access the ssh machine?

Use 'redirect_port' with natd(8).
This is extensively documented in the Handbook:
http://www.freebsd.org/doc/en/books/handbook/network-natd.html

-- 
Lowell Gilbert, embedded/networking software engineer, Boston area
http://be-well.ilk.org/~lowell/


Re: nat and ipfw, port forwarding

2008-12-27 Thread usleepless
Hi Ricard,

On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang kusanagiy...@gmail.com wrote:

 hi,
 i have a ssh machine behind a freebsd firewall with nat and ipfw.
 how do i make port forwarding so internet can access the ssh machine?
 thanx


i think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). this is
an example definition:
rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22

( this redirects incoming traffic on outside-interface em1 port 2223 to an
internal machine on port 22 )

also, include firewall_nat_enable in your rc.conf ( read 'man rc.conf' )

to configure the settings from ipnat.conf, run ipnat -C -f /etc/ipnat.conf

regards,

usleep





Re: nat and ipfw, port forwarding

2008-12-27 Thread Richard Yang
thank you, usleep (nice name) i somehow made it work by
1. add redirect_port udp 10.0.0.200:5 5 in natd.conf
2. allow all traffic and diversion in ipfw.rules

i tried to limit the traffic by modifying the rules in ipfw.rules,
but unsuccessfully. so i just leave it be at this moment.
i am very confused by the roles of natd and ipfw, and how they should work
together.

rich


On Sat, Dec 27, 2008 at 8:40 AM, usleepl...@gmail.com wrote:

 Hi Ricard,

 On Fri, Dec 26, 2008 at 9:27 PM, Richard Yang kusanagiy...@gmail.com wrote:

 hi,
 i have a ssh machine behind a freebsd firewall with nat and ipfw.
 how do i make port forwarding so internet can access the ssh machine?
 thanx


 i think you need to configure /etc/ipnat.conf ( read 'man ipnat' ). this is
 an example definition:
 rdr em1 0.0.0.0/0 port 2223 -> 192.168.1.96 port 22

 ( this redirects incoming traffic on outside-interface em1 port 2223 to an
 internal machine on port 22 )

 also, include firewall_nat_enable in your rc.conf ( read 'man rc.conf' )

 to configure the settings from ipnat.conf, run ipnat -C -f
 /etc/ipnat.conf

 regards,

 usleep






nat and ipfw, port forwarding

2008-12-26 Thread Richard Yang
hi,
i have a ssh machine behind a freebsd firewall with nat and ipfw.
how do i make port forwarding so internet can access the ssh machine?
thanx

-- 

Best Regards

Richard Yang
richardy...@richardyang.net
kusanagiy...@gmail.com


Re: Port forwarding behind two routers

2008-11-19 Thread Luke Dean



On Wed, 19 Nov 2008, Jakub T wrote:


2008/11/15 Luke Dean [EMAIL PROTECTED]



Port-forwarding through two NATs is something I've never had any success
with.  I have a few suggestions that have worked for me and my friends with
this setup.

A) Disable NAT on the ADSL router.  I think the term is bridged mode.
Turn it into a dumb box and shift all the NAT/firewall/routing
responsibilities over to your wireless router.  Depending on your ISP, the
hardware, and the protocols involved, this may not be an option for you.

B) Disable NAT on the wireless router.  This allows it to be a simple
switch and wireless access point.  The price is that you're probably relying
on the DHCP server in the wireless router for your wireless devices and
you'll have to disable the DHCP when you disable NAT.  This creates new
problems to be solved.

C) Plug the FreeBSD box into the ADSL router, skipping the wireless router.
 Your wireless devices will still be double-NATted, but if you're not
running servers on them, you might be able to live with that.



Luke,

Thank you very much, your advice was very helpful and I now have a working
port forwarding through two routers. Sorry for the delay in answering,
it took me some time to test various options...

Actually your (A) advice is what did the job. I turned off DHCP server on
ADSL router and enabled NAT - DMZ Host option on it (for which I realized
that it was the closest to your description of bridged mode).

Then I configured the wireless router to use static IP config instead of
expecting DHCP server. The situation is now this:

                INTERNET
                   |
            telephone/adsl-wire
                   |
                   |
               ADSL router
           wan : xx.xx.xx.xx                       FreeBSD box (wired)
           lan : 192.168.1.1                       ip: 192.168.0.102
                   |              laptop           gateway: 192.168.0.1
                   |            (wireless)                |
             [internet plug]  ip: 192.168.0.101           |
            Wireless router   gateway: 192.168.0.1        |
            wan : 192.168.1.2       :                     |
            lan : 192.168.0.1 . . . :                     |
             [ethernet plug]                              |
                   |                                      |
                   +--------------------------------------+

DMZ host for ADSL router is 192.168.1.2 -- and it works!

I have one question more (forgive my ignorance): now the wireless router is
configured to use static IP config and I must provide one or more Static
DNS servers to it. Is it ok to type just 192.168.1.1 as DNS (which works
for now) or to copy DNS servers which are automatically provided to the ADSL
router by the ISP?


Your solution is a little different from what I was suggesting, but it
might be a better solution in some ways.

If 192.168.1.1 really works as a source of DNS, I would take that to
mean that your ADSL router is passing your name requests along to the
nameservers that the ISP provided it.  That's good.
If your ISP ever moves its nameservers, it will tell your ADSL box
about it, and the changes should propagate.
If you hardcoded your DNS addresses into your wireless router, you would
have to change them by hand if a change was ever required.

I believe your wireless router is now responsible for being the
firewall for your network, so make sure you've set that up.


Re: Port forwarding behind two routers

2008-11-18 Thread Jakub T
2008/11/15 Luke Dean [EMAIL PROTECTED]


 Port-forwarding through two NATs is something I've never had any success
 with.  I have a few suggestions that have worked for me and my friends with
 this setup.

 A) Disable NAT on the ADSL router.  I think the term is bridged mode.
 Turn it into a dumb box and shift all the NAT/firewall/routing
 responsibilities over to your wireless router.  Depending on your ISP, the
 hardware, and the protocols involved, this may not be an option for you.

 B) Disable NAT on the wireless router.  This allows it to be a simple
 switch and wireless access point.  The price is that you're probably relying
 on the DHCP server in the wireless router for your wireless devices and
 you'll have to disable the DHCP when you disable NAT.  This creates new
 problems to be solved.

 C) Plug the FreeBSD box into the ADSL router, skipping the wireless router.
  Your wireless devices will still be double-NATted, but if you're not
 running servers on them, you might be able to live with that.


Luke,

Thank you very much, your advice was very helpful and I now have a working
port forwarding through two routers. Sorry for the delay in answering,
it took me some time to test various options...

Actually your (A) advice is what did the job. I turned off DHCP server on
ADSL router and enabled NAT - DMZ Host option on it (for which I realized
that it was the closest to your description of bridged mode).

Then I configured the wireless router to use static IP config instead of
expecting DHCP server. The situation is now this:

                INTERNET
                   |
            telephone/adsl-wire
                   |
                   |
               ADSL router
           wan : xx.xx.xx.xx                       FreeBSD box (wired)
           lan : 192.168.1.1                       ip: 192.168.0.102
                   |              laptop           gateway: 192.168.0.1
                   |            (wireless)                |
             [internet plug]  ip: 192.168.0.101           |
            Wireless router   gateway: 192.168.0.1        |
            wan : 192.168.1.2       :                     |
            lan : 192.168.0.1 . . . :                     |
             [ethernet plug]                              |
                   |                                      |
                   +--------------------------------------+

DMZ host for ADSL router is 192.168.1.2 -- and it works!

I have one question more (forgive my ignorance): now the wireless router is
configured to use static IP config and I must provide one or more Static
DNS servers to it. Is it ok to type just 192.168.1.1 as DNS (which works
for now) or to copy DNS servers which are automatically provided to the ADSL
router by the ISP?

Once again, thank you.
Jakub


Port forwarding behind two routers

2008-11-15 Thread Jakub T
Good day people,

I'm trying to get wireless Internet access for my laptop and to use this
wireless router as a switch for my FreeBSD box at the same time. This
wireless router has one Internet plug and four Ethernet plugs for wired
boxes. Now I have this situation:

                INTERNET
                   |
            telephone/adsl-wire
                   |
                   |
               ADSL router
           wan : xx.xx.xx.xx                       FreeBSD box (wired)
           lan : 192.168.1.1                       ip: 192.168.0.102
                   |              laptop           gateway: 192.168.0.1
                   |            (wireless)                |
             [internet plug]  ip: 192.168.0.101           |
            Wireless router   gateway: 192.168.0.1        |
            lan : 192.168.0.1 . . . :                     |
             [ethernet plug]                              |
                   |                                      |
                   +--------------------------------------+


The wireless router software configured the router like this:

Destination LAN IP   Subnet Mask     Gateway       Interface
0.0.0.0              0.0.0.0         192.168.1.1   WAN (Internet)
192.168.0.0          255.255.255.0   192.168.0.1   LAN & Wireless
192.168.1.0          255.255.255.0   192.168.1.2   WAN (Internet)

... so it works as a switch for two boxes and as a router at the same time.

The FreeBSD box is configured like this:

ifconfig_XXX0="inet 192.168.0.102 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

Now I have Internet connection on both computers. However, I can't get aMule
and other apps that need port forwarding working on FreeBSD box.

First, I tried to configure ADSL router (192.168.1.1) just to forward 4662
port to 192.168.0.102, doesn't work.

Then, I tried this:
192.168.1.1 router: forward 4662 to 192.168.0.1
192.168.0.1 router: forward 4662 to 192.168.0.102

not working again.

I have a feeling that I'm missing something very simple, but can't figure
out what.

(A note: before I acquired a wireless router, forwarding with one router was
just working, with FreeBSD box configured as 192.168.1.101, so that side of
things is ok. And, no, it's not possible to use just wireless router because
I can't plug telephone wire in it.)

Can anyone help me? Should I post more details? TIA,
Jakub


Re: Port forwarding behind two routers

2008-11-15 Thread Luke Dean



On Sat, 15 Nov 2008, Jakub T wrote:


Good day people,

I'm trying to get wireless Internet access for my laptop and to use this
wireless router as a switch for my FreeBSD box at the same time. This
wireless router has one Internet plug and four Ethernet plugs for wired
boxes. Now I have this situation:

                INTERNET
                   |
            telephone/adsl-wire
                   |
                   |
               ADSL router
           wan : xx.xx.xx.xx                       FreeBSD box (wired)
           lan : 192.168.1.1                       ip: 192.168.0.102
                   |              laptop           gateway: 192.168.0.1
                   |            (wireless)                |
             [internet plug]  ip: 192.168.0.101           |
            Wireless router   gateway: 192.168.0.1        |
            lan : 192.168.0.1 . . . :                     |
             [ethernet plug]                              |
                   |                                      |
                   +--------------------------------------+


The wireless router software configured the router like this:

Destination LAN IP   Subnet Mask     Gateway       Interface
0.0.0.0              0.0.0.0         192.168.1.1   WAN (Internet)
192.168.0.0          255.255.255.0   192.168.0.1   LAN & Wireless
192.168.1.0          255.255.255.0   192.168.1.2   WAN (Internet)

... so it works as a switch for two boxes and as a router at the same time.

The FreeBSD box is configured like this:

ifconfig_XXX0="inet 192.168.0.102 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

Now I have Internet connection on both computers. However, I can't get aMule
and other apps that need port forwarding working on FreeBSD box.

First, I tried to configure ADSL router (192.168.1.1) just to forward 4662
port to 192.168.0.102, doesn't work.

Then, I tried this:
192.168.1.1 router: forward 4662 to 192.168.0.1
192.168.0.1 router: forward 4662 to 192.168.0.102

not working again.

I have a feeling that I'm missing something very simple, but can't figure
out what.

(A note: before I acquired a wireless router, forwarding with one router was
just working, with FreeBSD box configured as 192.168.1.101, so that side of
things is ok. And, no, it's not possible to use just wireless router because
I can't plug telephone wire in it.)

Can anyone help me? Should I post more details? TIA,
Jakub


Port-forwarding through two NATs is something I've never had any success 
with.  I have a few suggestions that have worked for me and my 
friends with this setup.


A) Disable NAT on the ADSL router.  I think the term is bridged mode. 
Turn it into a dumb box and shift all the NAT/firewall/routing 
responsibilities over to your wireless router.  Depending on your ISP, the 
hardware, and the protocols involved, this may not be an option for you.


B) Disable NAT on the wireless router.  This allows it to be a simple 
switch and wireless access point.  The price is that you're probably 
relying on the DHCP server in the wireless router for your wireless 
devices and you'll have to disable the DHCP when you disable NAT.  This 
creates new problems to be solved.


C) Plug the FreeBSD box into the ADSL router, skipping the wireless 
router.  Your wireless devices will still be double-NATted, but if you're 
not running servers on them, you might be able to live with that.




Re: Port forwarding behind two routers

2008-11-15 Thread Wojciech Puchar
B) Disable NAT on the wireless router.  This allows it to be a simple switch 
and wireless access point.  The price is that you're probably relying on the 
DHCP server in the wireless router for your wireless devices and you'll have 
to disable the DHCP when you disable NAT.  This creates new problems to be 
solved.


no problem. ADSL router can do DHCP for everything.



C) Plug the FreeBSD box into the ADSL router, skipping the wireless router. 
Your wireless devices will still be double-NATted, but if you're not running 
servers on them, you might be able to live with that.







SSH Port forwarding when PermitRootLogin==no ?

2008-10-27 Thread Kevin Kinsey
Hello,

I'm (still) trying to work around a limitation I've encountered
with a new service provider (cf. MTA on non-standard port).

As root:
 # ssh -L 24:server:52525 server

   fails because root logins aren't permitted in
/etc/sshd_config on the server.

Also as root:
 # ssh -L 24:server:52525 [EMAIL PROTECTED]

fails - a terminal session is established, but
when I telnet localhost:24 I receive this in the
terminal:
   
channel 3: open failed: administratively prohibited: open failed

I was kinda under the impression this should work, since
the port on the remote server is a dynamic port.

Any suggestions how I might get this to work?

TIA,

Kevin Kinsey


Re: SSH Port forwarding when PermitRootLogin==no ?

2008-10-27 Thread Pollywog
On Monday 27 October 2008 17:04:46 Kevin Kinsey wrote:
 Hello,

 I'm (still) trying to work around a limitation I've encountered
 with a new service provider (cf. MTA on non-standard port).

 As root:
  # ssh -L 24:server:52525 server

fails because root logins aren't permitted in
 /etc/sshd_config on the server.

 Also as root:
  # ssh -L 24:server:52525 [EMAIL PROTECTED]

 fails - a terminal session is established, but
 when I telnet localhost:24 I receive this in the
 terminal:

 channel 3: open failed: administratively prohibited: open failed

 I was kinda under the impression this should work, since
 the port on the remote server is a dynamic port.

 Any suggestions how I might get this to work?

I have the same problem with my ISP blocking port 25 inbound and outbound, so 
I use a DNS provider that will relay my email (email for a domain) to me on an 
alternate port.  I don't recall how much this costs me but it is around $40 
yearly.



Re: SSH Port forwarding when PermitRootLogin==no ?

2008-10-27 Thread Jeremy Chadwick
On Mon, Oct 27, 2008 at 12:04:46PM -0500, Kevin Kinsey wrote:
 Hello,
 
 I'm (still) trying to work around a limitation I've encountered
 with a new service provider (cf. MTA on non-standard port).
 
 As root:
  # ssh -L 24:server:52525 server
 
fails because root logins aren't permitted in
 /etc/sshd_config on the server.

I recently discussed how to deal with this in a manner that does not
involve compromising root's security:

1) Make a public key on the machine you're doing ssh -L 24:server:52525 server
   from.  Run ssh-keygen as root
2) Place contents of /root/.ssh/id_rsa.pub in /root/.ssh/authorized_keys
   on server.  Make sure the /root/.ssh directory is perm 0700,
   and authorized_keys is perm 0600.
3) On server, edit /etc/ssh/sshd_config and change this line:

#PermitRootLogin no

...to:

PermitRootLogin without-password

4) Send a SIGHUP signal to the master sshd process.  This might
disconnect any existing SSH sessions to the machine:

kill -HUP `cat /var/run/sshd.pid`

If you're concerned about what without-password does, read the man
page.  It WILL NOT let people SSH into the root account, UNLESS they
have the private key (on server).

 Also as root:
  # ssh -L 24:server:52525 [EMAIL PROTECTED]
 
 fails - a terminal session is established, but
 when I telnet localhost:24 I receive this in the
 terminal:

 channel 3: open failed: administratively prohibited: open failed

No idea what the channel 3: open failed part means, but the latter
likely implies firewalling rules of some kind on the local machine.

-- 
| Jeremy Chadwickjdc at parodius.com |
| Parodius Networking   http://www.parodius.com/ |
| UNIX Systems Administrator  Mountain View, CA, USA |
| Making life hard for others since 1977.  PGP: 4BD6C0CB |

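To confirm that the four steps above were actually applied on the server, here is an added Python example (not Jeremy's code and not part of OpenSSH) that reads an sshd_config text the way sshd resolves a keyword (the first uncommented occurrence wins, and settings inside a Match block are left aside) and audits the 0700/0600 modes on a .ssh directory. The config excerpt and the key directory are constructed; `demo_perms` builds its directory under a temporary path, so nothing on the real system is touched.

```python
"""Verify key-only root SSH hardening (added example).

Not code from the thread. Checks the two things the reply asks for:
PermitRootLogin resolved to a key-only value in sshd_config, and the
0700 / 0600 modes on ~/.ssh and authorized_keys. The sshd_config excerpt
below is constructed, and the demo builds a throwaway .ssh directory
under a tempdir instead of touching real paths.
"""
import os
import stat
import tempfile

# Constructed sshd_config excerpt: the commented default line, the explicit
# setting the reply tells the OP to add, and a Match block that must not
# override the global value.
SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt (constructed)
#PermitRootLogin no
PermitRootLogin without-password
PasswordAuthentication yes
#AllowTcpForwarding yes
Match User backup
    PermitRootLogin no
"""


def effective_setting(config_text, keyword, default):
    """Return the global value of `keyword` as sshd reads it: first
    uncommented occurrence wins; a Match block ends the global section,
    because everything after it applies only to matching sessions."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip()
    return default


def root_login_is_key_only(config_text, default="no"):
    """True when root may log in only with a key: 'without-password' as in
    the reply, or its newer spelling 'prohibit-password'."""
    value = effective_setting(config_text, "PermitRootLogin", default)
    return value in ("without-password", "prohibit-password")


def check_ssh_dir_perms(ssh_dir):
    """Return a list of problems with a .ssh directory: the directory must
    be 0700 and authorized_keys must exist and be 0600 (step 2)."""
    problems = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode != 0o700:
        problems.append(f"{ssh_dir} mode {dir_mode:04o}, expected 0700")
    ak = os.path.join(ssh_dir, "authorized_keys")
    if not os.path.exists(ak):
        problems.append(f"{ak} missing")
    else:
        ak_mode = stat.S_IMODE(os.stat(ak).st_mode)
        if ak_mode != 0o600:
            problems.append(f"{ak} mode {ak_mode:04o}, expected 0600")
    return problems


def demo_perms(dir_mode=0o700, file_mode=0o600):
    """Build a throwaway .ssh directory with the given modes and audit it.
    Returns the problem list, empty when the layout is correct."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        ak = os.path.join(ssh_dir, "authorized_keys")
        with open(ak, "w") as f:
            # Placeholder key line, not a real public key.
            f.write("ssh-rsa AAAA-constructed-placeholder root@client\n")
        os.chmod(ak, file_mode)
        os.chmod(ssh_dir, dir_mode)
        return check_ssh_dir_perms(ssh_dir)


if __name__ == "__main__":
    print("root key-only:", root_login_is_key_only(SAMPLE_SSHD_CONFIG))
    print("correct layout problems:", demo_perms())
    print("world-readable dir problems:", demo_perms(dir_mode=0o755))
```

The "administratively prohibited" refusal in the original post is what sshd sends back when its forwarding policy (AllowTcpForwarding, or a PermitOpen list) denies the channel; that is my note rather than something the replies say, and `effective_setting` can be pointed at AllowTcpForwarding the same way, which is why the constructed excerpt carries that line. Remember that sshd re-reads the file only after the SIGHUP in step 4, so check the file, then send the signal, then test the tunnel.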


Re: SSH through port forwarding

2007-12-28 Thread Chad Perrin
On Tue, Dec 18, 2007 at 05:44:11AM -0500, Gerard Seibert wrote:
  On December 18, 2007 at 12:47AM sham khalil wrote:
  
  once you open port 22 to public ip, you'll get people try to bruteforce your
  machine.
  if you don't want that set sshd to listen to a higher number like 5522
  then forward port 5522 from the router to the internal machines.
  
  unfortunately for wrt54g, you can't forward port 5522 to 22 for internal
  machine.
 
 Security through obscurity is a poor substitute for security. Port scanners
 will eventually find that port also.

One needs something else for security against brute-force attempts, but
changing the port number does help cut down on the amount of bandwidth
consumption on the LAN side of your router by allowing the router to
ignore/deny all incoming traffic on port 22.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Marvin Minsky: It's just incredible that a trillion-synapse computer could
actually spend Saturday afternoon watching a football game.


Re: SSH through port forwarding

2007-12-28 Thread Chad Perrin
On Tue, Dec 18, 2007 at 06:02:18AM +, Pollywog wrote:
 
 Make sure the ISP is not blocking port 22.  If they block it, you will need 
 to 
 change the SSH port in sshd_config and then set the router to forward the 
 port to the server's internal IP address.  It's a good idea to change the 
 port anyway, in order not to be obvious to script kiddies.

You shouldn't have to change the port on which SSH listens on the FreeBSD
machine.  Just set up the router to forward from the higher port number
on incoming requests to port 22 on the internal machine.  It should be
less work that way.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
MacUser, Nov. 1990: There comes a time in the history of any project when
it becomes necessary to shoot the engineers and begin production.


Re: SSH through port forwarding

2007-12-28 Thread Brian

Chad Perrin wrote:

On Tue, Dec 18, 2007 at 05:44:11AM -0500, Gerard Seibert wrote:
  

On December 18, 2007 at 12:47AM sham khalil wrote:

once you open port 22 to public ip, you'll get people try to bruteforce your
machine.
if you don't want that set sshd to listen to a higher number like 5522
then forward port 5522 from the router to the internal machines.

unfortunately for wrt54g, you can't forward port 5522 to 22 for internal
machine.
  

Security through obscurity is a poor substitute for security. Port scanners
will eventually find that port also.



One needs something else for security against brute-force attempts, but
changing the port number does help cut down on the amount of bandwidth
consumption on the LAN side of your router by allowing the router to
ignore/deny all incoming traffic on port 22.

  

Has denyhosts been considered?

Brian


Re: SSH through port forwarding

2007-12-28 Thread Chad Perrin
On Fri, Dec 28, 2007 at 12:19:44PM -0800, Brian wrote:
> Chad Perrin wrote:
>> On Tue, Dec 18, 2007 at 05:44:11AM -0500, Gerard Seibert wrote:
>>> On December 18, 2007 at 12:47AM sham khalil wrote:
>>>> once you open port 22 to public ip, you'll get people trying to brute-force
>>>> your machine.
>>>> if you don't want that, set sshd to listen to a higher number like 5522
>>>> then forward port 5522 from the router to the internal machines.
>>>>
>>>> unfortunately for wrt54g, you can't forward port 5522 to 22 for internal
>>>> machine.
>>>
>>> Security through obscurity is a poor substitute for security. Port
>>> scanners will eventually find that port also.
>>
>> One needs something else for security against brute-force attempts, but
>> changing the port number does help cut down on the amount of bandwidth
>> consumption on the LAN side of your router by allowing the router to
>> ignore/deny all incoming traffic on port 22.
>
> Has denyhosts been considered?

It has been considered (and used) by me -- but I have no idea about the
OP.

-- 
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ]
Larry Wall: A script is what you give the actors.  A program is what you
give the audience.


Re: SSH through port forwarding

2007-12-18 Thread Gerard Seibert
On December 18, 2007 at 12:47AM sham khalil wrote:

> On Dec 18, 2007 12:08 PM, Bill Campbell [EMAIL PROTECTED] wrote:
>
>> On Mon, Dec 17, 2007, Andrew Falanga wrote:
>>> Hi,
>>>
>>> I'm having a difficult time working with my father to get the port
>>> forwarding working on his Linksys router to forward SSH requests to his
>>> FreeBSD machine at home.  As near as we can figure, it's set up correctly.
>>> In case anyone here uses this router it is WRT54G and details (including
>>> a users manual) can be found at,
>>>
>>> http://www.linksys.com/servlet/Satellite?c=L_Product_C2childpagename=US%2FLayoutpagename=Linksys%2FCommon%2FVisitorWrappercid=1149562300349
>>> .
>>>
>>> Now, I'm in Idaho and he's in NY (which does make things difficult).  Are
>>> there any special tricks to setting up port forwarding for SSH?  Probably
>>> should have checked this first, but I'm going to go look on the handbook
>>> too, just to see.
>>
>> It should Just Work(tm).  I don't have one of those handy, but
>> port forwarding is generally under the Advanced tab Linksys
>> routers.  It may be called Games or something like that.  Forward
>> port 22, ssh, to the internal IP and save the settings.
>>
>> Generally one should have a fixed internal IP for forwarding as
>> DHCP assigned IP addresses may change.
>
> once you open port 22 to public ip, you'll get people trying to brute-force your
> machine.
> if you don't want that, set sshd to listen to a higher number like 5522
> then forward port 5522 from the router to the internal machines.
>
> unfortunately for wrt54g, you can't forward port 5522 to 22 for internal
> machine.

Security through obscurity is a poor substitute for security. Port scanners
will eventually find that port also.

Have you checked to see if a firewall is set up that could be blocking the
port?


-- 
Gerard


Re: SSH through port forwarding

2007-12-18 Thread Andrew Falanga


> Security through obscurity is a poor substitute for security. Port
> scanners will eventually find that port also.
>
> Have you checked to see if a firewall is set up that could be blocking the
> port?


Not a thorough check, but my father did turn off the firewall system on that
Linksys router.  I believe he checked some box that basically opened up
everything.  I'm expecting that it's more likely what someone else said
earlier, that the ISP may be blocking it.  I say this for two reasons:

1) When a connection attempt is made, the error I get is a timeout, not a
refusal to connect.  No pun intended, but that smells, or should I say
sniffs, of a firewall.
2) On a different system that I helped build here in Boise, I'm getting the
same problem when we set it up at my friend's house.

Andy

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?


SSH through port forwarding

2007-12-17 Thread Andrew Falanga
Hi,

I'm having a difficult time working with my father to get the port
forwarding working on his Linksys router to forward SSH requests to his
FreeBSD machine at home.  As near as we can figure, it's set up correctly.
In case anyone here uses this router it is WRT54G and details (including a
users manual) can be found at,
http://www.linksys.com/servlet/Satellite?c=L_Product_C2childpagename=US%2FLayoutpagename=Linksys%2FCommon%2FVisitorWrappercid=1149562300349.

Now, I'm in Idaho and he's in NY (which does make things difficult).  Are
there any special tricks to setting up port forwarding for SSH?  Probably
should have checked this first, but I'm going to go look on the handbook
too, just to see.

Andy

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is it such a bad thing?
A: Top-posting.
Q: What is the most annoying thing on usenet and in e-mail?


Re: SSH through port forwarding

2007-12-17 Thread Bill Campbell
On Mon, Dec 17, 2007, Andrew Falanga wrote:
> Hi,
>
> I'm having a difficult time working with my father to get the port
> forwarding working on his Linksys router to forward SSH requests to his
> FreeBSD machine at home.  As near as we can figure, it's set up correctly.
> In case anyone here uses this router it is WRT54G and details (including a
> users manual) can be found at,
> http://www.linksys.com/servlet/Satellite?c=L_Product_C2childpagename=US%2FLayoutpagename=Linksys%2FCommon%2FVisitorWrappercid=1149562300349.
>
> Now, I'm in Idaho and he's in NY (which does make things difficult).  Are
> there any special tricks to setting up port forwarding for SSH?  Probably
> should have checked this first, but I'm going to go look on the handbook
> too, just to see.

It should Just Work(tm).  I don't have one of those handy, but
port forwarding is generally under the Advanced tab Linksys
routers.  It may be called Games or something like that.  Forward
port 22, ssh, to the internal IP and save the settings.

Generally one should have a fixed internal IP for forwarding as
DHCP assigned IP addresses may change.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

there is nothing more difficult to take in hand, more perilous to
conduct, or more uncertain in its success, than to take the lead in
the introduction of a new order of things.  Because the innovator has
for enemies all those who have done well under the old conditions,
and lukewarm defenders in those who may do well under the new.
-- Machiavelli


Re: SSH through port forwarding

2007-12-17 Thread Pollywog

Make sure the ISP is not blocking port 22.  If they block it, you will need to 
change the SSH port in sshd_config and then set the router to forward the 
port to the server's internal IP address.  It's a good idea to change the 
port anyway, in order not to be obvious to script kiddies.




Re: SSH through port forwarding

2007-12-17 Thread sham khalil
On Dec 18, 2007 12:08 PM, Bill Campbell [EMAIL PROTECTED] wrote:

> On Mon, Dec 17, 2007, Andrew Falanga wrote:
>> Hi,
>>
>> I'm having a difficult time working with my father to get the port
>> forwarding working on his Linksys router to forward SSH requests to his
>> FreeBSD machine at home.  As near as we can figure, it's set up correctly.
>> In case anyone here uses this router it is WRT54G and details (including
>> a users manual) can be found at,
>>
>> http://www.linksys.com/servlet/Satellite?c=L_Product_C2childpagename=US%2FLayoutpagename=Linksys%2FCommon%2FVisitorWrappercid=1149562300349
>> .
>>
>> Now, I'm in Idaho and he's in NY (which does make things difficult).  Are
>> there any special tricks to setting up port forwarding for SSH?  Probably
>> should have checked this first, but I'm going to go look on the handbook
>> too, just to see.
>
> It should Just Work(tm).  I don't have one of those handy, but
> port forwarding is generally under the Advanced tab Linksys
> routers.  It may be called Games or something like that.  Forward
> port 22, ssh, to the internal IP and save the settings.
>
> Generally one should have a fixed internal IP for forwarding as
> DHCP assigned IP addresses may change.


once you open port 22 to public ip, you'll get people trying to brute-force your
machine.
if you don't want that, set sshd to listen to a higher number like 5522
then forward port 5522 from the router to the internal machines.

unfortunately for wrt54g, you can't forward port 5522 to 22 for internal
machine.

sham khalil


Problem with Nat (port forwarding)

2007-01-22 Thread Paul Procacci
Hey all,

I've been spending hours trying to figure out why my machine at the office
(Linux) cannot connect to my FreeBSD (6.1) machine behind my NAT'ed gateway.
This was working fine previously, before my Linksys router decided to take a
nose dive, so I am sure the Linux box that is attempting to establish the
connection is configured fine.

When the router crapped out, I decided to put all that old hardware I wasn't
using for anything to good use.  What I ended up with is a Pentium 3 200mhz
machine with several network interfaces connected to my internet provider
(BellSouth).  In order to continue working from home, it's necessary that I
get this tunnel up and running, and for the life of me, I can't seem to figure
out what exactly I'm doing wrong.  Here is my current configuration:


Gateway (FBSD 6.2) - IPFW / NATD
--------------------------------


PPPoE Configuration for DSL (Works fine)
----------------------------------------
nat# cat /etc/ppp/ppp.conf
default:
 set log Phase Chat LCP IPCP CCP tun command
 ident user-ppp VERSION (built COMPILATIONDATE)
 set device PPPoE:xl0:pppoe-in
 enable lqr echo
 set cd 5
 set dial
 set login
 set authname username
 set authkey pass
 set redial 0 0
 enable dns
 set ifaddr 0.0.0.0/0 0.0.0.0/0 255.255.255.0 0.0.0.0
 add default HISADDR


The above creates the following device without problems:
--------------------------------------------------------
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet xx.xx.xx.xx --> xx.xx.xx.xx netmask 0xffffff00
        Opened by PID 492


Natd configuration (Works fine w/ the exception of port forwarding)
-------------------------------------------------------------------
natd_enable="YES"
natd_flags="-dynamic -m -redirect_port tcp 10.5.21.246:5000 5000"
natd_interface="tun0"


IPFW RULES (works fine)
-----------------------
nat# ipfw show
00001     0       0 allow ip from any to any via lo0
00002     0       0 deny ip from any to 127.0.0.0/8
00003     0       0 deny ip from 127.0.0.0/8 to any
00050     6     444 allow ip from any to any via xl0
00051 10646 2950467 allow ip from any to any via fxp0
00052  1212  101901 allow ip from any to any via dc0
00053   534  261533 allow ip from any to any via rl0
00100  4316 2156348 divert 8668 ip from any to any in via tun0
00101     0       0 check-state
00150  1121  332120 skipto 500 udp from any to any out via tun0 keep-state
00160  5795 2319421 skipto 500 tcp from any to any out via tun0 setup keep-state
00170918551 skipto 500 icmp from any to any out via tun0 keep-state
00180  1013   87013 skipto 500 gre from any to any out via tun0 keep-state
00301   941   57268 allow tcp from any to 10.5.21.246 dst-port 5000 in via tun0 setup keep-state
00400   264   19399 deny log ip from any to any
00500  4182  622757 divert 8668 ip from any to any out via tun0
00501  8020 2747105 allow ip from any to any
65535444726 allow ip from any to any


Do note, the interface housing the vtund application that I'm concerned with
lives over the fxp0 interface.  In addition, rule number 00301 triggers
appropriately when a packet destined for port 5000 is inbound.
/var/log/security makes no mention of anything being denied by this firewall
ruleset destined for or originating from port 5000 by any host.  This is
certainly the case, as the host where vtund is running is receiving packets
from the gateway on port 5000 (info showing this follows).  I also see the
vtund box responding to the inbound packets, but it never creates the tunnel
device as it should, and nothing gets logged.



VTUND HOST
----------

IPFW RULES  (NONE)
------------------

NETSTAT
-------
nat# netstat -nat | fgrep 5000
tcp4       0      0  *.5000                 *.*                    LISTEN



IS IT LISTENING???   -- YES
---------------------------
nat# telnet 10.5.21.246 5000
Trying 10.5.21.246...
Connected to work_machine.
Escape character is '^]'.
VTUN server ver  12/20/2006



TCPDUMP from destination machine (Packets are making it this far)
-----------------------------------------------------------------
fileserv# tcpdump -i em0 port 5000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 68 bytes
01:18:16.831396 IP 10.5.21.246.commplex-main > foreign_host.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:19.846872 IP foreign_host.20342 > 10.5.21.246.commplex-main: S 1110928858:1110928858(0) win 5840 <mss 1380,sackOK,timestamp 116412145[|tcp]>
01:18:19.846894 IP 10.5.21.246.commplex-main > foreign_host.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:25.876180 IP 10.5.21.246.commplex-main > foreign_host.20342: S 2762324279:2762324279(0) ack 1110928859 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp[|tcp]>
01:18:31.912374 IP foreign_host.20342 > 10.5.21.246

AMD64 SSH Port Forwarding?

2006-09-12 Thread veldy
Has anybody noted any issues with port forwarding using SSH tunnels on
FreeBSD 6.1 AMD64?  I just recently upgraded my machine from i386 to
amd64, using nearly all the same configuration files.  Now, remotely, I
make an SSH session to my machine and attempt to forward ports, as usual,
and I find that all of these fail.  The listener exists on localhost, but
nothing is forwarded. Trying to connect to the localhost listener results
in a connection, but no traffic.  I can verify all services are running.

For what it's worth:

FreeBSD 6.1-p6 AMD64
PF (same configuration as previous machine that worked)
Ports - 25, 443, 3128

All above ports are active and functioning, but forwarding to them via a
tunnel consistently fails.  Only changes are motherboard, CPU, memory and
of course moved from i386 to amd64.  The NICs, hard drives and cd/dvd
drives all came from the old machine and are the same physical pieces of
hardware.

I have not been able to find any configuration changes that can account
for this behavior and I find no record in the logs whatsoever.




Re: Port forwarding.

2006-01-24 Thread Igor Robul
On Tue, Jan 24, 2006 at 06:41:27AM +0100, Daniel A. wrote:
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>         ether 00:0a:e6:53:fc:1e
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         options=8<VLAN_MTU>
>         inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
>         inet 87.50.69.60 netmask 0xffffff80 broadcast 87.50.69.127
>         ether 00:b0:02:00:27:f3
>         media: Ethernet autoselect (100baseTX <full-duplex>)
>         status: active
>
> I have been googling and reading ifconfig papers all day yesterday, in
> the search for how to do simple port-forwarding, but nothing has
> worked.
> So, this is my final resort: How would I forward the ports 9541 (TCP)
> and 9542 (UDP) to 192.168.0.2 on my LAN?
/etc/ipnat.conf:
rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp

somewhere at the top of the file (before map).

Also you need something like this in your /etc/ipf.rules:

pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state


Re: Port forwarding.

2006-01-24 Thread Daniel A.
Ah, thanks a lot! It finally works!

*Does a happy dance*

All the other guides to ipfilter / ipnat only listed changes to ONE of
the files (either ipf.rules or ipnat.rules), and never mentioned
putting the changes before mapping, even though they did cover that
topic.

On 1/24/06, Igor Robul [EMAIL PROTECTED] wrote:
> On Tue, Jan 24, 2006 at 06:41:27AM +0100, Daniel A. wrote:
>> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         options=8<VLAN_MTU>
>>         inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
>>         inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
>>         ether 00:0a:e6:53:fc:1e
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>>         options=8<VLAN_MTU>
>>         inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
>>         inet 87.50.69.60 netmask 0xffffff80 broadcast 87.50.69.127
>>         ether 00:b0:02:00:27:f3
>>         media: Ethernet autoselect (100baseTX <full-duplex>)
>>         status: active
>>
>> I have been googling and reading ifconfig papers all day yesterday, in
>> the search for how to do simple port-forwarding, but nothing has
>> worked.
>> So, this is my final resort: How would I forward the ports 9541 (TCP)
>> and 9542 (UDP) to 192.168.0.2 on my LAN?
> /etc/ipnat.conf:
> rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
> rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
>
> somewhere at the top of the file (before map).
>
> Also you need something like this in your /etc/ipf.rules:
>
> pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
> pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state


Port forwarding.

2006-01-23 Thread Daniel A.
Hello people,
Just yesterday I got my first experience with ipfilter and ipnat. I
followed this guide:
http://www.bsdguides.org/guides/freebsd/networking/ipfilter.php to the
point.

ifconfig -a gives this output about the relevant NICs:
sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:0a:e6:53:fc:1e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
        inet 87.50.69.60 netmask 0xffffff80 broadcast 87.50.69.127
        ether 00:b0:02:00:27:f3
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active

I have been googling and reading ifconfig papers all day yesterday, in
the search for how to do simple port-forwarding, but nothing has
worked.
So, this is my final resort: How would I forward the ports 9541 (TCP)
and 9542 (UDP) to 192.168.0.2 on my LAN?


Re: SSH Port Forwarding Specific IP

2005-10-14 Thread Lowell Gilbert
John Do [EMAIL PROTECTED] writes:

> If you have a FreeBSD computer with multiple IP
> addresses and you want an outside client to tunnel how
> can you force the tunnel to use a certain IP?

Isn't the -b option for exactly that?


SSH Port Forwarding Specific IP

2005-10-12 Thread John Do
If you have a FreeBSD computer with multiple IP
addresses and you want an outside client to tunnel how
can you force the tunnel to use a certain IP?

Thanks!








Re: Question about ipfw, natd and port forwarding.

2005-03-06 Thread Jeff Penn
Deling Ren [EMAIL PROTECTED]:
> Hi all, I am trying to set up a NAT box for my home network on freebsd 5.3.
> I am using ipfw and natd. I already got nat running but I am having
> problem with port forwarding. I am trying to forward port 80 on the nat
> box to an internal machine (192.168.0.7). I have the following as part of

> I have no problem connecting port 80 on the nat box from outside. But as I
> added stateful ipfw rules, it stops working. Running nmap from outside
> says port 80 is filtered. I am not sure how to configure the rules to
> enable port forwarding. Any help will be appreciated. Thanks.

> 00005 allow ip from any to any via $iif

This is a limitation of ipfw, nat cannot be used with keep-state rules.
If $iif above is ppp you can get around this by configuring ppp(8) to
perform nat.

Jeff



Re: Question about ipfw, natd and port forwarding.

2005-02-28 Thread Lowell Gilbert
Deling Ren [EMAIL PROTECTED] writes:

> Hi all, I am trying to set up a NAT box for my home network on freebsd 5.3.
> I am using ipfw and natd. I already got nat running but I am having
> problem with port forwarding. I am trying to forward port 80 on the nat
> box to an internal machine (192.168.0.7). I have the following as part of
> natd_flags:
>
> -redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80
>
> where xx.xx.xx.xx is the external IP of the nat box.
>
> Using the following ipfw rules:
>
> 00050 divert 8668 ip from any to any via sis0
> 65535 allow ip from any to any
>
> I have no problem connecting port 80 on the nat box from outside. But as I
> added stateful ipfw rules, it stops working. Running nmap from outside
> says port 80 is filtered. I am not sure how to configure the rules to
> enable port forwarding. Any help will be appreciated. Thanks.
>
> Deling
>
> Here are my ipfw rules:
>
> 00005 allow ip from any to any via $iif
> 00010 allow ip from any to any via lo0
> 00014 divert 8668 ip from any to any in via $oif
>
> 00015 check-state
>
> 00060 skipto 800 tcp from any to any out via $oif setup keep-state
> 00080 skipto 800 icmp from any to any out via $oif keep-state
> 00130 skipto 800 udp from any to any out via $oif keep-state
>
> 00340 allow icmp from any to me in via $oif keep-state
>
> 00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
> 00380 allow tcp from any to me dst-port 22 in via $oif setup limit
> src-addr 5
>
> 00400 deny log logamount 5 ip from any to any in via $oif
> 00450 deny log logamount 5 ip from any to any out via $oif
>
> 00800 divert 8668 ip from any to any out via $oif
> 00801 allow ip from any to any
> 00999 deny log logamount 5 ip from any to any

Stateful rules are quite tricky in combination with address rewriting,
because the state being saved won't match the packet after it's passed
through the rewriting.  This rule set seems to handle that by
splitting the redirect rule into one for each direction, but I'd still
look in that direction for the trouble.  Try removing the log limits
and seeing what happens when an HTTP packet gets dropped.
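Lowell's point, that the state ipfw saves describes the packet as it looked when the parent rule matched and that a later check-state hit executes that parent rule's action, can be walked through with a small model. This is an added example for this thread, not ipfw code and not anything Lowell or Deling posted: it implements first-match rule evaluation with check-state, keep-state, skipto and a divert step, replaces natd by a two-line stub that performs only the port-80 redirect, and uses the rule numbers of the posted rule set with constructed documentation-range addresses. With `allow ... keep-state` on the inbound redirect rule, the server's SYN-ACK is accepted at rule 15 and never reaches the outbound divert at 800, so it leaves with the private source address; with `skipto 800 ... keep-state` instead, the reply is translated. Rule 301 in Paul Procacci's earlier message has the same `allow ... keep-state` shape on its pre-NAT inbound rule.

```python
"""Model of ipfw first-match evaluation with check-state, keep-state, skipto
and a natd-style divert.  Added example for this thread; it is not ipfw code
and natd is replaced by a stub that only performs the port-80 redirect.
Addresses are constructed documentation-range values."""
from dataclasses import dataclass, replace

PUBLIC, INTERNAL, CLIENT = "203.0.113.10", "192.168.0.7", "198.51.100.5"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str       # "in" or "out" via the external interface ($oif)
    setup: bool = False  # TCP SYN without ACK, what ipfw calls 'setup'


def natd_stub(pkt):
    """Stand-in for natd -redirect_port tcp 192.168.0.7:80 PUBLIC:80; plain
    masquerading of other LAN traffic is left out of the model."""
    if pkt.direction == "in" and (pkt.dst, pkt.dport) == (PUBLIC, 80):
        return replace(pkt, dst=INTERNAL)
    if pkt.direction == "out" and (pkt.src, pkt.sport) == (INTERNAL, 80):
        return replace(pkt, src=PUBLIC)
    return pkt


def flow_key(pkt):
    """Direction-independent key of a flow, as a dynamic rule would store it."""
    return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})


def rule(num, action, direction=None, match=lambda p: True, keep_state=False):
    return {"num": num, "action": action, "dir": direction,
            "match": match, "keep_state": keep_state}


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.dyn = {}  # flow key -> parent rule action (the dynamic rule table)

    def evaluate(self, pkt):
        """Return (verdict, packet as it leaves, numbers of the rules that acted)."""
        idx, path = 0, []
        while idx < len(self.rules):
            r = self.rules[idx]
            action = None
            if r["action"][0] == "check-state":
                action = self.dyn.get(flow_key(pkt))   # parent action, if any
            elif r["dir"] in (None, pkt.direction) and r["match"](pkt):
                action = r["action"]
                if r["keep_state"]:
                    # state is keyed on the packet as seen HERE, i.e. after any
                    # divert that ran earlier in the rule list
                    self.dyn[flow_key(pkt)] = action
            if action is None:
                idx += 1
                continue
            path.append(r["num"])
            if action[0] in ("allow", "deny"):
                return action[0], pkt, path
            if action[0] == "divert":
                pkt = natd_stub(pkt)   # natd re-injects at the next rule
                idx += 1
            elif action[0] == "skipto":
                idx = next(i for i, x in enumerate(self.rules) if x["num"] >= action[1])
        return "deny", pkt, path       # modelled default-to-deny


def ruleset(inbound_action):
    """Simplified version of the posted rule set; inbound_action is rule 360's action."""
    http_in = lambda p: p.dport == 80 and p.setup
    return [
        rule(14, ("divert",), "in"),
        rule(15, ("check-state",)),
        rule(60, ("skipto", 800), "out", lambda p: p.setup, keep_state=True),
        rule(360, inbound_action, "in", http_in, keep_state=True),
        rule(400, ("deny",), "in"),
        rule(450, ("deny",), "out"),
        rule(800, ("divert",), "out"),
        rule(801, ("allow",)),
    ]


def handshake(inbound_action):
    """Push the client's SYN in and the server's SYN-ACK out; report how the
    reply leaves the box and which rules handled it."""
    fw = Firewall(ruleset(inbound_action))
    syn = Packet(CLIENT, 40000, PUBLIC, 80, "in", setup=True)
    verdict_in, _, _ = fw.evaluate(syn)
    syn_ack = Packet(INTERNAL, 80, CLIENT, 40000, "out")
    verdict_out, reply, path = fw.evaluate(syn_ack)
    return verdict_in, verdict_out, reply.src, path


if __name__ == "__main__":
    print("allow  keep-state:", handshake(("allow",)))       # reply leaves from 192.168.0.7
    print("skipto keep-state:", handshake(("skipto", 800)))  # reply leaves from 203.0.113.10
```

The model drops everything that is irrelevant to the ordering question (logging, ICMP, the `limit` rule, the outbound masquerade), so it says nothing about why a particular box fails; what it does show is that the parent action of a keep-state rule is replayed for every later packet of the flow, which is why the inbound rule that sits before the outbound divert has to `skipto` that divert rather than `allow`.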


Question about ipfw, natd and port forwarding.

2005-02-25 Thread Deling Ren
Hi all, I am trying to set up a NAT box for my home network on freebsd 5.3.
I am using ipfw and natd. I already got nat running but I am having
problem with port forwarding. I am trying to forward port 80 on the nat
box to an internal machine (192.168.0.7). I have the following as part of
natd_flags:

-redirect_port tcp 192.168.0.7:80 xx.xx.xx.xx:80

where xx.xx.xx.xx is the external IP of the nat box.

Using the following ipfw rules:

00050 divert 8668 ip from any to any via sis0
65535 allow ip from any to any

I have no problem connecting port 80 on the nat box from outside. But as I
added stateful ipfw rules, it stops working. Running nmap from outside
says port 80 is filtered. I am not sure how to configure the rules to
enable port forwarding. Any help will be appreciated. Thanks.

Deling

Here are my ipfw rules:

00005 allow ip from any to any via $iif
00010 allow ip from any to any via lo0
00014 divert 8668 ip from any to any in via $oif

00015 check-state

00060 skipto 800 tcp from any to any out via $oif setup keep-state
00080 skipto 800 icmp from any to any out via $oif keep-state
00130 skipto 800 udp from any to any out via $oif keep-state

00340 allow icmp from any to me in via $oif keep-state

00360 allow tcp from any to any dst-port 80 in via $oif setup keep-state
00380 allow tcp from any to me dst-port 22 in via $oif setup limit
src-addr 5

00400 deny log logamount 5 ip from any to any in via $oif
00450 deny log logamount 5 ip from any to any out via $oif

00800 divert 8668 ip from any to any out via $oif
00801 allow ip from any to any
00999 deny log logamount 5 ip from any to any




ipnat port forwarding problem

2005-01-16 Thread BSD Bod
Hi All,

I have an ADSL router with some very basic firewall connecting my internal
network to the internet. I now want to give myself greater flexibility and
protection and so I have been attempting to set up a 3-homed host running a
firewall with nat.

This host needs to route packets between 2 further networks, 1 as a dmz and
the other as a protected network, layout as follows:

                       Internet
                          |
                    ---------------
                  --|   Router    |--
                    ---------------  192.168.0.1
           Min protected Net   |
                          192.168.0.2 - dc0
                    ---------------
                  --|  Firewall   |-
                    ---------------
       192.168.1.2 - dc1            192.168.2.2 - rl0
              |                            |
           DMZ Net                   Protected Net

I have tried using both ipfilter+ipnat and pf, and even tried OpenBSD, but
always have the same problem that forwarding from the protected net and the
dmz net to the internet fails (no route to host).

My current configuration is using ipfilter+ipnat on FreeBSD 5.3

The firewall can reach the internet, dmz and protected net ok and sysctl -a
reveals that net.inet.ip.forwarding=1 and also redirect=1.

My ipnat rules are as follows:
map dc0 192.168.2.0/24 -> 192.168.0.2/32 portmap tcp/udp 10000:20000
map dc0 192.168.2.0/24 -> 192.168.0.2/32
map dc0 192.168.1.0/24 -> 192.168.0.2/32 portmap tcp/udp 20001:40000
map dc0 192.168.1.0/24 -> 192.168.0.2/32

In order to get this working I have my internal firewall open, so that it
does not cause an issue.

For now I just want to get this working using ipfilter+ipnat and when I know
what the problem is I will try implementing it using pf.

In the past I have had a firewall connecting to an ADSL modem using PPPoA
running ipfw and natd on FreeBSD 4.8, but this is a different configuration.

I am completely out of ideas, so all are welcome.

Tim Preece.







(Another) NATD/IPFW port forwarding problem

2004-08-18 Thread fbsd-help
                   .oO( Internet )Oo.
                          ||
                          ||

                  [------DSL------]
                  [  adsl router  ]   <- No NAT
                  [---------------]

                     |         |
                     |         |
                     |         |
                     B         A
         [------WL------]   [------BSD------]
  NAT -> [wireless router]  [    bsd box    ]
         [--------------]   [---------------]
                |                  X
                |          |       |
                |          |       |
                |__________|_______|
                           Y
                  [------WEB------]
                  [web server+media]
                  [---------------]

IP Addresses: 

A: External IP 82.*.*.A
B: External IP 82.*.*.B
X: Internal IP 192.168.1.101
Y: Internal IP 192.168.1.100 

### External Connectivity ### 

WEB -> WL -> (DSL) -> Internet [IP B]
BSD -> (DSL) -> Internet [IP A]

Require:
Connection to A:80 forwarded to Y:80 

### Theoretical Solution ### 

Packet - [sourceip:port, destip:port] 

Packets IN 

[any:any, A:80] fwd/nat [A:80, X:80]
[A:80, X:80] fwd/nat [X:80, Y:80] 

Packets OUT 

[Y:80, X:80] fwd/nat [X:80, A:80]
[X:80, A:80] fwd/nat [A:80, any:any] 

### Description ### 

Hiya,

As you can hopefully see, I'm trying to port forward a connection to an
external ip on my BSD box to the internal ip address of a machine that
sits behind a wireless router.

Please advise as to whether my Theoretical Solution is indeed correct for
this purpose.

I've been playing around with NATD and IPFW for a while now, and just cannot
get it to respond. Assuming my logic is correct, my problem seems to be
translating it into the required configs/rules for natd and ipfw.

In an attempt to simplify the problem, I have set apache to run on all the
IPs of the BSD box. A telnet to 82.*.*.A 80 gets an index file showing
default, whereas a telnet to 192.168.1.101 80 gets an index file showing
192.168.1.101, the obvious trick being to get a telnet to 82.*.*.A to
display 192.168.1.101

As this is failing badly too, I assume I am doing something really wrong.

As you will see, I have a /29 external subnet but we're only really
interested in 82.*.*.A

rl0 - external NIC going to ADSL Router
xl0 - internal NIC going to Wireless Router

IP Connectivity between all hosts is fine 

Details are as follows: 

- rc.conf -

defaultrouter="82.*.*.*"
hostname="XXX"
ifconfig_rl0="inet 82.*.*.*  netmask 255.255.255.248"
ifconfig_rl0_alias0="inet 82.*.*.A netmask 255.255.255.255"
ifconfig_rl0_alias1="inet 82.*.*.* netmask 255.255.255.255"
ifconfig_rl0_alias2="inet alias 82.*.*.* netmask 255.255.255.255"
ifconfig_xl0="inet 192.168.1.101 netmask 255.255.255.0"
ifconfig_xl0_alias0="inet 192.168.1.111 netmask 255.255.255.255"

gateway_enable="YES"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
portmap_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules/default"
firewall_quiet="NO"

- natd.conf -

interface rl0
same_ports yes
redirect_port tcp 192.168.1.101:80 80

- KERNEL -

options IPFIREWALL
options IPFIREWALL_DEFAULT_TO_ACCEPT
options IPFILTER
options IPFILTER_LOG
options IPDIVERT

Cheers for the help!!!


[from newbies]: SSH port forwarding and Webmin

2004-07-12 Thread clayton rollins
On July 12, 2004, Eddie [EMAIL PROTECTED] wrote:
I have webmin installed on a brand new installation of FreeBSD 5.2.1. I 
tunnel port 1 to my localhost and connect to wemin like this:

http://127.0.0.1:1
I always connect to webmin this way, with all *nix machines I admin. This 
does not seem to work with FreeBSD 5.2.1. It does work out of the box for 
other versions (4.7 and 4.8 at least) of FreeBSD though. Is there some rule 
somewhere preventing port forwarding in 5.2? Here's my netstat output:

bsd3c# netstat -nat
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.168.1.19.22        69.91.145.220.46031    ESTABLISHED
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  *.22                   *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.1                    *.*                    LISTEN
udp4       0      0  *.1                    *.*
udp4       0      0  *.514                  *.*
udp6       0      0  *.514                  *.*

webmin is running and listening on port 1 as it's supposed to, and I 
can connect to webmin on the localhost with links. The sshd config file 
gives no indication that tunneling is disabled, and it has not been 
modified in any way.

I would be glad to hear what anyone's thoughts are on this.
Eddie
Hi Eddie,
freebsd-newbies is not meant for technical questions nor replies.
I'm forwarding this along to freebsd-questions. (You should be
CC'ed on any replies...)
My first thought is that maybe 5.2.1 uses a more restrictive
ruleset for firewalling or that you specified a more restrictive
ruleset in rc.conf (firewall_type, which is used by rc.firewall).
You can view current rules with 'ipfw show'.
Of course, this all assumes you've kept ipfw as the firewall.
Also, I could be missing the obvious. (That's one of the reasons
to not ask on -newbies...)
Regards,
Clayton


NATD Port Forwarding question

2004-07-04 Thread Jon Kurjakovich
Hi there,

I am currently using FreeBSD 4.8-RELEASE. I do plan on upgrading to
5.2-CURRENT shortly but I know people who are using 5.2-CURRENT and are
experiencing the same problem as me. If this email is not appropriate in
this mailing list, could you please forward me to the correct one. Thank
you.

My problem: I am trying to use NATD to forward packets to machines on
the internal network using the redirect_port command. I am specifically
trying to connect to a Terminal Server on a Windows 2000 machine. It
never seems to work for me. I am running natd using the following
command: natd -f /etc/natd.conf with the following options in my
natd.conf file.

interface tun0
same_ports yes
use_sockets yes
unregistered_only
redirect_port tcp 192.168.1.2:3389 3389

When I create an SSH tunnel using putty, that works fine. It is only
when I try and use natd w/ port-forwarding that it doesn't work. I
configure an extremely open firewall to ensure it is not my firewall
causing the problems. The commands I use are:

/sbin/ipfw -f flush
/sbin/ipfw add 50 divert natd all from any to any via tun0
/sbin/ipfw add pass all from any to any

If anybody could shine any light on this problem for me - it'd be
greatly appreciated. I have been trying to resolve the problem
on-and-off for months now to no avail. I finally decided I should try
the mailing list.

Thanks.

Regards,
Jon


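Both natd posts on this page (the web-server redirect with `interface rl0` earlier and this one with `interface tun0`) show a natd.conf and, at most, a two-rule firewall, so the first things to confirm are that a divert rule exists on the same interface natd translates on, and that the kernel forwards packets at all. The script below is an added example, not code posted in either thread: it runs those checks over captured command output (constructed here to mirror Jon's setup) so it works without ipfw present. The function names are this example's own; 8668 is natd's default divert port, which `ipfw list` prints in place of the word natd.

```sh
#!/bin/sh
# Added example (not from the thread): consistency check between natd.conf and
# the installed ipfw ruleset, working on captured text so it runs offline.

# Constructed natd.conf, as posted in the thread.
NATD_CONF='interface tun0
same_ports yes
use_sockets yes
unregistered_only
redirect_port tcp 192.168.1.2:3389 3389'

# Constructed "ipfw list" output for the thread's two-rule firewall; ipfw
# shows the divert port (8668 is natd's default) rather than the word natd.
IPFW_LIST='00050 divert 8668 ip from any to any via tun0
00100 allow ip from any to any
65535 allow ip from any to any'

# Constructed "sysctl net.inet.ip.forwarding" output (1 when gateway_enable=YES).
SYSCTL_FWD='net.inet.ip.forwarding: 1'

# natd_interface <natd.conf text>: the interface natd translates on.
natd_interface() {
    printf '%s\n' "$1" | awk '$1 == "interface" { print $2; exit }'
}

# divert_interface <ipfw list text>: interface of the first rule that diverts
# to natd (port 8668 or the service name), empty if there is none.
divert_interface() {
    printf '%s\n' "$1" | awk '
        $2 == "divert" && ($3 == "8668" || $3 == "natd") {
            for (i = 4; i <= NF; i++) if ($i == "via") { print $(i + 1); exit }
        }'
}

# redirect_targets <natd.conf text>: "proto host port" for each redirect_port,
# i.e. the inside services a rule after the divert must also pass.
redirect_targets() {
    printf '%s\n' "$1" | awk '$1 == "redirect_port" {
        split($3, t, ":"); print $2, t[1], t[2] }'
}

# check_setup <natd.conf> <ipfw list> <sysctl output>: returns 0 when the three
# agree, 1 otherwise; every finding is printed.
check_setup() {
    rc=0
    fwd=$(printf '%s\n' "$3" | awk -F': ' '{ print $2 }')
    if [ "$fwd" != "1" ]; then
        echo "net.inet.ip.forwarding is not 1: translated packets are not routed inside"
        rc=1
    fi
    nif=$(natd_interface "$1")
    dif=$(divert_interface "$2")
    if [ -z "$dif" ]; then
        echo "no divert rule to natd: natd never sees any packets"
        rc=1
    elif [ "$dif" != "$nif" ]; then
        echo "divert rule is on $dif but natd.conf names $nif"
        rc=1
    fi
    redirect_targets "$1" | while read -r proto host port; do
        echo "redirect: $proto to $host port $port needs a pass rule after the divert"
    done
    return $rc
}

check_setup "$NATD_CONF" "$IPFW_LIST" "$SYSCTL_FWD"
```

On a live gateway the three arguments would be `"$(cat /etc/natd.conf)"`, `"$(ipfw list)"` and `"$(sysctl net.inet.ip.forwarding)"`; the constructed inputs above pass, and the same function reports a divert rule on a different interface or forwarding switched off.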


Re: NATD Port Forwarding question

2004-07-04 Thread Micheal Patterson
Is the system configured to accept remote desktop requests? Windows XP has
it disabled by default.

--

Micheal Patterson
TSG Network Administration
405-917-0600



RE: NATD Port Forwarding question

2004-07-04 Thread Jon Kurjakovich
Yes. It is a Windows 2000 Server machine that I can connect to both on
the local network and via an SSH tunnel. It is simply to do with natd's
port forwarding. I also cannot use port forwarding to access any other
services on the 2000 Server box such as telnet or ftp for example.

Any help is greatly appreciated.

Rgds,
Jon



Re: NATD Port Forwarding question

2004-07-04 Thread andrew clarke
On Sun, Jul 04, 2004 at 06:57:16PM +1000, Jon Kurjakovich wrote:

 My problem: I am trying to use NATD to forward packets to machines on
 the internal network using the redirect_port command.

I don't have a solution to your problem with natd, however net/rinetd
(from ports) might be a good enough workaround if all else fails.

Port:   rinetd-0.62
Path:   /usr/ports/net/rinetd
Info:   A simple TCP port redirector


Configuring Port Forwarding behind PPPoE

2004-03-23 Thread JP
Hello,

I am currently using PPPoE on FreeBSD 5.2, and I have a
need to forward internet traffic on certain ports to a
private IP address behind the box.  How can this be
accomplished?

For instance, inbound traffic arriving on public IP
205.242.192.20 port 21 needs to arrive at private IP
192.168.1.1 port 21.

Thanks,
JP



Re: Configuring Port Forwarding behind PPPoE

2004-03-23 Thread Harald Schmalzbauer
On Tuesday, 23 March 2004 22:26, JP wrote:
 Hello,

 I am currently using PPPoE on FreeBSD 5.2, I have a
 need to forward internet traffic on certain ports to a
 private IP address behind the box.  How can this be
 accomplished?

 For instance, inbound traffic arriving on public IP
 205.242.192.20 port 21 needs to arrive to private IP
 192.168.1.1 port 21

How do you drive your PPPoE line? Netgraph with mpd and PF? Or user_ppp with 
ipfw? Or pppoed with IPFilter?
There are too many combinations to guess.
You should use the service which does the nat for you to do the redirection 
also.

-Harry




port forwarding and ip-less firewall

2004-02-25 Thread Edison Cala
Hello list!

I want to ask some help on port forwarding in a bridge-firewall network.

Our network setup is:

1. The router is outside the firewall, direct to the internet.
2. The bridge-firewall computer (2 ethernet cards installed, eth0 - outside (router), 
eth1 - protected network) is between the router and the protected network.

All the servers are behind the firewall and only the allowed ports are opened. I have 2 
mail servers (unit1.domain.com and unit2.domain.com) running on the protected network; 
unit1.domain.com is just an SMTP relay for unit2.domain.com and it's working fine. 
However, I want to put a rule (port forward) in the firewall to forward requests destined 
to unit2.domain.com (port 25), but that request should first be passed to 
unit1.domain.com (for antispam processing) before unit2. unit1 should then be the one 
to forward the request to unit2.domain.com.

Why I want to do this is that some mails are getting through and received at unit2 
without passing through unit1. In MX, unit1 is the 1st priority and unit2 is 2nd priority only.

Please help and give an idea on port forwarding rules between two servers within the 
protected network.

Thank you!

Edison Cala


RE: port forwarding and ip-less firewall

2004-02-25 Thread JJB
Really hard to help you when you do not post what firewall you are
using and the nat rules you are using.



Re: port forwarding and ip-less firewall

2004-02-25 Thread Nathan Kinkade
On Wed, Feb 25, 2004 at 05:19:35PM +0800, Edison Cala wrote:
 hello list!
 
 I want to ask some help on port forwarding in a bridge-firewall
 network.

I think this would normally be handled using a 'fwd' rule (man ipfw),
but the manpage specifically states:

A fwd rule will not match layer-2 packets (those received on
ether_input, ether_output, or bridged).

So, I'm not sure how you could implement this when using ipfw on a
bridged interface.

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49




RE: port forwarding and IP-less firewall

2004-02-25 Thread Edison Cala
Hello again list!

My firewall is set up on FreeBSD 4.5 and has not implemented NAT.


Re: Port Forwarding

2004-01-22 Thread Rishi Chopra
James,

I've configured my Win2k box to contact DNS directly, and both Direct 
Connect and VNC Server are running smoothly (port forwarding is being 
accomplished (per your suggestion) by natd.conf).

I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm 
protection of its own); this is truly the only sticking point.  I'm 
under the impression that selecting 'SIMPLE' rather than 'OPEN' provides 
an additional layer of protection to the gateway by preventing certain 
spoofing attacks.  Unfortunately, I seem unable to switch the firewall 
type without crippling my Win2k box's functionality.  Perhaps I'll give 
it a go again sometime in the future.

Here's a copy of the relevant files:

//natd.conf

unregistered_only
interface rl0
use_sockets
dynamic
redirect_port tcp 192.168.0.2:5800 5800
redirect_port tcp 192.168.0.2:5900 5900
redirect_port tcp 192.168.0.2:412 412
redirect_port tcp 192.168.0.2:1412 1412
punch_fw 2000:50

//rc.conf

gateway_enable="YES"
hostname="usha.dyndns.org"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
# firewall_type="SIMPLE"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
linux_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"
-R



Re: Port Forwarding

2004-01-22 Thread James Earl
If the variables for the 'SIMPLE' rules are setup properly, 'SIMPLE'
should be no different than using 'OPEN' from your win2k's perspective. 
This is assuming you don't have a broken rc.firewall file.

Looking at your original post, your sample was missing the 'onet'
variable.

# set these to your outside interface network and netmask and ip
oif=rl0
onet=???.???.???.???
omask=255.255.255.0  -- make sure this is right!!!
oip=me

# set these to your inside interface network and netmask and ip
iif=rl1
inet=192.168.0.1
imask=255.255.255.0
iip=192.168.0.1

Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel
configuration.  I use:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the
Handbook.

IPFIREWALL_VERBOSE allows you to get helpful information in
/var/log/security.  If you are having troubles with connectivity, look
in /var/log/security to see if it shows what's being blocked and by what
rule.

Hope this helps.

James

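James's fix for the missing 'onet' variable and the thread's goal of passing ports 412 and 5800 through a SIMPLE ruleset can be put together in one rc.firewall-style script. What follows is an added example, not the thread's or FreeBSD's own rc.firewall: it emits the rules through a configurable command, so the default run only prints them and nothing is installed. The outside network 192.0.2.0 is an assumed placeholder for the real value, the inside network is written as 192.168.0.0 rather than the gateway's own address, and the FWCMD variable, the build_rules function and the fwd_* names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread, not FreeBSD's rc.firewall): a SIMPLE-style
# ipfw ruleset for a natd gateway that also passes the ports natd redirects to an
# inside host. Interfaces, the inside host and the port list follow the thread.

oif=rl0                         # outside interface
onet=192.0.2.0                  # ASSUMED placeholder: the real outside network goes here
omask=255.255.255.0
iif=rl1                         # inside interface
inet=192.168.0.0                # inside network address (not the gateway's address)
imask=255.255.255.0
natd_interface=rl0
fwd_host=192.168.0.2            # inside host natd redirects to
fwd_ports="412 1412 5800 5900"  # the redirect_port entries from the thread's natd.conf

# build_rules emits one rule per $FWCMD invocation. The default "echo" is a dry
# run that only prints the rules; FWCMD="/sbin/ipfw -q" installs them.
build_rules() {
    fwcmd=${FWCMD:-echo}

    # An unset onet turns the second anti-spoofing rule into ":255.255.255.0",
    # which is what the thread's rc.firewall fragment would have produced.
    if [ -z "${onet}" ]; then
        echo "onet is not set: the anti-spoofing rule would be malformed" >&2
        return 1
    fi

    # Anti-spoofing: inside addresses must not arrive on the outside interface
    # and outside addresses must not arrive on the inside one.
    $fwcmd add deny all from ${inet}:${imask} to any in via ${oif}
    $fwcmd add deny all from ${onet}:${omask} to any in via ${iif}

    # NAT first: every later rule sees the translated packet, so an inbound
    # connection to a redirected port already has the inside host as destination.
    $fwcmd add divert natd all from any to any via ${natd_interface}

    # Packets of TCP connections that are already established.
    $fwcmd add pass tcp from any to any established

    # The redirected ports: match the post-NAT destination, and only connection
    # setup that arrives on the outside interface.
    for port in ${fwd_ports}; do
        $fwcmd add pass tcp from any to ${fwd_host} ${port} in via ${oif} setup
    done

    # Every other inbound TCP connection attempt is refused and logged, so
    # /var/log/security shows what was blocked and by which rule.
    $fwcmd add deny log tcp from any to any in via ${oif} setup

    # Outbound (and inside-to-gateway) TCP connection setup.
    $fwcmd add pass tcp from any to any setup

    # DNS for the gateway and the LAN, kept stateless on purpose: a keep-state
    # entry recorded for the translated outbound query would not match the
    # reply once natd has rewritten its destination back to the inside host.
    $fwcmd add pass udp from any to any 53 out via ${oif}
    $fwcmd add pass udp from any 53 to any in via ${oif}
}

build_rules
```

Run as is, the script prints the rule order worth checking: the divert before everything that must see inside addresses, then the explicit passes for the redirected ports, then the logged deny of any other inbound setup. That deny is what SIMPLE relies on to refuse unlisted services, which is why a kernel built with IPFIREWALL_DEFAULT_TO_ACCEPT weakens it: whatever a ruleset fails to match is then accepted by the default rule 65535 instead of dropped.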


Re: Port Forwarding

2004-01-20 Thread James Earl
On Mon, 2004-01-19 at 21:04, Rishi Chopra wrote:
 No, those are the values in the file.  I had posted a previous question 
 to the list asking what the right values should be (my rl0 interface is 
 configured via DHCP) - any ideas what I should put in this section?
 
 James Earl wrote:
 
  On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
  
 Here's the rc.firewall file, with comments trimmed for formatting:
 
 [Ss][Ii][Mm][Pp][Ll][Ee])
  
 
  # set these to your outside interface network and netmask and ip
  oif=rl0
  omask=255.255.255.0
  oip=me
  
  
  I'm assuming these aren't the real values you have in your actual
  rc.firewall.
  

Maybe I shouldn't have been surprised to see 255.255.255.0 as your ISP's
subnet mask... I'm not sure.  I'm definitely not an expert.  Is that in
fact your ISP's subnet mask?

James




Re: Port Forwarding

2004-01-20 Thread James Earl
If you want your gateway to forward DNS queries from your private
network, you will probably have to run named to answer the DNS queries
and forward them out to your ISP's name servers.

You may also want to run a DHCP server.

I don't believe ipfw has the forwarding capability you're looking for in
this case.

You may want to get the DNS setup first, and then enable ipfw once you
know that named is setup properly.

As for the firewall rules, you'd probably just have to modify slightly
the DNS related ones that already exist under SIMPLE.  Instead of
letting DNS queries in from the outside, you want to let DNS queries in
from the inside.

Let me know if you have any other questions, and I'll try to help.

James

On Mon, 2004-01-19 at 21:06, Rishi Chopra wrote:
 If I want the gateway to forward DNS queries (e.g. have the win2k box 
 query the gateway for DNS requests) what do I need to do?  What would 
 the rule look like?


Port Forwarding

2004-01-19 Thread Rishi Chopra
What I want to do:  (1) Change firewall type from 'OPEN' to 'SIMPLE' and 
(2) Forward ports 412 and 5800 to my Win2k box.

What I have:  The setup is pictured below. 
IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in 
my kernel config file,  are also enabled.  Rule-of-thumb advice about 
how best to secure a network is not necessary in this case (the Win2k 
box has its own firewall installed (ZoneAlarm) and I already know too 
much about security).

ISP ---------- FreeBSD Gateway ---------- Win2k Box
              rl0             rl1
ALL           DHCP            192.168.0.1  192.168.0.2

The problem:  When I change the firewall type to SIMPLE from OPEN, the 
Win2k box can no longer query DNS and pings to the 192.168.0.1 address 
do not work.  With the firewall type set to OPEN, there are no problems 
whatsoever.  I am also new to the IPFW syntax.

What I would like to know is: (1) the syntax for forwarding incoming 
connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) 
whether the syntax for allowing connections to the outside network (such 
as DNS) is correct and if some other problem is preventing the win2k box 
from querying DNS when SIMPLE is enabled.

Here's the rc.conf file:

gateway_enable="YES"
hostname="usha.dyndns.org"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
# firewall_type="SIMPLE"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
linux_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"

Here's the rc.firewall file, with comments trimmed for formatting:

[Ss][Ii][Mm][Pp][Ll][Ee])

# set these to your outside interface network and netmask and ip
oif=rl0
omask=255.255.255.0
oip=me
# set these to your inside interface network and netmask and ip
iif=rl1
inet=192.168.0.1
imask=255.255.255.0
iip=192.168.0.1
setup_loopback

# Stop spoofing
${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from any to 10.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 172.16.0.0/12 via ${oif}
${fwcmd} add deny all from any to 192.168.0.0/16 via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets
${fwcmd} add deny all from any to 0.0.0.0/8 via ${oif}
${fwcmd} add deny all from any to 169.254.0.0/16 via ${oif}
${fwcmd} add deny all from any to 192.0.2.0/24 via ${oif}
${fwcmd} add deny all from any to 224.0.0.0/4 via ${oif}
${fwcmd} add deny all from any to 240.0.0.0/4 via ${oif}
# Network Address Translation.
# match the `deny' rule below.
case ${natd_enable} in
[Yy][Ee][Ss])
if [ -n ${natd_interface} ]; then
${fwcmd} add divert natd all from any to any via ${natd_interface}
fi
;;
esac
# Stop RFC1918 nets on the outside interface
${fwcmd} add deny all from 10.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 172.16.0.0/12 to any via ${oif}
${fwcmd} add deny all from 192.168.0.0/16 to any via ${oif}
# Stop draft-manning-dsua-03.txt (1 May 2000) nets
${fwcmd} add deny all from 0.0.0.0/8 to any via ${oif}
${fwcmd} add deny all from 169.254.0.0/16 to any via ${oif}
${fwcmd} add deny all from 192.0.2.0/24 to any via ${oif}
${fwcmd} add deny all from 224.0.0.0/4 to any via ${oif}
${fwcmd} add deny all from 240.0.0.0/4 to any via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
${fwcmd} add pass tcp from any to ${oip} 25 setup
# Allow access to our DNS
${fwcmd} add pass tcp from any to ${oip} 53 setup
${fwcmd} add pass udp from any to ${oip} 53
${fwcmd} add pass udp from ${oip} 53 to any
# Allow access to our WWW
${fwcmd} add pass tcp from any to ${oip} 80 setup
# RejectLog all setup of incoming connections from the outside
${fwcmd} add deny log tcp from any to any in via ${oif} setup
# Allow setup of any other TCP connection
${fwcmd} add pass tcp from any to any setup
# Allow DNS queries out in the world
${fwcmd} add pass udp from ${oip} to any 53 keep-state
# Allow NTP queries out in the world
${fwcmd} add pass udp from ${oip} to any 123 keep-state
# Pass VNC and DC++ connections to 192.168.0.2
# ${fwcmd} add pass tcp from $oip to 192.168.0.2 412 setup
# ${fwcmd} add pass tcp from $oip to 

Re: Port Forwarding

2004-01-19 Thread James Earl
On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
 What I want to do:  (1) Change firewall type from 'OPEN' to 'SIMPLE' and 
 (2) Forward ports 412 and 5800 to my Win2k box.
 
 What I have:  The setup is pictured below. 
 IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in 
 my kernel config file,  are also enabled.  Rule-of-thumb advice about 
 how best to secure a network is not necessary in this case (the Win2k 
 box has its own firewall installed (ZoneAlarm) and I already know too 
 much about security).
 
 ISP  FreeBSD GatewayWin2k Box
 
 --rl0--rl1---
 ALLDHCP 192.168.0.1 192.168.0.2
 
 The problem:  When I change the firewall type to SIMPLE from OPEN, the 
 Win2k box can no longer query DNS and pings to the 192.168.0.1 address 
 do not work.  With the firewall type set to OPEN, there are no problems 
 whatsoever.  I am also new to the IPFW syntax.
 
 What I would like to know is: (1) the syntax for forwarding incoming 
 connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) 
 whether the syntax for allowing connections to the outside network (such 
 as DNS) is correct and if some other problem is preventing the win2k box 
 from querying DNS when SIMPLE is enabled.

The FreeBSD Handbook can describe port redirection using NAT better than
I can:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

With the SIMPLE firewall rules, all your machines on your LAN should be
able to establish connections.  Make sure that you have your ISP's DNS
servers' IPs specified on the win2k machine, and also that your FreeBSD
machine's IP is set up as the default gateway in win2k.

You shouldn't be able to ping the FreeBSD gateway from the win2k machine
because of the FreeBSD gateway's firewall.

Another test... try accessing a machine out on the Internet using its IP
address and see if you get out.

James




Re: Port Forwarding

2004-01-19 Thread James Earl
On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
 Here's the rc.firewall file, with comments trimmed for formatting:
 
 [Ss][Ii][Mm][Pp][Ll][Ee])
  
 
  # set these to your outside interface network and netmask and ip
  oif=rl0
  omask=255.255.255.0
  oip=me

I'm assuming these aren't the real values you have in your actual
rc.firewall.

James




Re: Port Forwarding

2004-01-19 Thread Rishi Chopra
No, those are the values in the file.  I had posted a previous question 
to the list asking what the right values should be (my rl0 interface is 
configured via DHCP) - any ideas what I should put in this section?

James Earl wrote:

On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:

Here's the rc.firewall file, with comments trimmed for formatting:

[Ss][Ii][Mm][Pp][Ll][Ee])

# set these to your outside interface network and netmask and ip
oif=rl0
omask=255.255.255.0
oip=me


I'm assuming these aren't the real values you have in your actual
rc.firewall.
James



--
Rishi Chopra
http://www.ocf.berkeley.edu/~rchopra


NWN and port forwarding under FreeBSD 4.7

2004-01-16 Thread Budec
Anyone run NWN though a FreeBSD firewall/natd setup?

Been trying to get this running for over a week and starting to get very
frustrated with it. :(
Here is how my network is setup:

{internet} - [public ips 6-9] DC1 (Firewall) DC0 - [private ips 25-26] - NWN server

Here are the technical documents that I'm going off:

http://nwn.bioware.com/support/techfaq.html#03

http://members.cox.net/ctr2sprt/nwn/
http://www.shadow400.com/shadowgameworld/neverwinternights/server/nwn_linksys_help.htm
http://support.dlink.com/faq/view.asp?prod_id=1399#604

http://nwn.bioware.com/forums/viewtopic.html?topic=306921&forum=56
http://nwn.bioware.com/forums/viewtopic.html?topic=309518&forum=56&sp=0
http://nwn.bioware.com/forums/viewtopic.html?topic=307939&forum=56

Here is the setup I'm using

/etc/rc.firewall:

${fwcmd} add allow udp from 192.168.17.25 5121 to 216.177.89.34 27900 keep-state
${fwcmd} add allow udp from 192.168.17.25 5121 to 66.244.193.142 5121 keep-state

${fwcmd} add pass log tcp from any to any 5121
${fwcmd} add pass log udp from any to any 5121

${fwcmd} add pass log tcp from any to any 5122
${fwcmd} add pass log udp from any to any 5122

/etc/natd.conf:
redirect_port udp 192.168.17.25:6500 6500
redirect_port udp 192.168.17.25:27900 27900
redirect_port udp 192.168.17.25:28900 28900
redirect_port udp 192.168.17.25:29900 29900

redirect_port tcp 192.168.17.25:5120-5300 5120-5300
redirect_port udp 192.168.17.25:5120-5300 5120-5300

output of /var/log/security and `tcpdump -i dc1 -n port 5122 and port 5121`:

Jan 14 05:37:04 hydra last message repeated 10 times
Jan 14 06:10:14 hydra /kernel: ipfw: 900 Accept UDP 80.55.156.86:63420 63.231.238.226:5121 in via dc1
Jan 14 06:10:42 hydra last message repeated 5 times
Jan 14 06:12:34 hydra last message repeated 14 times
Jan 14 06:12:57 hydra last message repeated 3 times
Jan 14 09:58:55 hydra /kernel: ipfw: 900 Accept UDP 80.55.156.86:63791 63.231.238.226:5121 in via dc1
Jan 14 09:59:05 hydra /kernel: ipfw: 900 Accept UDP 80.55.156.86:63791 63.231.238.226:5121 in via dc1
Jan 14 17:12:51 hydra /kernel: ipfw: 900 Accept UDP 63.231.238.228:5121 66.244.193.142:5121 out via dc1
Jan 14 17:12:52 hydra /kernel: ipfw: 900 Accept UDP 63.231.238.228:5121 66.244.193.142:5121 out via dc1
tcpdump: listening on dc1
Jan 16 10:58:15 hydra /kernel: ipfw: 700 Accept UDP 63.231.238.226:5121 66.244.193.142:5121 out via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.34:27900 192.168.17.25:5121 in via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.34:27900 192.168.17.25:5121 out via dc0
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.27:3669 63.231.238.226:5121 in via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.27:3669 63.231.238.226:5121 in via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 63.231.238.226:5121 66.244.193.142:5121 out via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.27:3669 63.231.238.226:5121 in via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.34:27900 192.168.17.25:5121 in via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.34:27900 192.168.17.25:5121 out via dc0

It doesn't post to GameSpy (the browser service so other people can see it)
and other people cannot join from outside IP addresses.

Any ideas?

Regards,
Jack
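The /var/log/security excerpt in the post above is the most useful evidence in this thread. With the OPEN ruleset the divert rule (number 50) runs before the logging rules, so a packet logged "in via dc1" whose destination is already 192.168.17.25 has been rewritten by natd, while one still addressed to the public IP on the same port was not redirected. The parser below is an added example in Python, not code from the thread or from FreeBSD: it folds syslog's "last message repeated N times" lines back into the packet counts, summarizes per rule, and splits inbound packets on the external interface into "redirected" and "not redirected". The sample log is constructed to mirror the excerpt; the interface name dc1 and the addresses come from the post, and the Deny line is invented to show a second action.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the /var/log/security excerpt quoted in the
# post above; the host name, timestamps and the Deny line are illustrative.
SAMPLE_LOG = """\
Jan 14 06:10:14 hydra /kernel: ipfw: 900 Accept UDP 80.55.156.86:63420 63.231.238.226:5121 in via dc1
Jan 14 06:10:42 hydra last message repeated 5 times
Jan 14 17:12:51 hydra /kernel: ipfw: 900 Accept UDP 63.231.238.228:5121 66.244.193.142:5121 out via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.34:27900 192.168.17.25:5121 in via dc1
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.34:27900 192.168.17.25:5121 out via dc0
Jan 16 10:58:16 hydra /kernel: ipfw: 700 Accept UDP 207.38.8.27:3669 63.231.238.226:5121 in via dc1
Jan 16 10:58:17 hydra /kernel: ipfw: 65000 Deny TCP 85.12.34.56:41022 63.231.238.226:5122 in via dc1
"""

# Only TCP/UDP records carry ports; ICMP lines and tcpdump chatter are skipped.
LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Explicit RFC 1918 ranges rather than ipaddress.is_private, which also
# treats documentation and other special-purpose blocks as "private".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in RFC1918)


def parse_ipfw_log(text):
    """Parse ipfw(8) syslog lines into a list of (fields, count) tuples.

    syslog collapses identical consecutive lines into 'last message repeated
    N times'; those N copies are added to the preceding entry so the packet
    counts are correct.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            f = m.groupdict()
            for k in ("rule", "sport", "dport"):
                f[k] = int(f[k])
            entries.append([f, 1])
            continue
        r = REPEAT_RE.search(line)
        if r and entries:
            entries[-1][1] += int(r.group("n"))
    return [(f, n) for f, n in entries]


def summarize(entries):
    """Packet counts keyed by (rule, action, proto, dport, direction, iface)."""
    counts = Counter()
    for f, n in entries:
        counts[(f["rule"], f["action"], f["proto"], f["dport"], f["dir"], f["iface"])] += n
    return counts


def classify_inbound(entries, ext_iface):
    """Split packets logged 'in via <ext_iface>' by whether natd had already
    rewritten the destination when the logging rule saw them.

    A public interface never receives packets addressed to an RFC 1918 host,
    so a private destination proves the divert rule ran first and a
    redirect_port entry matched.  A destination that is still the public
    address on the same interface and port means natd left that packet
    alone; that is where to look (alias address, port range, session table)
    when outside clients cannot connect.
    """
    translated, untranslated = [], []
    for f, _ in entries:
        if f["dir"] != "in" or f["iface"] != ext_iface:
            continue
        (translated if is_rfc1918(f["dst"]) else untranslated).append(f)
    return translated, untranslated


if __name__ == "__main__":
    ents = parse_ipfw_log(SAMPLE_LOG)
    for key, n in sorted(summarize(ents).items()):
        print(n, key)
    hit, miss = classify_inbound(ents, "dc1")
    print("redirected by natd:", [(f["src"], f["dport"]) for f in hit])
    print("not redirected:", [(f["src"], f["dport"]) for f in miss])
```

Run it against the real file with `python3 ipfwlog.py < /var/log/security` after replacing SAMPLE_LOG with `sys.stdin.read()`; the "not redirected" list is the set of clients whose packets reached the gateway but never got the redirect_port treatment.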


Port forwarding

2004-01-12 Thread Budec
Hello,

I have been trying to get this working for days and am obviously doing
something wrong and was wondering if any Guru's out there could give a
little guidance.  Basically I'm looking to run a game server behind a
FreeBSD firewall.  Here is my setup:

{internet} - [public address] - Firewall - (internal address) Game server

Let's say the public address is 1.2.3.4 and the private address is
192.168.17.25; the port is 5122.

In /etc/rc.conf I set the firewall policy to OPEN and enabled natd; I
gave it the natd options of -f /etc/natd.conf... For ipnat I have that
set to NO (not sure what it does).

In the natd.conf file I have this:

redirect_port tcp 192.168.17.25:5122 5122
redirect_port udp 192.168.17.25:5122 5122

I restart natd and theoretically everything that hits 1.2.3.4 on port 5122
should be automatically redirected to 192.168.17.25 port 5122, right?

I have also tried this (since the public interface is aliased (has more than
one public address associated with it)):

redirect_port tcp 192.168.17.25:5122 1.2.3.4:5122
redirect_port udp 192.168.17.25:5122 1.2.3.4:5122
Which doesn't seem to work either.  Any ideas?

Regards,
Jack


RE: Port forwarding

2004-01-12 Thread Budec
Thanks for the reply.

I'm using the default 'rc.firewall' and in the /etc/rc.config I have it set
up to use OPEN.
From what I can tell, it looks like I'm passing everything by default...
here is a snip of the config (not all of the /etc/rc.firewall file, just the
OPEN parts)

[snip]
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
	case ${natd_enable} in
	[Yy][Ee][Ss])
		if [ -n "${natd_interface}" ]; then
			${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
		fi
		;;
	esac
esac

[snip]
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
	# bud
	#${fwcmd} add count log tcp from any to any setup
	#${fwcmd} add count log udp from any to any keep-state

	# clients
	#${fwcmd} add allow tcp from any to 192.168.17.1 5121 keep-state
	#${fwcmd} add allow udp from any to 192.168.17.1 5121 keep-state

	#${fwcmd} add allow tcp from any to 192.168.17.25 5121 keep-state
	#${fwcmd} add allow udp from any to 192.168.17.25 5121 keep-state

	# Gamespy
	#${fwcmd} add allow udp from 192.168.17.1 5121 to 216.177.89.34 27900 keep-state
	#${fwcmd} add allow udp from 192.168.17.1 5121 to 66.244.193.142 5121 keep-state

	#${fwcmd} add allow udp from 192.168.17.25 5121 to 216.177.89.34 27900 keep-state
	#${fwcmd} add allow udp from 192.168.17.25 5121 to 66.244.193.142 5121 keep-state

	${fwcmd} add 65000 pass all from any to any
	;;

'pass all from any to any' should do it right?


Regards,
Jack
 -Original Message-
 From: Ronnie Clark [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 12, 2004 8:14 PM
 To: 'Budec'; 'FreeBSD-questions list'
 Subject: RE: Port forwarding


 Jack,

 What do your firewall rules look like? Is there a rule to allow 5122 traffic
 into the outside interface?

 Just a thought,
 Ron Clark


 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Budec
 Sent: Monday, January 12, 2004 7:50 PM
 To: 'FreeBSD-questions list'
 Subject: Port forwarding

 Hello,

 I have been trying to get this working for days and am obviously doing
 something wrong and was wondering if any Guru's out there could give a
 little guidance.  Basically I'm looking to run a game server behind a
 FreeBSD firewall.  Here is my setup:

 {internet} - [public address] - Firewall - (internal address) Game
 server

 Lets say public address is 1.2.3.4 and private address is
 192.168.17.25 port
 is 5122


 In the /etc/rc.conf I set the firewall policy to OPEN and
 enabled natd, I
 gave it the natd options of -f /etc/natd.conf... for ipnat I have that
 set to NO (not sure what it does)

 In the natd.conf file I have this:

 redirect_port tcp 192.168.17.25:5122 5122
 redirect_port udp 192.168.17.25:5122 5122

 I restart natd and theatrically everything that hits 1.2.3.4 on port 5122
 should be automatically redirected to 192.168.17.25 port 5122, right?

 I have also tried this (since the public interface is aliases
 (has more than
 one public address associated with it)):

 redirect_port tcp 192.168.17.25:5122 1.2.3.4:5122
 redirect_port udp 192.168.17.25:5122 1.2.3.4:5122



 Which doesn't seem to work either.  Any ideas?

 Regards,
 Jack



 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]


RE: Port forwarding

2004-01-12 Thread Budec
: Ronnie Clark [mailto:[EMAIL PROTECTED]
 Sent: Monday, January 12, 2004 9:01 PM
 To: 'Budec'; 'FreeBSD-questions list'
 Subject: RE: Port forwarding


 Jack,

 Well, a tcpdump trace should prove whether the traffic is passing. Do you
 have one?

 Ron Clark



 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Budec
 Sent: Monday, January 12, 2004 8:15 PM
 To: Ronnie Clark; 'Budec'; 'FreeBSD-questions list'
 Subject: RE: Port forwarding




 Thanks for the reply.

 I'm using the default 'rc.firewall' and in the /etc/rc.config I
 have it set
 up to use OPEN.
 From what I can tell, it looks like I'm passing everything by
 default...
 here is a snip of the config (not all of the /etc/rc.firewall
 file, just the
 OPEN parts)

 [snip]
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
 case ${natd_enable} in
 [Yy][Ee][Ss])
 if [ -n ${natd_interface} ]; then
 ${fwcmd} add 50 divert natd all from any
 to any via
 ${natd_interface}
 fi
 ;;
 esac
 esac



 [snip]
 case ${firewall_type} in
 [Oo][Pp][Ee][Nn])
 # bud
 #${fwcmd} add count log tcp from any to any setup
 #${fwcmd} add count log udp from any to any keep-state

 # clients
 #   ${fwcmd} add allow tcp from any to 192.168.17.1 5121 keep-state
 #   ${fwcmd} add allow udp from any to 192.168.17.1 5121 keep-state

 #   ${fwcmd} add allow tcp from any to 192.168.17.25 5121 keep-state
 #   ${fwcmd} add allow udp from any to 192.168.17.25 5121 keep-state


 # Gamespy
 #   ${fwcmd} add allow udp from 192.168.17.1 5121 to
 216.177.89.34 27900
 keep-state
 #   ${fwcmd} add allow udp from 192.168.17.1 5121 to
 66.244.193.142 5121
 keep-state

 #   ${fwcmd} add allow udp from 192.168.17.25 5121 to 216.177.89.34
 27900 keep-state
 #   ${fwcmd} add allow udp from 192.168.17.25 5121 to 66.244.193.142
 5121 keep-state



 ${fwcmd} add 65000 pass all from any to any
 ;;



 'pass all from any to any' should do it right?


 Regards,
 Jack




  -Original Message-
  From: Ronnie Clark [mailto:[EMAIL PROTECTED]
  Sent: Monday, January 12, 2004 8:14 PM
  To: 'Budec'; 'FreeBSD-questions list'
  Subject: RE: Port forwarding
 
 
  Jack,
 
  What do your firewall rules look like? Is there a rule to allow 5122
  traffic into the outside interface?
 
  Just a thought,
  Ron Clark
 
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Budec
  Sent: Monday, January 12, 2004 7:50 PM
  To: 'FreeBSD-questions list'
  Subject: Port forwarding
 
 
 
 
 
  Hello,
 
  I have been trying to get this working for days and am obviously doing
  something wrong and was wondering if any Guru's out there could give a
  little guidance.  Basically I'm looking to run a game server behind a
  FreeBSD firewall.  Here is my setup:
 
  {internet} - [public address] - Firewall - (internal address) Game
  server
 
  Lets say public address is 1.2.3.4 and private address is
  192.168.17.25 port is 5122
 
 
  In the /etc/rc.conf I set the firewall policy to OPEN and enabled
  natd, I gave it the natd options of -f /etc/natd.conf... for ipnat
  I have that set to NO (not sure what it does)
 
  In the natd.conf file I have this:
 
  redirect_port tcp 192.168.17.25:5122 5122
  redirect_port udp 192.168.17.25:5122 5122
 
  I restart natd and theatrically everything that hits 1.2.3.4 on port
  5122 should be automatically redirected to 192.168.17.25 port 5122,
  right?
 
  I have also tried this (since the public interface is aliases (has
  more than one public address associated with it)):
 
  redirect_port tcp 192.168.17.25:5122 1.2.3.4:5122
  redirect_port udp 192.168.17.25:5122 1.2.3.4:5122
 
 
 
  Which doesn't seem to work either.  Any ideas?
 
  Regards,
  Jack
 
 
 
  ___
  [EMAIL PROTECTED] mailing list
  http://lists.freebsd.org/mailman/listinfo/freebsd-questions
  To unsubscribe, send any mail to
  [EMAIL PROTECTED]
 
 

 ___
 [EMAIL PROTECTED] mailing list
 http://lists.freebsd.org/mailman/listinfo/freebsd-questions
 To unsubscribe, send any mail to
 [EMAIL PROTECTED]


RE: NATD Port Forwarding Problems

2003-08-06 Thread Philip Payne
Hi,

 Hi all...I'm at a dead end here.  I'm trying to setup my firewall/nat
 box to forward requests on externalIP:portA to 
 internalPC:portB.  I put
 'natd_flags=-redirect_port tcp 1internalPC:portB portA ' in 
 my rc.conf
 file, and I have the following three statements in my rc.firewall
 script:
 ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
 ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out
 ipfw add pass all from any to $LOCALNET_1 via $EXTERNAL_INTERFACE in
 

Hmmm my first thought is the line:
ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out

... wouldn't the outgoing internal packets be going via an internal
interface first?... are they allowed out properly somewhere else in your
rulebase?

If that's not it, my suggestion would be to temporarily switch on logging
against those two pass rules for the internal host, any deny rules you have
and if you don't have one already, a generic logging deny all as a final
rule. 

These logs should tell you whether any traffic is being blocked and give an
indication as to whether the nat is working properly.

If your site is too busy to grab that much logging then as an alternative
you could switch to a completely open ruleset (with NAT enabled) and this
would allow you to tell whether it's the firewall rulebase or not.

Phil.


NATD Port Forwarding Problems

2003-08-05 Thread Brian McCann
Hi all...I'm at a dead end here.  I'm trying to setup my firewall/nat
box to forward requests on externalIP:portA to internalPC:portB.  I put
'natd_flags=-redirect_port tcp 1internalPC:portB portA ' in my rc.conf
file, and I have the following three statements in my rc.firewall
script:
ipfw add divert 8668 all from any to any via $EXTERNAL_INTERFACE
ipfw add pass all from $LOCALNET_1 to any via $EXTERNAL_INTERFACE out
ipfw add pass all from any to $LOCALNET_1 via $EXTERNAL_INTERFACE in

But when I try to connect, nothing happens.  Any ideas anyone?

Thanks,
--Brian

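Phil's advice above (log the pass rules, finish with a logging deny-all, and fall back to an open ruleset only to bisect) and Brian's three rules describe a checklist that is easy to get wrong in the ordering: if a pass rule on the external interface comes before the divert rule, inbound packets are accepted untranslated and never reach the inside host. The following checker is an added example in Python, not code from the thread or from FreeBSD; it reads `ipfw list` output (the format shown in the open ruleset quoted further down this page) and reports those ordering and hygiene problems. Both listings are constructed: BROKEN_LISTING has a pass rule ahead of the divert and no logging deny, FIXED_LISTING is the external-interface part of a minimal forward of TCP/UDP 5122 to 192.168.17.25 in the style of rc.firewall's SIMPLE rules (LAN-side rules on dc0 are left out). The interface name dc1 and the addresses are assumptions chosen to match the posts.

```python
import re

# Constructed sample `ipfw list` output, modelled on rules quoted in this thread.
# Interface names and addresses are assumptions, not taken from a live system.
BROKEN_LISTING = """\
00040 allow tcp from any to any 5122 via dc1
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Divert first, so every rule after it sees translated addresses: inbound
# packets already carry the inside host as destination, outbound replies
# already carry the public address as source.
FIXED_LISTING = """\
00050 divert 8668 ip from any to any via dc1
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
00400 allow tcp from any to any established
00500 allow tcp from any to 192.168.17.25 5122 in via dc1 setup
00600 deny log tcp from any to any in via dc1 setup
00700 allow tcp from any to any setup
00800 allow udp from any to 192.168.17.25 5122 in via dc1
00900 allow udp from any 5122 to any out via dc1
65000 deny log ip from any to any
65535 deny ip from any to any
"""

# "00050 divert 8668 ip from ..." has a numeric argument after the action,
# "00100 allow ip from ..." does not; the optional group handles both.
RULE_RE = re.compile(r"^(?P<num>\d+) (?P<action>\w+)(?: (?P<arg>\d+))? (?P<body>.+)$")


def parse_ipfw_list(listing):
    """Parse `ipfw list` lines into dicts with num, action, arg and body."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({"num": int(m["num"]), "action": m["action"],
                          "arg": m["arg"], "body": m["body"]})
    return rules


def mentions_iface(body, iface):
    return re.search(rf"\bvia {re.escape(iface)}\b", body) is not None


def check_forwarding_ruleset(rules, ext_iface):
    """Return a list of findings; an empty list means the listing passes."""
    findings = []
    diverts = [r["num"] for r in rules
               if r["action"] == "divert" and mentions_iface(r["body"], ext_iface)]
    first_divert = min(diverts) if diverts else None
    if first_divert is None:
        findings.append(f"no divert rule on {ext_iface}: natd never sees the traffic")
    for r in rules:
        if (r["action"] == "allow" and mentions_iface(r["body"], ext_iface)
                and (first_divert is None or r["num"] < first_divert)):
            findings.append(f"rule {r['num']} accepts on {ext_iface} before the divert: "
                            "packets are passed untranslated and never reach the inside host")
    user = [r for r in rules if r["num"] < 65535]
    if not user or not (user[-1]["action"] == "deny" and user[-1]["body"].startswith("log")):
        findings.append("last rule before 65535 is not 'deny log': blocked packets leave no trace")
    if any(r["action"] == "allow" and r["body"] == "ip from any to any" for r in user):
        findings.append("'allow ip from any to any' present: open ruleset, useful only while bisecting")
    return findings


if __name__ == "__main__":
    for name, listing in (("broken", BROKEN_LISTING), ("fixed", FIXED_LISTING)):
        print(name, check_forwarding_ruleset(parse_ipfw_list(listing), "dc1") or "ok")
```

On a live gateway, feed it `ipfw list` output and the name of the natd interface; the two things it cannot see are whether natd is actually bound to that interface (`natd_interface` in rc.conf, or `-n`) and whether the redirect_port entries cover the port the client is hitting, which is what the log parser earlier on this page is for.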


NAT Port Forwarding with PPPoE won't work

2003-06-06 Thread Yeah!
Hey All---

I need some help, I'm trying to forward ports
5800-6000 on a PPPoE broadband connection to allow a
program called VNC to work.  I have tried everything
but it seems to fail.  I know VNC is working fine as I
can do a telnet localhost 5800 and it works from the
local box.  But from outside the LAN no go.  Here is
my ppp.conf file, and rc.conf please let me know what
I'm doing wrong.

Thanks!
JP

BEGIN PPP.CONF
default:
  set device PPPoE:rl0
  set MRU 1490
  set MTU 1490
  set authname xxx
  set authkey xxx
  set log Phase tun command
  set dial
  set login
  set ifaddr 10.0.0.1/0 10.0.0.2/0
  add default HISADDR
  nat enable yes
  nat port tcp 192.168.1.1:5800-5950 5800-5950
  nat port udp 192.168.1.1:5800-5950 5800-5950
  nat log yes
  set cd off
  set crtscts off
  set redial 0 0

END PPP.CONF-

BEGIN rc.conf-

gateway_enable=YES
hostname=..
#ifconfig_rl0=DHCP
ifconfig_ed0=inet 192.168.1.254 netmask 255.255.255.0
inetd_enable=YES
kern_securelevel_enable=NO
keyrate=fast
moused_enable=YES
moused_port=/dev/cuaa0
moused_type=microsoft
saver=logo
sendmail_enable=YES
enable_quotas=YES
check_quotas=YES
sshd_enable=YES
usbd_enable=YES
ppp_enable=YES
ppp_mode=ddial
ppp_nat=YES
ppp_profile=default
#firewall_enable=YES
natd_enable=YES
natd_interface=tun0
natd_flags=-redirect_port tcp 192.168.1.1:5800-6000 5800-6000 -redirect_port udp 192.168.1.1:5800-6000 5800-6000

end



how to do port forwarding

2003-03-19 Thread Darryl Hoar
Greetings,
I have a firewall running 4.7-stable.  It has ipftable, and nat.  It is
my firewall for my home lan.  I am wanting to play a game with
friends on the internet.  I also want to host a multiplayer game
on my machine.   How do I setup the firewall to forward port
5310 to my windows 2000 pc (the game machine) ?

a pointer to a tutorial would be just fine, if appropriate.

thanks,
Darryl



Re: how to do port forwarding

2003-03-19 Thread Daniel Bye
On Wed, Mar 19, 2003 at 09:53:05AM -0600, Darryl Hoar wrote:
 Greetings,
 I have a firewall running 4.7-stable.  It has ipftable, and nat.  It is
 my firewall for my home lan.  I am wanting to play a game with
 friends on the internet.  I also want to host a multiplayer game
 on my machine.   How do I setup the firewall to forward port
 5310 to my windows 2000 pc (the game machine) ?
 
 a pointer to a tutorial would be just fine, if appropriate.

Check out the NAT section in the handbook:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/natd.html

You will be particularly interested in the redirect_port option.

HTH

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



RE: how to do port forwarding

2003-03-19 Thread Harald Schmalzbauer
[EMAIL PROTECTED] wrote:
 Greetings,
 I have a firewall running 4.7-stable.  It has ipftable, and nat.  It
^ hmmm..

You want to have a look at rdr in man (5) ipnat


 is my firewall for my home lan.  I am wanting to play a game with
 friends on the internet.  I also want to host a multiplayer game
 on my machine.   How do I setup the firewall to forward port
 5310 to my windows 2000 pc (the game machine) ?
 
 a pointer to a tutorial would be just fine, if appropriate.
 
 thanks,
 Darryl
 
 To Unsubscribe: send mail to [EMAIL PROTECTED]
 with unsubscribe freebsd-questions in the body of the message





Re: how to do port forwarding

2003-03-19 Thread Bill Moran
Darryl Hoar wrote:
Greetings,
I have a firewall running 4.7-stable.  It has ipftable, and nat.  It is
my firewall for my home lan.  I am wanting to play a game with
friends on the internet.  I also want to host a multiplayer game
on my machine.   How do I setup the firewall to forward port
5310 to my windows 2000 pc (the game machine) ?
a pointer to a tutorial would be just fine, if appropriate.
I always thought the man page for natd was pretty descriptive.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-16 Thread Matthew Ryan
On Saturday, March 15, 2003, at 03:06  am, Bill Moran wrote:

Matthew Ryan wrote:
On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
Fact is, natd _only_ redirects from the interface it was told to 
bind to.
I'm not exactly sure why the packets don't route out and back in 
when you
try it from inside, but they don't ;( so you always need to test it 
from
the external interface.


The reason they don't route out is that they are addressed to the
router, so it doesn't bother to forward them outside.
Ok, I understand, this does present me with a bit of a problem 
however, accessing my mail server from home for example. Can you 
think of a workaround?
I don't fully understand the question.  What exactly do you mean by
from home?  Is the mail server behind the firewall?  You can port
forward/reroute just about anything to anywhere, with enough time and
patience.  But there's not enough information in the statement you just
made for anyone to help you much.
Sorry, I'll try to be more explicit. I have a number of services on 
ports forwarded from my external IP address to an internal IP address 
via NAT as we have discussed.

The problem is that I can not access these services from inside nat.

Example - My mail server address resolves to my external IP number. 
It's primarily a mobility issue.  From inside NAT I can't collect my 
mail unless I specifically point my browser at the internal IP number 
of my mail server. Yes I can get around this with some sort of client 
location manager or by connecting to the internet via a route other 
than my LAN, but none of these options are ideal.

I am hoping for a routing solution, and I am pleased to read your 
comforting words:

You can port forward/reroute just about anything to anywhere, with 
enough time and
patience.
Lowell Gilbert suggests running local DNS (thanks) but I have no 
experience of DNS and I had other areas of learning in mind for the 
moment.

Can anyone think of another solution?

Thanks again

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-16 Thread Bill Moran
Matthew Ryan wrote:
On Saturday, March 15, 2003, at 03:06  am, Bill Moran wrote:

Matthew Ryan wrote:

On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:

Fact is, natd _only_ redirects from the interface it was told to 
bind to.
I'm not exactly sure why the packets don't route out and back in 
when you
try it from inside, but they don't ;( so you always need to test it 
from
the external interface.
The reason they don't route out is that they are addressed to the
router, so it doesn't bother to forward them outside.
Ok, I understand, this does present me with a bit of a problem 
however, accessing my mail server from home for example. Can you 
think of a workaround?
I don't fully understand the question.  What exactly do you mean by
from home?  Is the mail server behind the firewall?  You can port
forward/reroute just about anything to anywhere, with enough time and
patience.  But there's not enough information in the statement you just
made for anyone to help you much.
Sorry, I'll try to be more explicit. I have a number of services on 
ports forwarded from my external IP address to an internal IP address 
via NAT as we have discussed.

The problem is that I can not access these services from inside nat.

Example - My mail server address resolves to my external IP number. It's 
primarily a mobility issue.  From inside NAT I can't collect my mail 
unless I specifically point my browser at the internal IP number of my 
mail server. Yes I can get around this with some sort of client location 
manager or by connecting to the internet via a route other than my LAN, 
but none of these options are ideal.
I understand.  I don't know if there is any ideal solution, but I'll
offer a few suggestions.
You may be able to run a second instance of natd that works on the internal
interface and redirects traffic as you would like.  This would be experimental:
I have no idea if it would work and only a guess as to how to configure it.
You could also put an alias IP address on the internal machine and manipulate
the routing so it always goes the right place.  This will probably be tricky,
and each time I try to work it out in my head, I end up with a problem.  But
I suppose it's worth a try. (warning: you could effectively shut your network
down by doing this wrong!)
I am hoping for a routing solution, and I am pleased to read your 
comforting words:

You can port forward/reroute just about anything to anywhere, with 
enough time and
patience.
Well ... sometimes it takes a LOT of time and patience ...

Lowell Gilbert suggests running local DNS (thanks) but I have no 
experience of DNS and I had other areas of learning in mind for the moment.
Unfortunately for you, I think running internal DNS is the closest to ideal
that you're going to get.
The basic concept is that outside on the internet, mail.domain.com resolves
to the external interface that is forwarded to your internal machine.
Inside your LAN, a custom DNS server answers your queries, and it points
mail.domain.com directly to the machine on the local LAN.  Thus, you only
need put mail.domain.com into your POP3 config and it always points to
the right place.
I've also heard that newer versions of BIND have a more elegant way of doing
the same thing, but I don't have any experience with that yet.
Can anyone think of another solution?
So far, only the other idea I describe above.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-15 Thread Lowell Gilbert
Matthew Ryan [EMAIL PROTECTED] writes:

 On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
 
  Fact is, natd _only_ redirects from the interface it was told to
  bind to.
  I'm not exactly sure why the packets don't route out and back in
  when you
  try it from inside, but they don't ;( so you always need to test it
  from
  the external interface.
 
  The reason they don't route out is that they are addressed to the
  router, so it doesn't bother to forward them outside.
 
 Ok, I understand, this does present me with a bit of a problem
 however, accessing my mail server from home for example. Can you think
 of a workaround?

Sure.  Use the inside IP address of the server.  You can run your own
DNS server to make this easy.  I do this with my home network; I run
it on the same machine as the mail server, and the DNS isn't
accessible from outside the home network.  



Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Hi there,

I've been trying to route packets received on port  via the 
external interface (used by NAT) of my FreeBSD gateway to the same port 
on a local machine.

The manual would seem to make this simple stuff - I have added the 
following line to /etc/rc.conf:

natd_flags=-redirect_port tcp 192.168.1.241: 

accessing this service on the local machine via the local address is 
fine but a port scan from the outside, reveals that the relevant ports 
appear closed still. Needless to say - the service is unavailable.

I have tried entering the following on the command line (with and 
without the /etc/rc.conf flag):

natd -redirect_port tcp 192.168.1.241: 

but here's what i get:

natd: aliasing address not given

I have tried adding the external address as follows but to no avail:

natd -redirect_port tcp 192.168.1.241: XXX.XXX.XXX.XXX:

To avoid confusion I am running with an open firewall - rules below:

gatewayb# ipfw list
00050 divert 8668 ip from any to any via ep0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
I have read quite a few mails from people finding the same problem but 
not yet found an answer.
My guess is that I am missing something simple but i've been banging 
away at this for a while now and no joy.

Any advice would be appreciated.

Thanks

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Daniel Bye
On Fri, Mar 14, 2003 at 10:30:28AM +, Matthew Ryan wrote:
 Hi there,
 
 I've been trying to route packets received on port  via the 
 external interface (used by NAT) of my FreeBSD gateway to the same port 
 on a local machine.
 
 The manual would seem to make this simple stuff - I have added the 
 following line to /etc/rc.conf:
 
 natd_flags=-redirect_port tcp 192.168.1.241: 
 
 Accessing this service on the local machine via the local address is 
 fine, but a port scan from the outside reveals that the relevant ports 
 still appear closed. Needless to say, the service is unavailable.
 
 I have tried entering the following on the command line (with and 
 without the /etc/rc.conf flag):
 
 natd -redirect_port tcp 192.168.1.241: 
 
 but here's what I get:
 
 natd: aliasing address not given

That's because natd can't determine which interface it should use for
aliasing.  Try specifying it with the -n flag:

# natd -n xl0 -redirect...

Replace xl0 with whatever your external interface is.

HTH,

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Thanks Dan

Unfortunately that doesn't seem to work either.

I get this when I enter on the command line:

natd -n ep0 -redirect_port tcp 192.168.1.241: 

natd: Unable to create divert socket.: Operation not permitted

and no results using the following in /etc/rc.conf:

natd_flags=-n ep0 -redirect_port tcp 192.168.1.241: 

By the way, the interface is specified already in /etc/rc.conf as 
follows:

natd_interface=ep0

any other ideas?

Ta

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Daniel Bye wrote:
> On Fri, Mar 14, 2003 at 10:30:28AM +, Matthew Ryan wrote:
>> natd -redirect_port tcp 192.168.1.241: 
>>
>> but here's what I get:
>>
>> natd: aliasing address not given
>
> That's because natd can't determine which interface it should use for
> aliasing.  Try specifying it with the -n flag:
> # natd -n xl0 -redirect...
>
> Replace xl0 with whatever your external interface is.

Use the natd_interface=xl0 syntax in /etc/rc.conf to add this to the
startup procedure.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Daniel Bye
On Fri, Mar 14, 2003 at 01:07:42PM +, Matthew Ryan wrote:
 Thanks Dan
 
 Unfortunately that doesn't seem to work either.

Rats!

 I get this when I enter on the command line:
 
 natd -n ep0 -redirect_port tcp 192.168.1.241: 
 
 natd: Unable to create divert socket.: Operation not permitted

Silly question, I'm almost blushing to ask - you are running the command as
root, yes?

 and no results using the following in /etc/rc.conf:
 
 natd_flags=-n ep0 -redirect_port tcp 192.168.1.241: 
 
 By the way, the interface is specified already in /etc/rc.conf as 
 follows:
 
 natd_interface=ep0

This will ensure it's picked up at boot time, as Bill stated, but won't
affect the stuff you do on the commandline.

 any other ideas?

If it's not because you are running as a non-root user, no, not really.  

 
 Ta
 
 Matthew Ryan
 
 [EMAIL PROTECTED]

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Daniel Bye wrote:
> On Fri, Mar 14, 2003 at 01:07:42PM +, Matthew Ryan wrote:
>> Thanks Dan
>>
>> Unfortunately that doesn't seem to work either.
>
> Rats!
>
>> I get this when I enter on the command line:
>>
>> natd -n ep0 -redirect_port tcp 192.168.1.241: 
>>
>> natd: Unable to create divert socket.: Operation not permitted
>
> Silly question, I'm almost blushing to ask - you are running the command as
> root, yes?

Also ... are you sure that:
a) You have your kernel configured with IPDIVERT?  The GENERIC kernel
   does _not_.
b) natd isn't already running with different options when you try to
   start it on the command line?

>> and no results using the following in /etc/rc.conf:
>>
>> natd_flags=-n ep0 -redirect_port tcp 192.168.1.241: 
>>
>> By the way, the interface is specified already in /etc/rc.conf as
>> follows:
>>
>> natd_interface=ep0

This is redundant.  You can remove the -n ep0 from natd_flags.

>> any other ideas?

I don't know _what's_ wrong.
But I've got this running in two places with no problems.  It
works just fine, and as far as I can see, the syntax you're using is
correct, so I wouldn't focus on that.  Let us know what you find when
you check the suggestions I made ... I have other suggestions if
those don't help.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Bill and Dan,

Thanks for your help, guys. It's sort of working now, but for the record 
here's the story.

All attempts to start port forwarding from the command line were 
failing because NATD was already running (enabled at boot time) DOH!

> b) natd isn't already running with different options when you try to
>    start it on the command line?

Well spotted Bill!

The /etc/rc.conf entry:

natd_flags=-redirect_port tcp 192.168.1.241: 

was fine since:

natd_interface=ep0

specified the interface.

All in all I just should have posted the whole of my /etc/rc.conf in 
the first place.

Sorry about that.

The real irony is that it was working all along!!

I just didn't know because I was trying to access the service on the 
external IP address of my router from an internal IP address.

When I tried to access it via my other connection (in effect from 
outside) everything worked fine.

I'm sure that there is some reasonable explanation for this to do with 
the way that NAT operates  but I can't figure it out.

Any clues?

Thanks Again

Matthew Ryan

[EMAIL PROTECTED]




Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Lowell Gilbert
Bill Moran [EMAIL PROTECTED] writes:

 Matthew Ryan wrote:
  The /etc/rc.conf entry:
  natd_flags=-redirect_port tcp 192.168.1.241: 
  was fine since:
  natd_interface=ep0
  specified the interface.
  All in all I just should have posted the whole of my /etc/rc.conf in
  the first place.
  Sorry about that.
  The real irony is that it was working all along!!
  I just didn't know because i was trying to access the service on the
  external IP address of my router from an internal IP address.
  When I tried to access it via. my other connection (in effect from
  outside) everything worked fine.
  I'm sure that there is some reasonable explanation for this to do
  with the way that NAT operates  but I can't figure it out.
 
 Fact is, natd _only_ redirects from the interface it was told to bind to.
 I'm not exactly sure why the packets don't route out and back in when you
 try it from inside, but they don't ;( so you always need to test it from
 the external interface.

The reason they don't route out is that they are addressed to the
router, so it doesn't bother to forward them outside.



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:

>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>> I'm not exactly sure why the packets don't route out and back in when you
>> try it from inside, but they don't ;( so you always need to test it from
>> the external interface.
>
> The reason they don't route out is that they are addressed to the
> router, so it doesn't bother to forward them outside.

OK, I understand. This does present me with a bit of a problem, however: 
accessing my mail server from home, for example. Can you think of a 
workaround?

Ta

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Matthew Ryan wrote:
> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>
>>> Fact is, natd _only_ redirects from the interface it was told to bind to.
>>> I'm not exactly sure why the packets don't route out and back in when you
>>> try it from inside, but they don't ;( so you always need to test it from
>>> the external interface.
>>
>> The reason they don't route out is that they are addressed to the
>> router, so it doesn't bother to forward them outside.
>
> OK, I understand. This does present me with a bit of a problem, however:
> accessing my mail server from home, for example. Can you think of a
> workaround?

I don't fully understand the question.  What exactly do you mean by
from home?  Is the mail server behind the firewall?  You can port
forward/reroute just about anything to anywhere, with enough time and
patience.  But there's not enough information in the statement you just
made for anyone to help you much.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


natd port forwarding acting weird

2003-01-16 Thread WillyB
Hi

I finally got natd and IP forwarding set up but have a slight problem I 
don't understand.

The IP forwarding works from the internet, through the cable modem and 
through the FreeBSD router I set up for my internal network, to a www 
server on the private lan.

I can't connect to my server however from my local net using the ip of 
the external net.

I was asking some folks I know for help.. when they told me what the 
page had on it... so it was working for them on their systems from 
various places around the country.. but still gives me a connection 
refused when going from a local machine.

I gave them the ip my ISP gives me.. and it worked.. I try the same IP 
and it doesn't work from my 192.168.0.* box, which by the way is the 
same box with the www server on it I am trying to connect to.
( I can connect to it using the local ip and machine name, but that's 
not the point )  ;)

Does anyone have any ideas as to why this is happening?

Thanks in advance. :)

WillyB




Re: natd port forwarding acting weird

2003-01-16 Thread Matthew Seaman
On Thu, Jan 16, 2003 at 01:49:08AM -0700, WillyB wrote:

 I finally got natd and IP forwarding set up but have a slight problem I 
 don't understand.
 
 The IP forwarding works from the internet, through the cable modem and 
 through the freeBSD router I set up for my internal network, to a www 
 server on the private lan.
 
 I can't connect to my server however from my local net using the ip of 
 the external net.

If you're following the way natd is setup in /etc/rc.firewall, viz
this chunk of code:

case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
        case ${natd_enable} in
        [Yy][Ee][Ss])
                # quote the variable: if it is unset, an unquoted test collapses
                # to '[ -n ]', which is true, and the divert rule is added anyway
                if [ -n "${natd_interface}" ]; then
                        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
                fi
                ;;
        esac
        ;;
esac

notice that the rule to divert packets into natd only selects packets
that traverse the external interface (${natd_interface} in
/etc/rc.conf) of your gateway machine.  Packets from your internal
(192.168.0.0/24) network will not pass through that interface even if
they are destined for your nat'ed address, so they won't hit the
divert rule and they won't get nat'ed.

Now, you might think that the obvious answer is just to drop the 'via
${natd_interface}' part of the divert rule, so that all packets
passing across your gateway machine pass through nat'ing.
Unfortunately, this will fail to work --- apart from the fact that it
will probably screw things up by trying to nat packets going via the
loopback interface and all sorts of other unintended consequences,
your original aim of being able to access your internal server as if
you were coming from outside your net still won't work.

What happens is this:

You send a packet to the NAT address on your gateway.

The modified firewall rules pass the packet through the divert socket
to natd, which rewrites the destination address to be that of your
internal server.  Nb.  the *source* address in the packet is left
untouched.

The packet is then sent across your internal network to your server.
The server deals with it as normal, and generates a response packet
back to the *original sender*, with it's own address as the source.
That happens to be to a machine on the local network, so the response
packet gets delivered straight there.  Normally, the response packet
would be to a remote network and the packet would have to pass through
your gateway to get there, thus giving the natd machinery the chance
to process it, and replace the sender address with the nat address.

Now, the original machine is expecting to have a tcp conversation with
a machine using your nat address.  Unfortunately the packets it
receives in response appear to come from some machine on your local
net.  In order to preserve sanity it ignores those packets and keeps
listening out for the expected response from the place it sent the
packets to.  Eventually it all times out and everybody gives up in
disgust.

There are two possible solutions to this problem.

i) Split Horizon.  Usually implemented in terms of DNS, but you
can fudge the issue using /etc/hosts on your internal machines if
that's easier for you.  All this does is arrange things so that a
lookup for www.mysite.com returns the address of the server on the
internal network when looked up from inside, and the address of
the nat gateway when looked up from outside.

ii) Reverse Proxy.  Instead of accessing your internal server via
a NAT gateway, set up a web proxy on your gateway machine.  Unlike
a normal web proxy, instead of grabbing web pages from out on the
net for the benefit of your internal systems, the reverse proxy
grabs web pages from your internal machine for the benefit of the
rest of the net.  The NAT gateway will rewrite one out of the
sender or recipient addresses of any packets addressed to it,
whereas the proxy will effectively rewrite both the sender and
recipient addresses, solving the problem detailed above.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.   26 The Paddocks
  Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey Marlow
Tel: +44 1628 476614  Bucks., SL7 1TH UK
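
The failure described above, modelled in Python as an added example (not code from the thread or from FreeBSD): natd rewrites one address per direction and only sees packets that cross the external interface, so a LAN client's reply comes back from the server's private address and is discarded, while the reverse proxy of (ii) rewrites both ends. All addresses and port numbers are constructed.

```python
"""Why a natd -redirect_port rule works from the Internet but not from the
LAN, and why a reverse proxy on the gateway works from both sides.

Added example, not code from the thread: it models the packet flow the reply
above describes. All addresses are constructed (RFC 1918 / RFC 5737)."""
from dataclasses import dataclass, replace

LAN = "192.168.0."
GATEWAY_LAN = "192.168.0.1"      # constructed: gateway's inside address
NAT_ADDR = "203.0.113.10"        # constructed: gateway's external (nat) address
SERVER = "192.168.0.2"           # constructed: www server on the private LAN
INSIDE_CLIENT = "192.168.0.5"    # constructed: a client on the same LAN
OUTSIDE_CLIENT = "198.51.100.7"  # constructed: a client on the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


class Endpoint:
    """TCP-like host: accepts a reply only from the exact peer it sent to."""

    def __init__(self, addr, port):
        self.addr, self.port, self.peer = addr, port, None

    def request(self, dst, dport, payload):
        self.peer = (dst, dport)
        return Packet(self.addr, self.port, dst, dport, payload)

    def accepts(self, pkt):
        return ((pkt.dst, pkt.dport) == (self.addr, self.port)
                and (pkt.src, pkt.sport) == self.peer)


def server_reply(pkt):
    """The www server answers whoever the packet says it came from, using its
    own private address as the source; None if nothing listens there."""
    if (pkt.dst, pkt.dport) != (SERVER, 80):
        return None
    return Packet(SERVER, 80, pkt.src, pkt.sport, "HTTP/1.0 200 OK")


def natd(pkt):
    """natd -redirect_port tcp SERVER:80 80: inbound, rewrite only the
    destination; outbound, rewrite only the source."""
    if (pkt.dst, pkt.dport) == (NAT_ADDR, 80):
        return replace(pkt, dst=SERVER, dport=80)
    if (pkt.src, pkt.sport) == (SERVER, 80):
        return replace(pkt, src=NAT_ADDR, sport=80)
    return pkt


def via_external_interface(pkt):
    """natd is reached only 'via ${natd_interface}': a packet from the LAN to
    another LAN host, or to the gateway's own NAT address, never goes out."""
    from_inside = pkt.src.startswith(LAN)
    stays_local = pkt.dst.startswith(LAN) or pkt.dst == NAT_ADDR
    return not (from_inside and stays_local)


def gateway(pkt, divert_all=False):
    """Apply natd as rc.firewall does, or to every packet if divert_all."""
    return natd(pkt) if divert_all or via_external_interface(pkt) else pkt


def from_outside():
    """Internet client -> NAT address: natd rewrites both directions."""
    client = Endpoint(OUTSIDE_CLIENT, 40000)
    req = gateway(client.request(NAT_ADDR, 80, "GET / HTTP/1.0"))
    return client.accepts(gateway(server_reply(req)))


def from_inside(divert_all=False):
    """LAN client -> NAT address. Stock rule: natd never sees the request and
    nothing answers. Diverting everything: the server replies straight back
    with its private source address, which the client does not recognise."""
    client = Endpoint(INSIDE_CLIENT, 40000)
    req = gateway(client.request(NAT_ADDR, 80, "GET / HTTP/1.0"), divert_all)
    reply = server_reply(req)
    if reply is None:
        return False
    if via_external_interface(reply):
        reply = gateway(reply, divert_all)
    return client.accepts(reply)


def from_inside_via_reverse_proxy():
    """A proxy on the gateway terminates the client's connection and opens
    its own to the server, so both addresses are effectively rewritten."""
    client = Endpoint(INSIDE_CLIENT, 40000)
    req = client.request(NAT_ADDR, 80, "GET / HTTP/1.0")
    proxy = Endpoint(GATEWAY_LAN, 50000)
    upstream = server_reply(proxy.request(SERVER, 80, req.payload))
    if upstream is None or not proxy.accepts(upstream):
        return False
    return client.accepts(Packet(req.dst, req.dport, req.src, req.sport, upstream.payload))
```

The same model also shows why the "drop the via clause" idea fails: from_inside(divert_all=True) still returns False, for the reason given in the reply.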




Re: natd port forwarding acting weird

2003-01-16 Thread WillyB
Thanks for your answer and solutions Matthew :)

This is my 4th day of using freeBSD and I'm still very new to it.
I have used RedHat prior to this and when I could not get it to connect 
to my ISP via the cable modem I installed freeBSD. ;)

Actually.. I don't fully understand the rc.firewall script, so I made my 
own very simple one :)

I will try to implement the reverse proxy solution you wrote about as 
this will probably be easiest for me.

Thanks again for your help and very thorough explanation. I understand 
what's happening now ;)

Re's and Cheers!

WillyB





RE: mac os x 10.2.3 jaguar and port forwarding?

2002-12-31 Thread Aaron Burke
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]]On Behalf Of Ralph
 Freibeuter
 Sent: Monday, December 30, 2002 04:27 PM
 To: [EMAIL PROTECTED]
 Subject: mac os x 10.2.3 jaguar and port forwarding?


 How can I exactly define a rule (and where?) that forwards
 incoming requests to port 445 (samba?) to an internal machine
 with lan ip 192.168.2.50 ?

 The routing Mac's IP is 192.168.2.1 and the external IP is
 given by ISP via pppoe.

 Please help me.

 I've already tried:

 sudo natd -redirect_port tcp 192.168.2.50:445 445

I am assuming that there are several ways of doing this. I am
blindly assuming that you are doing this on the FreeBSD box.

I was using regular ppp to forward all incoming traffic on
port 6112 to a specific box inside the 192.168.0.2 range using
the following. This was required to play on battle.net with one
specific Windows machine on my private network. I added the
following three lines to /etc/rc.conf:

natd_enable="YES"
natd_interface="tun0"
natd_flags="-f /etc/natd.conf"

Then within /etc/natd.conf I have:
dynamic yes
use_sockets yes
same_ports yes
unregistered_only
redirect_port udp 192.168.0.2:6112 6112

And the result that I obtain looks like this
alpha# ps auxw | grep natd
root 160  0.0  0.1   436   32  ??  Is   21Dec02   0:19.62 /sbin/natd -f /etc/natd.conf -n tun0


 But all I get are messages about errors and addresses
 that already have been given.

 Please help

Lemme know if this was any help.


 Regards,
 Ralph





Re: mac os x 10.2.3 jaguar and port forwarding?

2002-12-31 Thread Chuck Swiger
Ralph Freibeuter wrote:

How can I exactly define a rule (and where?) that forwards
incoming requests to port 445 (samba?) to an internal machine
with lan ip 192.168.2.50 ?

The routing Mac's IP is 192.168.2.1 and the external IP is
given by ISP via pppoe.


As someone else mentioned Darwin (aka MacOS X) isn't FreeBSD, but the two are 
similar enough.  If you're attempting to do filesharing over the network, be 
aware that just dealing with 445 isn't nearly enough; you should look into 
doing a VPN, rather than NAT.

-Chuck




mac os x 10.2.3 jaguar and port forwarding?

2002-12-30 Thread Ralph Freibeuter
How can I exactly define a rule (and where?) that forwards
incoming requests to port 445 (samba?) to an internal machine
with lan ip 192.168.2.50 ?

The routing Mac's IP is 192.168.2.1 and the external IP is
given by ISP via pppoe.

Please help me.

I've already tried:

sudo natd -redirect_port tcp 192.168.2.50:445 445

But all I get are messages about errors and addresses
that already have been given.

Please help

Regards,
Ralph





Re: mac os x 10.2.3 jaguar and port forwarding?

2002-12-30 Thread David Schultz
Thus spake Ralph Freibeuter [EMAIL PROTECTED]:
 How can I exactly define a rule (and where?) that forwards
 incoming requests to port 445 (samba?) to an internal machine
 with lan ip 192.168.2.50 ?
 
 The routing Mac's IP is 192.168.2.1 and the external IP is
 given by ISP via pppoe.
 
 Please help me.
 
 I've already tried:
 
 sudo natd -redirect_port tcp 192.168.2.50:445 445
 
 But all I get are messages about errors and addresses
 that already have been given.

This isn't an OS X list, but...

have you tried killing any existing natd instances before you try
the command above?  I just use natd_flags in rc.conf to specify
the -redirect_port options, and it works fine.




Re: port forwarding

2002-11-22 Thread Kliment Andreev
> What is the easiest way of forwarding a port in FreeBSD. Suppose I want
> my server to listen on port 8280, but want all connection attempts to port
> 80 to be forwarded to this port ... can that be done?

Put this in /etc/ipnat.rules

rdr dc0 0/0 port 80 -> 127.0.0.1 port 8280 tcp

And this in /etc/rc.conf

ipfilter_enable=YES
ipnat_enable=YES
ipmon_enable=YES
ipfs_enable=YES

I am using a similar configuration for squid. But remember to check the
documentation first.
Here is a great article:

http://www.defcon1.org/~ghostrdr/FreeBSD-STABLE_and_IPFILTER.html







port forwarding

2002-11-21 Thread Shvetima Gulati

Hi all,

What is the easiest way of forwarding a port in FreeBSD. Suppose I want
my server to listen on port 8280, but want all connection attempts to port
80  to be forwarded to this port ... can that be done?

Thanks,
Shv







Re: port forwarding

2002-11-21 Thread Marco Radzinschi
On Thu, 21 Nov 2002, Shvetima Gulati wrote:


 Hi all,

 What is the easiest way of forwarding a port in FreeBSD. Suppose I want
 my server to listen on port 8280, but want all connection attempts to port
 80  to be forwarded to this port ... can that be done?

 Thanks,
 Shv

Yes, with IPFilter.  In particular, you want to look at the ipnat part of
IPFilter, and the rdr (redirect) keyword.  Be sure to redirect to the
loopback interface (lo0).

man ipf
man 5 ipf

man ipnat
man 5 ipnat


Marco Radzinschi
E-Mail: [EMAIL PROTECTED]

Thu Nov 21 22:56:35 EST 2002





Re: port forwarding

2002-11-21 Thread Axel Gruner
Hiho.

On Thu, 21 Nov 2002 18:48:03 -0800 (PST)
Shvetima Gulati [EMAIL PROTECTED] wrote:
 What is the easiest way of forwarding a port in FreeBSD. Suppose I
 want my server to listen on port 8280, but want all connection
 attempts to port 80  to be forwarded to this port ... can that be
 done?

Install rinetd from the ports.
In the rinetd.conf you will type:
your_IP 80 your_IP 8280
or
0.0.0.0 80 your_IP_in_a_jail 8280

asg





port forwarding/natd...multiple IPs

2002-10-24 Thread Peter
Hello,
I got port forwarding to work with one IP, but let's say I have several IPs:
natd -n fxp0 -redirect_port 192.168.1.1:25 50 - this works as it connects me 
to my smtp server if I go to port 50.
But as soon as I have several IPs:
192.168.1.1
192.168.1.11
192.168.1.12
192.168.1.13 etc.

That port forwards only if I connect to 192.168.1.1:50 but connecting to any 
alias IP it won't do a port forward.

--
Be security conscious -- National defense is at stake.

---FreeBSD The Power To Serve---




port forwarding with ppp natd

2002-09-28 Thread Casey Scott

Hi all,

I have been through all the documentation I can find, and I still haven't
found a definitive answer to my question about port forwarding with a ppp
connection. I have a DSL that uses PPPOE, so the system is connected using
PPP. I need to forward ports from the server to internal systems (natd ips).
PPP filters don't seem to be able to port forward, e.g. redirect
192.168.1.5:9090 9090 (natd rule). From what I have seen, it looks like natd
can be used to nat a ppp connection. I am currently using the -nat connection
with PPP. When I try natd with a -n tun0, the internal client doesn't have a
connection. When I try natd with -n xl0, I get an error about the card can't
be used. I understand why I get these errors, so I'm wondering how to get natd
to work with ppp. Or if it's even possible to use ppp filters or ipfw to
accomplish the goal of forwarding packets from a specific external port to an
internal machine.

Thanks
Casey




Confusing problem with SSH port forwarding.

2002-07-11 Thread Philip Hallstrom

Hi all -
I've been tearing my hair out for an hour now trying to figure
this out and I'm completely stumped.  Didn't see anything in the archives
which hopefully means I'm just doing something stupid, but I don't see it.

Here's the environment:

win2k_client 
 \
server1 --- hub -- firewall -- internet -- server3
 /
server2 -

server1 and server3 are running web servers.
firewall is also running natd.

If on server2 I do

  ssh -l user -g -N -v -L :server1:80 localhost

then from win2k_client I can go to http://server2: in IE and it works
like I'd expect it to.  That is, I get the home page of server1.

If on server2 I do

  ssh -l user -g -N -v -L :server3:80 localhost

then...

- from win2k_client IE just sits and sits and sits -- and no entries are
generated in server3's log files.

- from win2k_client I can do Start-Run-telnet server2  followed by
GET / HTTP/1.0 and I *do* get the home page of server3.

- from server2 I can also telnet to port  and get a connection, but
fetch fails with fetch: -: Undefined error: 0


What I don't understand is that obviously the tunnel is setup and running
since it is possible to use it, but why can't IE or fetch connect?

I don't think it's a webserver issue because both servers are configured
to respond to any IP address they know about.  And changing port  to
port 80 doesn't make a difference in the results.

SSH Version is: OpenSSH_2.9 FreeBSD localisations 20020307, SSH protocols
1.5/2.0, OpenSSL 0x0090601f

Do I need to upgrade all the ssh servers to the latest?  Doesn't seem like
it since it *is* working.

I'm having the same problem when trying to use SecureCRT or Putty to do
the forwarding directly from win2k_client.  IE won't work, but telnet'ing
directly will.

Anyway, I'm stumped..  anyone got any ideas?





