Re: Port forwarding behind two routers

2008-11-19 Thread Luke Dean



On Wed, 19 Nov 2008, Jakub T wrote:


2008/11/15 Luke Dean <[EMAIL PROTECTED]>



Port-forwarding through two NATs is something I've never had any success
with.  I have a few suggestions that have worked for me and my friends with
this setup.

A) Disable NAT on the ADSL router.  I think the term is "bridged mode".
Turn it into a dumb box and shift all the NAT/firewall/routing
responsibilities over to your wireless router.  Depending on your ISP, the
hardware, and the protocols involved, this may not be an option for you.

B) Disable NAT on the wireless router.  This allows it to be a simple
switch and wireless access point.  The price is that you're probably relying
on the DHCP server in the wireless router for your wireless devices and
you'll have to disable the DHCP when you disable NAT.  This creates new
problems to be solved.

C) Plug the FreeBSD box into the ADSL router, skipping the wireless router.
 Your wireless devices will still be double-NATted, but if you're not
running servers on them, you might be able to live with that.



Luke,

Thank you very much, your advice was very helpful and I now have working
port forwarding through two routers. Sorry for the delay in answering;
it took me some time to test various options...

Actually your (A) advice is what did the job. I turned off DHCP server on
ADSL router and enabled "NAT - DMZ Host" option on it (for which I realized
that it was the closest to your description of "bridged mode").

Then I configured the wireless router to use static IP config instead of
expecting DHCP server. The situation is now this:

                INTERNET
                    |
            telephone/adsl-wire
                    |
                    |
               ADSL router
            wan : xx.xx.xx.xx                        FreeBSD box (wired)
            lan : 192.168.1.1                        ip: 192.168.0.102
                    |               laptop           gateway: 192.168.0.1
                    |             (wireless)                 |
             [internet plug]    ip: 192.168.0.101            |
             Wireless router    gateway: 192.168.0.1         |
             wan : 192.168.1.2          :                    |
             lan : 192.168.0.1  . . . . :                    |
             [ethernet plug]                                 |
                    |                                        |
                    +----------------------------------------+

DMZ host for ADSL router is 192.168.1.2 -- and it works!

I have one question more (forgive my ignorance): now the wireless router is
configured to use static IP config and I must provide one or more "Static
DNS servers" to it. Is it ok to type just "192.168.1.1" as DNS (which works
for now) or to copy DNS servers which are automatically provided to the ADSL
router by the ISP?


Your solution is a little different from what I was suggesting, but it
might be a better solution in some ways.

If 192.168.1.1 really works as a source of DNS, I would take that to
mean that your ADSL router is passing your name requests along to the
nameservers that the ISP provided it.  That's good.
If your ISP ever moves its nameservers, it will tell your ADSL box
about it, and the changes should propagate.
If you hardcoded your DNS addresses into your wireless router, you would
have to change them by hand if a change was ever required.

I believe your wireless router is now responsible for being the
firewall for your network, so make sure you've set that up.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Port forwarding behind two routers

2008-11-18 Thread Jakub T
2008/11/15 Luke Dean <[EMAIL PROTECTED]>

>
> Port-forwarding through two NATs is something I've never had any success
> with.  I have a few suggestions that have worked for me and my friends with
> this setup.
>
> A) Disable NAT on the ADSL router.  I think the term is "bridged mode".
> Turn it into a dumb box and shift all the NAT/firewall/routing
> responsibilities over to your wireless router.  Depending on your ISP, the
> hardware, and the protocols involved, this may not be an option for you.
>
> B) Disable NAT on the wireless router.  This allows it to be a simple
> switch and wireless access point.  The price is that you're probably relying
> on the DHCP server in the wireless router for your wireless devices and
> you'll have to disable the DHCP when you disable NAT.  This creates new
> problems to be solved.
>
> C) Plug the FreeBSD box into the ADSL router, skipping the wireless router.
>  Your wireless devices will still be double-NATted, but if you're not
> running servers on them, you might be able to live with that.
>
>
Luke,

Thank you very much, your advice was very helpful and I now have working
port forwarding through two routers. Sorry for the delay in answering;
it took me some time to test various options...

Actually your (A) advice is what did the job. I turned off DHCP server on
ADSL router and enabled "NAT - DMZ Host" option on it (for which I realized
that it was the closest to your description of "bridged mode").

Then I configured the wireless router to use static IP config instead of
expecting DHCP server. The situation is now this:

                INTERNET
                    |
            telephone/adsl-wire
                    |
                    |
               ADSL router
            wan : xx.xx.xx.xx                        FreeBSD box (wired)
            lan : 192.168.1.1                        ip: 192.168.0.102
                    |               laptop           gateway: 192.168.0.1
                    |             (wireless)                 |
             [internet plug]    ip: 192.168.0.101            |
             Wireless router    gateway: 192.168.0.1         |
             wan : 192.168.1.2          :                    |
             lan : 192.168.0.1  . . . . :                    |
             [ethernet plug]                                 |
                    |                                        |
                    +----------------------------------------+

DMZ host for ADSL router is 192.168.1.2 -- and it works!

I have one question more (forgive my ignorance): now the wireless router is
configured to use static IP config and I must provide one or more "Static
DNS servers" to it. Is it ok to type just "192.168.1.1" as DNS (which works
for now) or to copy DNS servers which are automatically provided to the ADSL
router by the ISP?

Once again, thank you.
Jakub


Re: Port forwarding behind two routers

2008-11-15 Thread Wojciech Puchar
> B) Disable NAT on the wireless router.  This allows it to be a simple switch
> and wireless access point.  The price is that you're probably relying on the
> DHCP server in the wireless router for your wireless devices and you'll have
> to disable the DHCP when you disable NAT.  This creates new problems to be
> solved.


no problem. ADSL router can do DHCP for everything.



> C) Plug the FreeBSD box into the ADSL router, skipping the wireless router.
> Your wireless devices will still be double-NATted, but if you're not running
> servers on them, you might be able to live with that.




Re: Port forwarding behind two routers

2008-11-15 Thread Luke Dean



On Sat, 15 Nov 2008, Jakub T wrote:


Good day people,

I'm trying to get wireless Internet access for my laptop and to use this
wireless router as a switch for my FreeBSD box at the same time. This
wireless router has one Internet plug and four Ethernet plugs for wired
boxes. Now I have this situation:

                INTERNET
                    |
            telephone/adsl-wire
                    |
                    |
               ADSL router
            wan : xx.xx.xx.xx                        FreeBSD box (wired)
            lan : 192.168.1.1                        ip: 192.168.0.102
                    |               laptop           gateway: 192.168.0.1
                    |             (wireless)                 |
             [internet plug]    ip: 192.168.0.101            |
             Wireless router    gateway: 192.168.0.1         |
             lan : 192.168.0.1  . . . . :                    |
             [ethernet plug]                                 |
                    |                                        |
                    +----------------------------------------+


The wireless router software configured the router like this:

Destination LAN IP   Subnet Mask      Gateway        Interface
0.0.0.0              0.0.0.0          192.168.1.1    WAN (Internet)
192.168.0.0          255.255.255.0    192.168.0.1    LAN & Wireless
192.168.1.0          255.255.255.0    192.168.1.2    WAN (Internet)

... so it works as a switch for two boxes and as a router at the same time.

The FreeBSD box is configured like this:

ifconfig_XXX0="inet 192.168.0.102 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

Now I have Internet connection on both computers. However, I can't get aMule
and other apps that need port forwarding working on FreeBSD box.

First, I tried to configure ADSL router (192.168.1.1) just to forward 4662
port to 192.168.0.102, doesn't work.

Then, I tried this:
192.168.1.1 router: forward 4662 to 192.168.0.1
192.168.0.1 router: forward 4662 to 192.168.0.102

not working again.

I have a feeling that I'm missing something very simple, but can't figure
out what.

(A note: before I acquired a wireless router, forwarding with one router was
just working, with FreeBSD box configured as 192.168.1.101, so that side of
things is ok. And, no, it's not possible to use just wireless router because
I can't plug telephone wire in it.)

Can anyone help me? Should I post more details? TIA,
Jakub


Port-forwarding through two NATs is something I've never had any success 
with.  I have a few suggestions that have worked for me and my 
friends with this setup.


A) Disable NAT on the ADSL router.  I think the term is "bridged mode". 
Turn it into a dumb box and shift all the NAT/firewall/routing 
responsibilities over to your wireless router.  Depending on your ISP, the 
hardware, and the protocols involved, this may not be an option for you.


B) Disable NAT on the wireless router.  This allows it to be a simple 
switch and wireless access point.  The price is that you're probably 
relying on the DHCP server in the wireless router for your wireless 
devices and you'll have to disable the DHCP when you disable NAT.  This 
creates new problems to be solved.


C) Plug the FreeBSD box into the ADSL router, skipping the wireless 
router.  Your wireless devices will still be double-NATted, but if you're 
not running servers on them, you might be able to live with that.


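A quick way to confirm how many NAT layers sit in front of a host before chasing forwarding rules, added here as an example and not part of the thread: run traceroute from the FreeBSD box and count the leading hops that carry private addresses. Two such hops is exactly Jakub's situation; with one, the single router's forward is all that is needed. The traceroute text inside the block is a constructed sample built from the gateway addresses in his diagram; the hops beyond the two routers, the destination 192.0.2.10 and the 100.64/10 check are assumptions that go beyond the thread (100.64/10 is carrier-grade NAT space, and a provider-side NAT cannot be fixed from the home routers at all).

```shell
#!/bin/sh
# Added example, not code from the thread: count the NAT layers between a host
# and the Internet from traceroute output, as the leading run of hops whose
# addresses are private (RFC 1918) or carrier-grade NAT space (RFC 6598,
# 100.64/10). POSIX sh + awk. The traceroute text below is a constructed sample
# using the gateway addresses from Jakub's diagram; the hops beyond them are
# documentation addresses (RFC 5737), not a real ISP.
SAMPLE_TRACE='traceroute to example.net (192.0.2.10), 64 hops max, 40 byte packets
 1  192.168.0.1 (192.168.0.1)  0.612 ms  0.480 ms  0.455 ms
 2  192.168.1.1 (192.168.1.1)  1.204 ms  1.101 ms  1.087 ms
 3  203.0.113.1 (203.0.113.1)  18.930 ms  19.102 ms  18.877 ms
 4  192.0.2.10 (192.0.2.10)  25.411 ms  25.208 ms  25.377 ms'

# is_nat_addr A.B.C.D: true for 10/8, 172.16/12, 192.168/16 and 100.64/10
is_nat_addr() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case $1 in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
        100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 0 ;;
    esac
    return 1
}

# nat_layers [TRACEROUTE_TEXT]: number of leading NAT-address hops before the
# first public hop; unanswered hops ("* * *") are skipped. Without an argument
# it runs traceroute -n towards 192.0.2.10 on the live box.
nat_layers() {
    printf '%s\n' "${1:-$(traceroute -n 192.0.2.10)}" |
    awk '$1 ~ /^[0-9]+$/ { print $2 }' |
    {
        n=0
        while read -r hop; do
            case $hop in '*') continue ;; esac
            if is_nat_addr "$hop"; then n=$((n + 1)); else break; fi
        done
        echo "$n"
    }
}

layers=$(nat_layers "$SAMPLE_TRACE")
case $layers in
    0) echo "public address on the host: no NAT to forward through" ;;
    1) echo "one NAT layer: forward the port on that router" ;;
    *) echo "$layers NAT layers: forward on each, or bridge/DMZ the outer one" ;;
esac
```

The count stops at the first public hop, so a private address further along the path (inside the ISP) is not mistaken for another layer in front of the host.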


Re: Port forwarding.

2006-01-24 Thread Daniel A.
Ah, thanks a lot! It finally works!

*Does a happy dance*

All the other guides to ipfilter / ipnat only listed changes to ONE of
the files (either ipf.rules or ipnat.rules), and never mentioned
putting the changes before mapping, even though they did cover that
topic.

On 1/24/06, Igor Robul <[EMAIL PROTECTED]> wrote:
> On Tue, Jan 24, 2006 at 06:41:27AM +0100, Daniel A. wrote:
> > sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > options=8<VLAN_MTU>
> > inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
> > inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> > ether 00:0a:e6:53:fc:1e
> > media: Ethernet autoselect (100baseTX )
> > status: active
> > rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> > options=8<VLAN_MTU>
> > inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
> > inet 87.50.69.60 netmask 0xffffff80 broadcast 87.50.69.127
> > ether 00:b0:02:00:27:f3
> > media: Ethernet autoselect (100baseTX )
> > status: active
> >
> > I have been googling and reading ifconfig papers all day yesterday, in
> > the search for how to do simple port-forwarding, but nothing has
> > worked.
> > So, this is my final resort: How would I forward the ports 9541 (TCP)
> > and 9542 (UDP) to 192.168.0.2 on my LAN?
> /etc/ipnat.conf:
> rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
> rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
>
> somewhere on top of file (before "map").
>
> Also you need something like this in your /etc/ipf.rules:
>
> pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep 
> state
> pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep 
> state


Re: Port forwarding.

2006-01-24 Thread Igor Robul
On Tue, Jan 24, 2006 at 06:41:27AM +0100, Daniel A. wrote:
> sis0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::20a:e6ff:fe53:fc1e%sis0 prefixlen 64 scopeid 0x2
> inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
> ether 00:0a:e6:53:fc:1e
> media: Ethernet autoselect (100baseTX )
> status: active
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> options=8<VLAN_MTU>
> inet6 fe80::2b0:2ff:fe00:27f3%rl0 prefixlen 64 scopeid 0x3
> inet 87.50.69.60 netmask 0xffffff80 broadcast 87.50.69.127
> ether 00:b0:02:00:27:f3
> media: Ethernet autoselect (100baseTX )
> status: active
> 
> I have been googling and reading ifconfig papers all day yesterday, in
> the search for how to do simple port-forwarding, but nothing has
> worked.
> So, this is my final resort: How would I forward the ports 9541 (TCP)
> and 9542 (UDP) to 192.168.0.2 on my LAN?
/etc/ipnat.conf:
rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp

somewhere on top of file (before "map").

Also you need something like this in your /etc/ipf.rules:

pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state
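The two pieces Igor lists (rdr lines above the map line in /etc/ipnat.conf, and pass rules in /etc/ipf.rules that name the internal host) are easy to get half right, which is what Daniel ran into. The following is an added example, not code from the thread: it stages both files and checks them against each other before anything is loaded. Every rdr must precede the first map, and every redirected host/port/protocol must have a narrow "pass in" rule for the post-translation destination, because IPFilter applies rdr to an inbound packet before the filter rules see it, so a rule written against the public address never matches. The map lines, the default block rule and the staging directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: stage the ipnat/ipf rules Igor
# describes and lint them before loading them on the gateway.
# Assumptions: outside interface rl0, internal host 192.168.0.2, and the
# map/block lines below, which are not in the original posts.
STAGE=$(mktemp -d)

# ipnat.conf: rdr (inbound redirects) first, the outbound map rules after them,
# as the thread advises.
cat > "$STAGE/ipnat.conf" <<'EOF'
rdr rl0 0/0 port 9541 -> 192.168.0.2 port 9541 tcp
rdr rl0 0/0 port 9542 -> 192.168.0.2 port 9542 udp
map rl0 192.168.0.0/24 -> 0/32 portmap tcp/udp 10000:40000
map rl0 192.168.0.0/24 -> 0/32
EOF

# ipf.rules: IPFilter applies rdr before filtering inbound packets, so the pass
# rules must name the internal host and port, not the public address.
cat > "$STAGE/ipf.rules" <<'EOF'
pass in quick on rl0 proto tcp from any to 192.168.0.2/32 port = 9541 keep state
pass in quick on rl0 proto udp from any to 192.168.0.2/32 port = 9542 keep state
pass out quick on rl0 all keep state
block in quick on rl0 all
EOF

# check_rdr_before_map FILE: succeed only if no rdr line follows a map line.
check_rdr_before_map() {
    awk '$1 == "map" { seen_map = 1 }
         $1 == "rdr" && seen_map { bad = 1 }
         END { exit bad ? 1 : 0 }' "$1"
}

# check_pass_for_rdr NATFILE RULEFILE: each rdr target (host, port, proto)
# needs a narrow "pass in" rule; report any that have none.
check_pass_for_rdr() {
    missing=0
    while read -r kw _if _src _pw _pp _arrow host _pw2 port proto; do
        [ "$kw" = "rdr" ] || continue
        h=$(printf '%s' "$host" | sed 's/\./\\./g')   # literal dots in the regex
        if ! grep -Eq "^pass in .*proto $proto .*to $h(/32)? port = $port( |\$)" "$2"; then
            echo "no pass rule for $proto $host:$port" >&2
            missing=1
        fi
    done < "$1"
    return $missing
}

# lint_stage: run both checks; the exit status is what a caller should act on.
lint_stage() {
    check_rdr_before_map "$STAGE/ipnat.conf" ||
        { echo "ipnat.conf: rdr rule found after a map rule" >&2; return 1; }
    check_pass_for_rdr "$STAGE/ipnat.conf" "$STAGE/ipf.rules" || return 1
    echo "staged rules in $STAGE pass both checks"
}

lint_stage
# After copying the staged files into /etc on the gateway:
#   ipf -Fa -f /etc/ipf.rules && ipnat -CF -f /etc/ipnat.conf
#   ipnat -l          # active rdr/map rules and current translations
#   ipfstat -io       # loaded filter rules, inbound and outbound
```

The cross-check is deliberately strict about protocol and port: a "pass in ... from any to 192.168.0.2" line with no port would satisfy a looser check while opening every port on the internal host that any future rdr happens to point at.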


RE: port forwarding and IP-less firewall

2004-02-25 Thread Edison Cala
hello again list!

my firewall is setup in freebsd 4.5 and had not implemented nat.


Re: port forwarding and ip-less firewall

2004-02-25 Thread Nathan Kinkade
On Wed, Feb 25, 2004 at 05:19:35PM +0800, Edison Cala  wrote:
> hello list!
> 
> i want to ask some help on port forwarding in a bridge-firewall
> network.
> 
> our network setup is:
> 
> 1. the router is outside the firewall, direct to the internet.
> 2. the bridge-firewall computer (2 ethernet cards installed, eth0 -
> outside (router), eth1 - protected network) is between the router and
> the protected network.
> 
> all the servers are behind the firewall and only opened the allowed
> ports. i have 2 mail servers (unit1.domain.com and unit2.domain.com)
> running on the protected network, unit1.domain.com is just an smtp
> relay for unit2.domain.com and its working fine. however, i want to
> put a rule (port forward) in firewall to forward request destined to
> unit2.domain.com (port 25), but that request should be first passed to
> unit1.domain.com (for antispam processing) before unit2. unit1 should
> then be the one to forward the request to unit2.domain.com.
> 
> why i want to do this is that, some mails are getting through and
> received at unit2 without passing to unit1. in mx, unit1 is the 1st
> prio and unit2 is 2nd prio only.
> 
> please help and give an idea on port forwarding rules between two
> servers within the protected network.
> 
> thank you!
> 
> edison cala

I think this would normally be handled using a 'fwd' rule (man ipfw),
but the manpage specifically states:

"A fwd rule will not match layer-2 packets (those received on
ether_input, ether_output, or bridged)."

So, I'm not sure how you could implement this when using ipfw on a
bridged interface.

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49




RE: port forwarding and ip-less firewall

2004-02-25 Thread JJB
Really hard to help you when you do not post what firewall you are
using and the nat rules you are using.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Edison Cala
Sent: Wednesday, February 25, 2004 4:20 AM
To: [EMAIL PROTECTED]
Subject: port forwarding and ip-less firewall

hello list!

i want to ask some help on port forwarding in a bridge-firewall
network.

our network setup is:

1. the router is outside the firewall, direct to the internet.
2. the bridge-firewall computer (2 ethernet cards installed, eth0 -
outside (router), eth1 - protected network) is between the router
and the protected network.

all the servers are behind the firewall and only opened the allowed
ports. i have 2 mail servers (unit1.domain.com and unit2.domain.com)
running on the protected network, unit1.domain.com is just an smtp
relay for unit2.domain.com and its working fine. however, i want to
put a rule (port forward) in firewall to forward request destined to
unit2.domain.com (port 25), but that request should be first passed
to unit1.domain.com (for antispam processing) before unit2. unit1
should then be the one to forward the request to unit2.domain.com.

why i want to do this is that, some mails are getting through and
received at unit2 without passing to unit1. in mx, unit1 is the 1st
prio and unit2 is 2nd prio only.

please help and give an idea on port forwarding rules between two
servers within the protected network.

thank you!

edison cala


Re: Port Forwarding

2004-01-22 Thread James Earl
If the variables for the 'SIMPLE' rules are setup properly, 'SIMPLE'
should be no different than using 'OPEN' from your win2k's perspective. 
This is assuming you don't have a broken rc.firewall file.

Looking at your original post, your sample was missing the 'onet'
variable.

# set these to your outside interface network and netmask and ip
oif="rl0"
onet="???.???.???.???"
omask="255.255.255.0"  <-- make sure this is right!!!
oip="me"

# set these to your inside interface network and netmask and ip
iif="rl1"
inet="192.168.0.1"
imask="255.255.255.0"
iip="192.168.0.1"

Also, you shouldn't be using IPFIREWALL_DEFAULT_TO_ACCEPT in your kernel
configuration.  I use:

options IPFIREWALL
options IPFIREWALL_VERBOSE
options IPDIVERT

Also see IPFIREWALL_VERBOSE_LIMIT in the firewall section of the
Handbook.

IPFIREWALL_VERBOSE allows you to get helpful information in
/var/log/security.  If you are having troubles with connectivity, look
in /var/log/security to see if it shows what's being blocked and by what
rule.

Hope this helps.

James

On Thu, 2004-01-22 at 04:54, Rishi Chopra wrote:
> James,
> 
> I've configured my Win2k box to contact DNS directly, and both Direct 
> Connect and VNC Server are running smoothly (port forwarding is being 
> accomplished (per your suggestion) by natd.conf).
> 
> I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm 
> protection of its own); this is truly the only sticking point.  I'm 
> under the impression that selecting 'SIMPLE' rather than 'OPEN' provides 
> an additional layer of protection to the gateway by preventing certain 
> spoofing attacks.  Unfortunately, I seem unable to switch the firewall 
> type without crippling my Win2k box's functionality.  Perhaps I'll give 
> it a go again sometime in the future.
> 
> 
> Here's a copy of the relevant files:
> 
> //natd.conf
> 
> unregistered_only
> interface rl0
> use_sockets
> dynamic
> redirect_port tcp 192.168.0.2:5800 5800
> redirect_port tcp 192.168.0.2:5900 5900
> redirect_port tcp 192.168.0.2:412 412
> redirect_port tcp 192.168.0.2:1412 1412
> punch_fw 2000:50
> 
> //rc.conf
> 
> gateway_enable="YES"
> hostname="usha.dyndns.org"
> ifconfig_rl0="DHCP"
> ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
> kern_securelevel_enable="NO"
> firewall_enable="YES"
> firewall_type="OPEN"
> # firewall_type="SIMPLE"
> firewall_quiet="NO"
> natd_enable="YES"
> natd_interface="rl0"
> natd_flags="-f /etc/natd.conf"
> linux_enable="YES"
> sendmail_enable="NO"
> sshd_enable="YES"
> 
> -R


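James's advice to read /var/log/security is the quickest way to see why SIMPLE breaks DNS for the Win2k box. What follows is an added example, not code from the thread: a small POSIX sh/awk summariser for the "ipfw: <rule> Deny ..." lines that IPFIREWALL_VERBOSE produces, grouped by rule number, protocol, destination and interface, so the blocking rule is named instead of guessed at. The log lines inside the block are constructed; the hostname, rule numbers and addresses are not from the original posts.

```shell
#!/bin/sh
# Added example, not code from the thread: summarise what ipfw is blocking,
# and by which rule, from the "ipfw: <rule> Deny ..." lines that
# IPFIREWALL_VERBOSE writes to /var/log/security. POSIX sh + awk.
# The log lines below are constructed for this example (hostname, rule
# numbers and addresses are not from the original posts).
SAMPLE_LOG='Jan 22 04:50:01 usha kernel: ipfw: 300 Deny UDP 192.168.0.2:1031 203.0.113.53:53 in via rl1
Jan 22 04:50:03 usha kernel: ipfw: 300 Deny UDP 192.168.0.2:1032 203.0.113.53:53 in via rl1
Jan 22 04:50:05 usha kernel: ipfw: 300 Deny ICMP:8.0 192.168.0.2 192.168.0.1 in via rl1
Jan 22 04:51:10 usha kernel: ipfw: 500 Deny TCP 198.51.100.7:41022 203.0.113.10:5800 in via rl0
Jan 22 04:51:10 usha kernel: ipfw: 65000 Deny TCP 198.51.100.7:41023 203.0.113.10:23 in via rl0'

# summarize_ipfw_denies [FILE]: one line per (rule, proto, destination,
# direction, interface), most frequent first. Reads FILE, or stdin if none.
summarize_ipfw_denies() {
    awk '
        /ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            rule = $(i+1); proto = $(i+3); dst = $(i+5); dir = $(i+6); iface = $(i+8)
            # TCP/UDP carry "addr:port"; ICMP lines carry a bare address
            n = split(dst, d, ":"); dport = (n == 2) ? d[2] : "-"
            key = "rule " rule " " proto " to " d[1] ":" dport " " dir " via " iface
            count[key]++
        }
        END { for (k in count) printf "%5d  %s\n", count[k], k }
    ' "$@" | sort -rn
}

# denies_to_port LOGTEXT PORT: total Deny entries whose destination port is PORT.
denies_to_port() {
    printf '%s\n' "$1" | summarize_ipfw_denies |
        awk -v p="$2" '$0 ~ (":" p " ") { s += $1 } END { print s + 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_ipfw_denies
```

In the constructed sample the top line is rule 300 denying UDP to port 53 in via rl1: DNS queries from the inside being dropped, which is the symptom Rishi describes. The fix is the one James gives, a pass rule for DNS from the inside under SIMPLE, not a return to OPEN; the two rl0 lines at the bottom are the firewall doing its job against unsolicited traffic from outside and should stay denied.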


Re: Port Forwarding

2004-01-22 Thread Rishi Chopra
James,

I've configured my Win2k box to contact DNS directly, and both Direct 
Connect and VNC Server are running smoothly (port forwarding is being 
accomplished (per your suggestion) by natd.conf).

I've set the firewall type to 'OPEN' (the Win2k client has ZoneAlarm 
protection of its own); this is truly the only sticking point.  I'm 
under the impression that selecting 'SIMPLE' rather than 'OPEN' provides 
an additional layer of protection to the gateway by preventing certain 
spoofing attacks.  Unfortunately, I seem unable to switch the firewall 
type without crippling my Win2k box's functionality.  Perhaps I'll give 
it a go again sometime in the future.

Here's a copy of the relevant files:

//natd.conf

unregistered_only
interface rl0
use_sockets
dynamic
redirect_port tcp 192.168.0.2:5800 5800
redirect_port tcp 192.168.0.2:5900 5900
redirect_port tcp 192.168.0.2:412 412
redirect_port tcp 192.168.0.2:1412 1412
punch_fw 2000:50
//rc.conf

gateway_enable="YES"
hostname="usha.dyndns.org"
ifconfig_rl0="DHCP"
ifconfig_rl1="inet 192.168.0.1 netmask 255.255.255.0"
kern_securelevel_enable="NO"
firewall_enable="YES"
firewall_type="OPEN"
# firewall_type="SIMPLE"
firewall_quiet="NO"
natd_enable="YES"
natd_interface="rl0"
natd_flags="-f /etc/natd.conf"
linux_enable="YES"
sendmail_enable="NO"
sshd_enable="YES"
-R

James Earl wrote:
If you want your gateway to forward DNS queries from your private
network, you will probably have to run named to answer the DNS queries
and forward them out to your ISP's name servers.
You may also want to run a DHCP server.

I don't believe ipfw has the forwarding capability you're looking for in
this case.
You may want to get the DNS setup first, and then enable ipfw once you
know that named is setup properly.
As for the firewall rules, you'd probably just have to modify slightly
the DNS related ones that already exist under "SIMPLE."  Instead of
letting DNS queries in from the outside, you want to let DNS queries in
from the "inside."
Let me know if you have any other questions, and I'll try to help.

James

On Mon, 2004-01-19 at 21:06, Rishi Chopra wrote:

If I want the gateway to forward DNS queries (e.g. have the win2k box 
query the gateway for DNS requests) what do I need to do?  What would 
the rule look like?

James Earl wrote:


On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:


What I want to do:  (1) Change firewall type from 'OPEN' to 'SIMPLE' and 
(2) Forward ports 412 and 5800 to my Win2k box.

What I have:  The setup is pictured below. 
IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in 
my kernel config file,  are also enabled.  Rule-of-thumb advice about 
"how best to secure a network" is not necessary in this case (the Win2k 
box has its own firewall installed (ZoneAlarm) and I already know too 
much about security).

    ISP               FreeBSD Gateway               Win2k Box

>---------rl0--------------------------rl1--------------<
   ALL    DHCP               192.168.0.1           192.168.0.2

The problem:  When I change the firewall type to SIMPLE from OPEN, the 
Win2k box can no longer query DNS and pings to the 192.168.0.1 address 
do not work.  With the firewall type set to OPEN, there are no problems 
whatsoever.  I am also new to the IPFW syntax.

What I would like to know is: (1) the syntax for forwarding incoming 
connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) 
whether the syntax for allowing connections to the outside network (such 
as DNS) is correct and if some other problem is preventing the win2k box 

from querying DNS when SIMPLE is enabled.


The FreeBSD Handbook can describe port redirection using NAT better than
I can:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

With the SIMPLE firewall rules, all your machines on your LAN should be
able to establish connections.  Make sure that you have your ISP's DNS
servers' IPs specified on the win2k machine, and also that your FreeBSD
machine's IP is set up as the default gateway in win2k.
You shouldn't be able to ping the FreeBSD gateway from the win2k machine
because of the FreeBSD gateway's firewall.
Another test... try accessing a machine out on the Internet using its IP
address and see if you get out.
James








___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Port Forwarding

2004-01-20 Thread James Earl
If you want your gateway to forward DNS queries from your private
network, you will probably have to run named to answer the DNS queries
and forward them out to your ISP's name servers.

You may also want to run a DHCP server.

I don't believe ipfw has the forwarding capability you're looking for in
this case.

You may want to get the DNS setup first, and then enable ipfw once you
know that named is setup properly.

As for the firewall rules, you'd probably just have to modify slightly
the DNS related ones that already exist under "SIMPLE."  Instead of
letting DNS queries in from the outside, you want to let DNS queries in
from the "inside."

Let me know if you have any other questions, and I'll try to help.

James

On Mon, 2004-01-19 at 21:06, Rishi Chopra wrote:
> If I want the gateway to forward DNS queries (e.g. have the win2k box 
> query the gateway for DNS requests) what do I need to do?  What would 
> the rule look like?
> 
> James Earl wrote:
> 
> > On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
> > 
> >>What I want to do:  (1) Change firewall type from 'OPEN' to 'SIMPLE' and 
> >>(2) Forward ports 412 and 5800 to my Win2k box.
> >>
> >>What I have:  The setup is pictured below. 
> >>IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in 
> >>my kernel config file,  are also enabled.  Rule-of-thumb advice about 
> >>"how best to secure a network" is not necessary in this case (the Win2k 
> >>box has its own firewall installed (ZoneAlarm) and I already know too 
> >>much about security).
> >>
> >>    ISP               FreeBSD Gateway               Win2k Box
> >>
> >>>---------rl0--------------------------rl1--------------<
> >>   ALL    DHCP               192.168.0.1           192.168.0.2
> >>
> >>The problem:  When I change the firewall type to SIMPLE from OPEN, the 
> >>Win2k box can no longer query DNS and pings to the 192.168.0.1 address 
> >>do not work.  With the firewall type set to OPEN, there are no problems 
> >>whatsoever.  I am also new to the IPFW syntax.
> >>
> >>What I would like to know is: (1) the syntax for forwarding incoming 
> >>connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) 
> >>whether the syntax for allowing connections to the outside network (such 
> >>as DNS) is correct and if some other problem is preventing the win2k box 
> >>from querying DNS when SIMPLE is enabled.
> > 
> > 
> > The FreeBSD Handbook can describe port redirection using NAT better than
> > I can:
> > 
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html
> > 
> > With the SIMPLE firewall rules, all your machines on your LAN should be
> > able to establish connections.  Make sure that you have your ISP's DNS
> > servers' IPs specified on the win2k machine, and also that your FreeBSD
> > machine's IP is set up as the default gateway in win2k.
> > 
> > You shouldn't be able to ping the FreeBSD gateway from the win2k machine
> > because of the FreeBSD gateway's firewall.
> > 
> > Another test... try accessing a machine out on the Internet using its IP
> > address and see if you get out.
> > 
> > James
> > 
> > 
> > 



Re: Port Forwarding

2004-01-20 Thread James Earl
On Mon, 2004-01-19 at 21:04, Rishi Chopra wrote:
> No, those are the values in the file.  I had posted a previous question 
> to the list asking what the right values should be (my rl0 interface is 
> configured via DHCP) - any ideas what I should put in this section?
> 
> James Earl wrote:
> 
> > On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
> > 
> >>Here's the rc.firewall file, with comments trimmed for formatting:
> >>
> >>[Ss][Ii][Mm][Pp][Ll][Ee])
> >> 
> >>
> >> # set these to your outside interface network and netmask and ip
> >> oif="rl0"
> >> omask="255.255.255.0"
> >> oip="me"
> > 
> > 
> > I'm assuming these aren't the real values you have in your actual
> > rc.firewall.
> > 

Maybe I shouldn't have been surprised to see 255.255.255.0 as your ISP's
subnet mask... I'm not sure.  I'm definitely not an expert.  Is that in
fact your ISP's subnet mask?

James




Re: Port Forwarding

2004-01-19 Thread Rishi Chopra
No, those are the values in the file.  I had posted a previous question 
to the list asking what the right values should be (my rl0 interface is 
configured via DHCP) - any ideas what I should put in this section?

James Earl wrote:

On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:

Here's the rc.firewall file, with comments trimmed for formatting:

[Ss][Ii][Mm][Pp][Ll][Ee])

# set these to your outside interface network and netmask and ip
oif="rl0"
omask="255.255.255.0"
oip="me"


I'm assuming these aren't the real values you have in your actual
rc.firewall.
James



--
Rishi Chopra
http://www.ocf.berkeley.edu/~rchopra
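James is right that onet and omask have to match the outside interface: the SIMPLE section uses them in its anti-spoofing rules, so a wrong mask either drops legitimate traffic or lets spoofed source addresses through. When rl0 gets its address from DHCP the values are whatever the lease says, and they can be read off ifconfig rather than typed in. The block below is an added example, not code from the thread: a POSIX sh script that derives the four variables from ifconfig output. The ifconfig text in it is a constructed sample that reuses the rl0 address and netmask posted in the 2006 thread on this page; the interface name and the output format are assumptions about a FreeBSD box of that era.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the rc.firewall SIMPLE
# variables (oif, onet, omask, oip) for a DHCP-assigned outside interface from
# ifconfig output instead of guessing them. POSIX sh + awk.
# The ifconfig text below is a constructed sample that reuses the rl0
# address and netmask posted in the 2006 thread on this page.
SAMPLE_IFCONFIG='rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 87.50.69.60 netmask 0xffffff80 broadcast 87.50.69.127
        ether 00:b0:02:00:27:f3'

# hexmask_to_dotted 0xffffff80 -> 255.255.255.128 (dotted masks pass through)
hexmask_to_dotted() {
    case $1 in
        0x*) m=$(( $1 ))
             echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))" ;;
        *)   echo "$1" ;;
    esac
}

# ip_and_mask IP MASK -> network address (bitwise AND, octet by octet)
ip_and_mask() {
    oldifs=$IFS; IFS=.
    set -- $1 $2
    IFS=$oldifs
    echo "$(( $1 & $5 )).$(( $2 & $6 )).$(( $3 & $7 )).$(( $4 & $8 ))"
}

# rc_firewall_vars IFACE [IFCONFIG_TEXT]: print the four assignments for the
# SIMPLE section. Without IFCONFIG_TEXT it runs ifconfig on the live box.
rc_firewall_vars() {
    iface=$1
    text=${2:-$(ifconfig "$iface")}
    set -- $(printf '%s\n' "$text" | awk '$1 == "inet" { print $2, $4; exit }')
    [ $# -eq 2 ] || { echo "no inet address on $iface" >&2; return 1; }
    ip=$1; mask=$(hexmask_to_dotted "$2")
    printf 'oif="%s"\nonet="%s"\nomask="%s"\noip="%s"\n' \
        "$iface" "$(ip_and_mask "$ip" "$mask")" "$mask" "$ip"
}

rc_firewall_vars rl0 "$SAMPLE_IFCONFIG"
```

For the sample this prints onet="87.50.69.0" and omask="255.255.255.128", not the 255.255.255.0 from the posted file. Because a DHCP lease can move the box to a different subnet, regenerate and reload the variables when the lease changes rather than copying them into rc.firewall once.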


Re: Port Forwarding

2004-01-19 Thread James Earl
On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
> Here's the rc.firewall file, with comments trimmed for formatting:
> 
> [Ss][Ii][Mm][Pp][Ll][Ee])
>  
> 
>  # set these to your outside interface network and netmask and ip
>  oif="rl0"
>  omask="255.255.255.0"
>  oip="me"

I'm assuming these aren't the real values you have in your actual
rc.firewall.

James




Re: Port Forwarding

2004-01-19 Thread James Earl
On Mon, 2004-01-19 at 13:58, Rishi Chopra wrote:
> What I want to do:  (1) Change firewall type from 'OPEN' to 'SIMPLE' and 
> (2) Forward ports 412 and 5800 to my Win2k box.
> 
> What I have:  The setup is pictured below. 
> IPFIREWALL_DEFAULT_TO_ACCEPT, IPDIVERT and IPFILTER are all enabled in 
> my kernel config file,  are also enabled.  Rule-of-thumb advice about 
> "how best to secure a network" is not necessary in this case (the Win2k 
> box has its own firewall installed (ZoneAlarm) and I already know too 
> much about security).
> 
>     ISP               FreeBSD Gateway               Win2k Box
> 
> >---------rl0--------------------------rl1--------------<
>    ALL    DHCP               192.168.0.1           192.168.0.2
> 
> The problem:  When I change the firewall type to SIMPLE from OPEN, the 
> Win2k box can no longer query DNS and pings to the 192.168.0.1 address 
> do not work.  With the firewall type set to OPEN, there are no problems 
> whatsoever.  I am also new to the IPFW syntax.
> 
> What I would like to know is: (1) the syntax for forwarding incoming 
> connections from rl0 to rl1 (and ultimately to 192.168.0.2) and (2) 
> whether the syntax for allowing connections to the outside network (such 
> as DNS) is correct and if some other problem is preventing the win2k box 
> from querying DNS when SIMPLE is enabled.

The FreeBSD Handbook can describe port redirection using NAT better than
I can:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-natd.html

With the SIMPLE firewall rules, all your machines on your LAN should be
able to establish connections.  Make sure that you have your ISP's DNS
servers' IPs specified on the win2k machine, and also that your FreeBSD
machine's IP is set up as the default gateway in win2k.

You shouldn't be able to ping the FreeBSD gateway from the win2k machine
because of the FreeBSD gateway's firewall.

Another test... try accessing a machine out on the Internet using its IP
address and see if you get out.

James


___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


RE: Port forwarding

2004-01-12 Thread Budec
36551 hydra.5121 > 192.168.17.25.5120: udp 19
21:06:29.737477 192.168.17.25.5120 > hydra.5121: udp 6
21:06:29.737530 192.168.17.25.5120 > hydra.5121: udp 11
21:06:29.741486 192.168.17.25.5120 > hydra.5121: udp 6
21:06:29.746442 63.231.238.229.ssh > 192.168.17.25.2403: P 5552:5580(28) ack
1 win 58400 (DF) [tos 0x10]
21:06:29.746720 192.168.17.25.2403 > 63.231.238.229.ssh: . ack 5580 win
65243 (DF)
21:06:29.756377 hydra.5121 > 192.168.17.25.5120: udp 25
21:06:29.756470 hydra.5121 > 192.168.17.25.5120: udp 11
21:06:29.756576 hydra.5121 > 192.168.17.25.5120: udp 25
21:06:29.761597 192.168.17.25.5120 > hydra.5121: udp 11
21:06:29.776317 hydra.5121 > 192.168.17.25.5120: udp 11
21:06:29.780531 192.168.17.25.5120 > hydra.5121: udp 11
21:06:29.796315 hydra.5121 > 192.168.17.25.5120: udp 11
21:06:29.799719 192.168.17.25.5120 > hydra.5121: udp 11




> -Original Message-
> From: Ronnie Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 9:01 PM
> To: 'Budec'; 'FreeBSD-questions list'
> Subject: RE: Port forwarding
>
>
> Jack,
>
> Well, a tcpdump trace should prove whether the traffic is passing. Do you
> have one?
>
> Ron Clark
>

RE: Port forwarding

2004-01-12 Thread Budec


Thanks for the reply.

I'm using the default 'rc.firewall' and in the /etc/rc.config I have it set
up to use "OPEN".
From what I can tell, it looks like I'm passing everything by default...
here is a snip of the config (not all of the /etc/rc.firewall file, just the
OPEN parts)

[snip]
case ${firewall_type} in
[Oo][Pp][Ee][Nn]|[Cc][Ll][Ii][Ee][Nn][Tt])
    case ${natd_enable} in
    [Yy][Ee][Ss])
        if [ -n "${natd_interface}" ]; then
            ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
        fi
        ;;
    esac
esac

[snip]
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
    # bud
    #${fwcmd} add count log tcp from any to any setup
    #${fwcmd} add count log udp from any to any keep-state

    # clients
    #   ${fwcmd} add allow tcp from any to 192.168.17.1 5121 keep-state
    #   ${fwcmd} add allow udp from any to 192.168.17.1 5121 keep-state

    #   ${fwcmd} add allow tcp from any to 192.168.17.25 5121 keep-state
    #   ${fwcmd} add allow udp from any to 192.168.17.25 5121 keep-state

    # Gamespy
    #   ${fwcmd} add allow udp from 192.168.17.1 5121 to 216.177.89.34 27900 keep-state
    #   ${fwcmd} add allow udp from 192.168.17.1 5121 to 66.244.193.142 5121 keep-state

    #   ${fwcmd} add allow udp from 192.168.17.25 5121 to 216.177.89.34 27900 keep-state
    #   ${fwcmd} add allow udp from 192.168.17.25 5121 to 66.244.193.142 5121 keep-state

    ${fwcmd} add 65000 pass all from any to any
    ;;

'pass all from any to any' should do it, right?


Regards,
Jack




> -Original Message-
> From: Ronnie Clark [mailto:[EMAIL PROTECTED]
> Sent: Monday, January 12, 2004 8:14 PM
> To: 'Budec'; 'FreeBSD-questions list'
> Subject: RE: Port forwarding
>
>
> Jack,
>
> What do your firewall rules look like? Is there a rule to allow
> 5122 traffic into the outside interface?
>
> Just a thought,
> Ron Clark
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Budec
> Sent: Monday, January 12, 2004 7:50 PM
> To: 'FreeBSD-questions list'
> Subject: Port forwarding
>
>
>
>
>
> Hello,
>
> I have been trying to get this working for days and am obviously doing
> something wrong and was wondering if any gurus out there could give a
> little guidance.  Basically I'm looking to run a game server behind a
> FreeBSD firewall.  Here is my setup:
>
> {internet} <-> [public address] - Firewall <-> (internal address) Game
> server
>
> Let's say public address is 1.2.3.4 and private address is
> 192.168.17.25, port is 5122
>
>
> In the /etc/rc.conf I set the firewall policy to "OPEN" and
> enabled natd, I gave it the natd options of "-f /etc/natd.conf"... for
> "ipnat" I have that set to "NO" (not sure what it does)
>
> In the natd.conf file I have this:
>
> redirect_port tcp 192.168.17.25:5122 5122
> redirect_port udp 192.168.17.25:5122 5122
>
> I restart natd and theoretically everything that hits 1.2.3.4 on port 5122
> should be automatically redirected to 192.168.17.25 port 5122, right?
>
> I have also tried this (since the public interface is aliased (it has more
> than one public address associated with it)):
>
> redirect_port tcp 192.168.17.25:5122 1.2.3.4:5122
> redirect_port udp 192.168.17.25:5122 1.2.3.4:5122
>
>
>
> Which doesn't seem to work either.  Any ideas?
>
> Regards,
> Jack
>
>
>



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-16 Thread Bill Moran
Matthew Ryan wrote:
> On Saturday, March 15, 2003, at 03:06  am, Bill Moran wrote:
>> Matthew Ryan wrote:
>>> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>>>>> Fact is, natd _only_ redirects from the interface it was told to
>>>>> bind to.
>>>>> I'm not exactly sure why the packets don't route out and back in
>>>>> when you try it from inside, but they don't ;( so you always need
>>>>> to test it from the external interface.
>>>> The reason they don't "route out" is that they are addressed to the
>>>> router, so it doesn't bother to forward them outside.
>>> Ok, I understand, this does present me with a bit of a problem
>>> however, accessing my mail server from home for example. Can you
>>> think of a workaround?
>> I don't fully understand the question.  What exactly do you mean by
>> "from home"?  Is the mail server behind the firewall?  You can port
>> forward/reroute just about anything to anywhere, with enough time and
>> patience.  But there's not enough information in the statement you just
>> made for anyone to help you much.
> Sorry, I'll try to be more explicit. I have a number of services on
> ports forwarded from my external IP address to an internal IP address
> via NAT as we have discussed.
>
> The problem is that I can not access these services from inside NAT.
>
> Example - My mail server address resolves to my external IP number. It's
> primarily a mobility issue.  From inside NAT I can't collect my mail
> unless I specifically point my browser at the internal IP number of my
> mail server. Yes I can get around this with some sort of client location
> manager or by connecting to the internet via a route other than my LAN,
> but none of these options are ideal.

I understand.  I don't know if there is any "ideal" solution, but I'll
offer a few suggestions.

You may be able to run a second instance of natd that works on the internal
interface and redirects traffic as you would like.  This would be experimental:
I have no idea if it would work and only a guess as to how to configure it.

You could also put an alias IP address on the internal machine and manipulate
the routing so it always goes the right place.  This will probably be tricky,
and each time I try to work it out in my head, I end up with a problem.  But
I suppose it's worth a try. (warning: you could effectively shut your network
down by doing this wrong!)

> I am hoping for a routing solution, and I am pleased to read your
> comforting words:
>
>> You can port forward/reroute just about anything to anywhere, with
>> enough time and patience.

Well ... sometimes it takes a LOT of time and patience ...

> Lowell Gilbert suggests running local DNS (thanks) but I have no
> experience of DNS and I had other areas of learning in mind for the moment.

Unfortunately for you, I think running internal DNS is the closest to "ideal"
that you're going to get.

The basic concept is that outside on the internet, "mail.domain.com" resolves
to the external interface that is forwarded to your internal machine.
Inside your LAN, a custom DNS server answers your queries, and it points
"mail.domain.com" directly to the machine on the local LAN.  Thus, you only
need to put "mail.domain.com" into your POP3 config and it always points to
the right place.

I've also heard that newer versions of BIND have a more elegant way of doing
the same thing, but I don't have any experience with that yet.

> Can anyone think of another solution?

So far, only the other idea I describe above.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
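The three situations discussed in this thread (an outside client hitting the public address, a LAN client hitting the public address, and a LAN client resolving the name to the internal address), modelled as an added example that is not code from the thread. All addresses except 192.168.1.241 are constructed, and the gateway is a simplified model of a redirect bound to one interface, not a claim about how natd itself behaves when run on the internal interface; the model also shows why a second redirect on the LAN side only works if the source address is rewritten too, so the reply comes back through the gateway.

```python
from dataclasses import dataclass

# Constructed addresses for the model; only 192.168.1.241 comes from the thread.
EXT_IP = "1.2.3.4"           # gateway's public address on ep0
GW_LAN_IP = "192.168.1.1"    # gateway's address on the LAN side
MAIL = "192.168.1.241"       # internal mail server
CLIENT = "192.168.1.50"      # a LAN workstation
OUTSIDE = "198.51.100.7"     # a host on the Internet
REDIRECT = {25: (MAIL, 25)}  # natd redirect_port tcp 192.168.1.241:25 25
GATEWAY_SERVICES = set()     # the gateway itself runs no mail service


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int


def is_lan(ip):
    return ip.startswith("192.168.1.")


class Gateway:
    """Routing plus a natd-like redirect applied on selected interfaces."""

    def __init__(self, nat_ifaces=("ep0",), rewrite_source=False):
        self.nat_ifaces = nat_ifaces          # where the divert rule applies
        self.rewrite_source = rewrite_source  # hairpin: also rewrite the source
        self.sessions = {}                    # translated (ip, port) -> original

    def inbound(self, pkt):
        """Return ('local' | 'forwarded', packet as the next host will see it)."""
        iface = "lan0" if is_lan(pkt.src) else "ep0"
        if pkt.dst == EXT_IP and iface in self.nat_ifaces and pkt.dport in REDIRECT:
            tip, tport = REDIRECT[pkt.dport]
            src, sport = pkt.src, pkt.sport
            if self.rewrite_source and iface == "lan0":
                src, sport = GW_LAN_IP, 40000 + len(self.sessions)
            self.sessions[(src, sport)] = (pkt.src, pkt.sport)
            return "forwarded", Pkt(src, sport, tip, tport)
        if pkt.dst in (EXT_IP, GW_LAN_IP):
            return "local", pkt  # addressed to the router itself: never sent out
        return "forwarded", pkt

    def reply(self, pkt):
        """Undo the translation on a server reply that comes back through us."""
        orig = self.sessions.get((pkt.dst, pkt.dport))
        if orig is None:
            return pkt
        return Pkt(EXT_IP, pkt.sport, orig[0], orig[1])


def round_trip(gw, client, dst):
    """Outcome when `client` opens a TCP session to dst:25 through the model."""
    req = Pkt(client, 1025, dst, 25)
    if dst == MAIL and is_lan(client):
        seen = req                          # same LAN: the gateway is not involved
    else:
        where, seen = gw.inbound(req)
        if where == "local":
            return "served by gateway" if 25 in GATEWAY_SERVICES else "refused"
    rep = Pkt(MAIL, 25, seen.src, seen.sport)  # server answers whoever it saw
    if not is_lan(rep.dst) or rep.dst == GW_LAN_IP:
        rep = gw.reply(rep)                 # reply passes back through the gateway
    # A client accepts only a reply from the address and port it connected to.
    expected = (dst, 25, client, 1025)
    return "ok" if (rep.src, rep.sport, rep.dst, rep.dport) == expected else "reply dropped"


def scenarios():
    return {
        "outside -> public address": round_trip(Gateway(), OUTSIDE, EXT_IP),
        "inside -> public address": round_trip(Gateway(), CLIENT, EXT_IP),
        "inside, redirect also on lan0": round_trip(Gateway(("ep0", "lan0")), CLIENT, EXT_IP),
        "inside, redirect + source rewrite": round_trip(Gateway(("ep0", "lan0"), True), CLIENT, EXT_IP),
        "inside, split DNS -> internal address": round_trip(Gateway(), CLIENT, MAIL),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:40s} {outcome}")
```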


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-16 Thread Matthew Ryan
On Saturday, March 15, 2003, at 03:06  am, Bill Moran wrote:
> Matthew Ryan wrote:
>> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>>>> Fact is, natd _only_ redirects from the interface it was told to
>>>> bind to.
>>>> I'm not exactly sure why the packets don't route out and back in
>>>> when you try it from inside, but they don't ;( so you always need
>>>> to test it from the external interface.
>>> The reason they don't "route out" is that they are addressed to the
>>> router, so it doesn't bother to forward them outside.
>> Ok, I understand, this does present me with a bit of a problem
>> however, accessing my mail server from home for example. Can you
>> think of a workaround?
> I don't fully understand the question.  What exactly do you mean by
> "from home"?  Is the mail server behind the firewall?  You can port
> forward/reroute just about anything to anywhere, with enough time and
> patience.  But there's not enough information in the statement you just
> made for anyone to help you much.

Sorry, I'll try to be more explicit. I have a number of services on
ports forwarded from my external IP address to an internal IP address
via NAT as we have discussed.

The problem is that I can not access these services from inside NAT.

Example - My mail server address resolves to my external IP number.
It's primarily a mobility issue.  From inside NAT I can't collect my
mail unless I specifically point my browser at the internal IP number
of my mail server. Yes I can get around this with some sort of client
location manager or by connecting to the internet via a route other
than my LAN, but none of these options are ideal.

I am hoping for a routing solution, and I am pleased to read your
comforting words:

> You can port forward/reroute just about anything to anywhere, with
> enough time and patience.

Lowell Gilbert suggests running local DNS (thanks) but I have no
experience of DNS and I had other areas of learning in mind for the
moment.

Can anyone think of another solution?

Thanks again

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-15 Thread Lowell Gilbert
Matthew Ryan <[EMAIL PROTECTED]> writes:

> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
> 
> >> Fact is, natd _only_ redirects from the interface it was told to
> >> bind to.
> >> I'm not exactly sure why the packets don't route out and back in
> >> when you
> >> try it from inside, but they don't ;( so you always need to test it
> >> from
> >> the external interface.
> >
> > The reason they don't "route out" is that they are addressed to the
> > router, so it doesn't bother to forward them outside.
> >
> Ok, I understand, this does present me with a bit of a problem
> however, accessing my mail server from home for example. Can you think
> of a workaround?

Sure.  Use the inside IP address of the server.  You can run your own
DNS server to make this easy.  I do this with my home network; I run
it on the same machine as the mail server, and the DNS isn't
accessible from outside the home network.  



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Matthew Ryan wrote:
> On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>>> Fact is, natd _only_ redirects from the interface it was told to bind
>>> to.
>>> I'm not exactly sure why the packets don't route out and back in when
>>> you try it from inside, but they don't ;( so you always need to test
>>> it from the external interface.
>> The reason they don't "route out" is that they are addressed to the
>> router, so it doesn't bother to forward them outside.
> Ok, I understand, this does present me with a bit of a problem however,
> accessing my mail server from home for example. Can you think of a
> workaround?

I don't fully understand the question.  What exactly do you mean by
"from home"?  Is the mail server behind the firewall?  You can port
forward/reroute just about anything to anywhere, with enough time and
patience.  But there's not enough information in the statement you just
made for anyone to help you much.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
On Saturday, March 15, 2003, at 12:13  am, Lowell Gilbert wrote:
>> Fact is, natd _only_ redirects from the interface it was told to bind
>> to.
>> I'm not exactly sure why the packets don't route out and back in when
>> you try it from inside, but they don't ;( so you always need to test
>> it from the external interface.
> The reason they don't "route out" is that they are addressed to the
> router, so it doesn't bother to forward them outside.

Ok, I understand, this does present me with a bit of a problem however,
accessing my mail server from home for example. Can you think of a
workaround?

Ta

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Lowell Gilbert
Bill Moran <[EMAIL PROTECTED]> writes:

> Matthew Ryan wrote:
> > The /etc/rc.conf entry:
> > natd_flags="-redirect_port tcp 192.168.1.241: "
> > was fine since:
> > natd_interface="ep0"
> > specified the interface.
> > All in all I just should have posted the whole of my /etc/rc.conf in
> > the first place.
> > Sorry about that.
> > The real irony is that it was working all along!!
> > I just didn't know because i was trying to access the service on the
> > external IP address of my router from an internal IP address.
> > When I tried to access it via. my other connection (in effect from
> > outside) everything worked fine.
> > I'm sure that there is some reasonable explanation for this to do
> > with the way that NAT operates  but I can't figure it out.
> 
> Fact is, natd _only_ redirects from the interface it was told to bind to.
> I'm not exactly sure why the packets don't route out and back in when you
> try it from inside, but they don't ;( so you always need to test it from
> the external interface.

The reason they don't "route out" is that they are addressed to the
router, so it doesn't bother to forward them outside.



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Matthew Ryan wrote:
> The /etc/rc.conf entry:
>
> natd_flags="-redirect_port tcp 192.168.1.241: "
>
> was fine since:
>
> natd_interface="ep0"
>
> specified the interface.
>
> All in all I just should have posted the whole of my /etc/rc.conf in the
> first place.
>
> Sorry about that.
>
> The real irony is that it was working all along!!
>
> I just didn't know because I was trying to access the service on the
> external IP address of my router from an internal IP address.
>
> When I tried to access it via my other connection (in effect from
> outside) everything worked fine.
>
> I'm sure that there is some reasonable explanation for this to do with
> the way that NAT operates but I can't figure it out.

Fact is, natd _only_ redirects from the interface it was told to bind to.
I'm not exactly sure why the packets don't route out and back in when you
try it from inside, but they don't ;( so you always need to test it from
the external interface.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Bill and Dan,

Thanks for your help guys, it's sort of working now but for the record
here's the story.

All attempts to start port forwarding from the command line were
failing because NATD was already running (enabled at boot time) DOH!

> b) natd isn't already running with different options when you try to
>    start it on the command line?

Well spotted Bill!

The /etc/rc.conf entry:

natd_flags="-redirect_port tcp 192.168.1.241: "

was fine since:

natd_interface="ep0"

specified the interface.

All in all I just should have posted the whole of my /etc/rc.conf in
the first place.

Sorry about that.

The real irony is that it was working all along!!

I just didn't know because I was trying to access the service on the
external IP address of my router from an internal IP address.

When I tried to access it via my other connection (in effect from
outside) everything worked fine.

I'm sure that there is some reasonable explanation for this to do with
the way that NAT operates but I can't figure it out.

Any clues?

Thanks Again

Matthew Ryan

[EMAIL PROTECTED]




Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Daniel Bye wrote:
> On Fri, Mar 14, 2003 at 01:07:42PM +, Matthew Ryan wrote:
>> Thanks Dan
>>
>> Unfortunately that doesn't seem to work either.
>
> Rats!
>
>> I get this when I enter on the command line:
>>
>> natd -n ep0 -redirect_port tcp 192.168.1.241: 
>>
>> natd: Unable to create divert socket.: Operation not permitted
>
> Silly question, I'm almost blushing to ask - you are running the command as
> root, yes?

Also ... are you sure that:
a) You have your kernel configured with IPDIVERT?  The GENERIC kernel
   does _not_.
b) natd isn't already running with different options when you try to
   start it on the command line?

>> and no results using the following in /etc/rc.conf:
>>
>> natd_flags="-n ep0 -redirect_port tcp 192.168.1.241: "
>>
>> By the way, the interface is specified already in /etc/rc.conf as
>> follows?:
>>
>> natd_interface="ep0"

This is redundant.  You can remove the "-n ep0" from natd_flags.

>> any other ideas?

I don't know _what's_ wrong.
But I've got this running in two places with no problems.  It
works just fine, and as far as I can see, the syntax you're using is
correct, so I wouldn't focus on that.  Let us know what you find when
you check the suggestions I made ... I have other suggestions if
those don't help.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Daniel Bye
On Fri, Mar 14, 2003 at 01:07:42PM +, Matthew Ryan wrote:
> Thanks Dan
> 
> Unfortunately that doesn't seem to work either.

Rats!

> I get this when I enter on the command line:
> 
> natd -n ep0 -redirect_port tcp 192.168.1.241: 
> 
> natd: Unable to create divert socket.: Operation not permitted

Silly question, I'm almost blushing to ask - you are running the command as
root, yes?

> and no results using the following in /etc/rc.conf:
> 
> natd_flags="-n ep0 -redirect_port tcp 192.168.1.241: "
> 
> By the way, the interface is specified already in /etc/rc.conf as 
> follows?:
> 
> natd_interface="ep0"

This will ensure it's picked up at boot time, as Bill stated, but won't
affect the stuff you do on the commandline.

> any other ideas?

If it's not because you are running as a non-root user, no, not really.  

> 
> Ta
> 
> Matthew Ryan
> 
> [EMAIL PROTECTED]

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Bill Moran
Daniel Bye wrote:
> On Fri, Mar 14, 2003 at 10:30:28AM +, Matthew Ryan wrote:
>> natd -redirect_port tcp 192.168.1.241: 
>>
>> but here's what i get:
>>
>> natd: aliasing address not given
>
> That's because natd can't determine which interface it should use for
> aliasing.  Try specifying it with the -n flag:
>
> # natd -n xl0 -redirect...
>
> Replace xl0 with whatever your external interface is.

Use the natd_interface="xl0" syntax in /etc/rc.conf to add this to the
startup procedure.
--
Bill Moran
Potential Technologies
http://www.potentialtech.com


Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Matthew Ryan
Thanks Dan

Unfortunately that doesn't seem to work either.

I get this when I enter on the command line:

natd -n ep0 -redirect_port tcp 192.168.1.241: 

natd: Unable to create divert socket.: Operation not permitted

and no results using the following in /etc/rc.conf:

natd_flags="-n ep0 -redirect_port tcp 192.168.1.241: "

By the way, the interface is specified already in /etc/rc.conf as 
follows?:

natd_interface="ep0"

any other ideas?

Ta

Matthew Ryan

[EMAIL PROTECTED]



Re: Port Forwarding FreeBSD 4.7_Release

2003-03-14 Thread Daniel Bye
On Fri, Mar 14, 2003 at 10:30:28AM +, Matthew Ryan wrote:
> Hi there,
> 
> I've been trying to route packets received on port  via the 
> external interface (used by NAT) of my FreeBSD gateway to the same port 
> on a local machine.
> 
> The manual would seem to make this simple stuff - I have added the 
> following line to /etc/rc.conf:
> 
> natd_flags="-redirect_port tcp 192.168.1.241: "
> 
> accessing this service on the local machine via the local address is 
> fine but a port scan from the outside, reveals that the relevant ports 
> appear closed still. Needless to say - the service is unavailable.
> 
> I have tried entering the following on the command line (with and 
> without the /etc/rc.conf flag):
> 
> natd -redirect_port tcp 192.168.1.241: 
> 
> but here's what i get:
> 
> natd: aliasing address not given

That's because natd can't determine which interface it should use for
aliasing.  Try specifying it with the -n flag:

# natd -n xl0 -redirect...

Replace xl0 with whatever your external interface is.

HTH,

Dan

-- 
Daniel Bye

PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
 _
  ASCII ribbon campaign ( )
 - against HTML, vCards and  X
- proprietary attachments in e-mail / \



Re: port forwarding

2002-11-22 Thread Kliment Andreev
> > What is the easiest way of forwarding a port in FreeBSD. Suppose I want
> > my server to listen on port 8280, but want all connection attempts to
> > port 80 to be forwarded to this port ... can that be done?

Put this in /etc/ipnat.rules

rdr dc0 0/0 port 80 -> 127.0.0.1 port 8280 tcp

And this in /etc/rc.conf

ipfilter_enable="YES"
ipnat_enable="YES"
ipmon_enable="YES"
ipfs_enable="YES"

I am using a similar configuration for squid. But remember to check the
documentation first.
Here is a great article:

http://www.defcon1.org/~ghostrdr/FreeBSD-STABLE_and_IPFILTER.html







Re: port forwarding

2002-11-21 Thread Axel Gruner
Hiho.

On Thu, 21 Nov 2002 18:48:03 -0800 (PST)
Shvetima Gulati <[EMAIL PROTECTED]> wrote:
> What is the easiest way of forwarding a port in FreeBSD. Suppose I
> want my server to listen on port 8280, but want all connection
> attempts to port 80  to be forwarded to this port ... can that be
> done?

Install "rinetd" from the ports.
In the rinetd.conf you will type:
 80  8280
or
0.0.0.0 80  8280

asg





Re: port forwarding

2002-11-21 Thread Marco Radzinschi
On Thu, 21 Nov 2002, Shvetima Gulati wrote:

>
> Hi all,
>
> What is the easiest way of forwarding a port in FreeBSD. Suppose I want
> my server to listen on port 8280, but want all connection attempts to port
> 80  to be forwarded to this port ... can that be done?
>
> Thanks,
> Shv

Yes, with IPFilter.  In particular, you want to look at the ipnat part of
IPFilter, and the rdr (redirect) keyword.  Be sure to redirect to the
loopback interface (lo0).

man ipf
man 5 ipf

man ipnat
man 5 ipnat


Marco Radzinschi
E-Mail: [EMAIL PROTECTED]

Thu Nov 21 22:56:35 EST 2002


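The two redirect syntaxes used on this page (natd's `redirect_port` option from the 2004 thread and ipnat's `rdr` rule from the 2002 thread), parsed into one shape and checked for the pitfalls the threads ran into: natd started without an aliasing interface, and a redirect that LAN clients cannot reach through the public address. This is an added example, not code from any poster; it handles single-port rules only, assumes `ipnat` treats a missing protocol on `rdr` as tcp, and the `ext_if` parameter stands in for the value of `natd_interface` / `-n`, which the option line itself does not carry.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Redirect:
    proto: str
    iface: Optional[str]     # natd: natd_interface / -n; ipnat: named in the rule
    alias_ip: Optional[str]  # None: any address the interface carries
    alias_port: int
    target_ip: str
    target_port: int


def _host_port(text: str):
    """'192.168.17.25:5122' -> ('192.168.17.25', 5122); '5122' -> (None, 5122)."""
    host, sep, port = text.rpartition(":")
    return (host if sep else None), int(port)


def parse_natd(line: str, ext_if: Optional[str] = None) -> Redirect:
    """Parse a natd.conf / natd_flags 'redirect_port' option (single ports only).

    ext_if is the interface natd was given via natd_interface or -n; the option
    itself does not carry it (hypothetical parameter, not a natd option).
    """
    parts = line.split()
    if len(parts) < 4 or parts[0].lstrip("-") != "redirect_port":
        raise ValueError("not a redirect_port option: %r" % line)
    tip, tport = _host_port(parts[2])
    if tip is None:
        raise ValueError("target must be written as ip:port: %r" % line)
    aip, aport = _host_port(parts[3])
    return Redirect(parts[1].lower(), ext_if, aip, aport, tip, tport)


RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<match>\S+)\s+port\s+(?P<aport>\d+)\s*->\s*"
    r"(?P<to>\S+)\s+port\s+(?P<tport>\d+)(?:\s+(?P<proto>tcp|udp|tcp/udp))?$"
)


def parse_ipnat(line: str) -> Redirect:
    """Parse the single-port form of an ipnat 'rdr' rule."""
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError("unsupported rdr syntax: %r" % line)
    match = m.group("match")
    alias_ip = None if match in ("0/0", "0.0.0.0/0") else match.split("/")[0]
    proto = m.group("proto") or "tcp"   # assumed default when the rule omits it
    return Redirect(proto, m.group("iface"), alias_ip, int(m.group("aport")),
                    m.group("to"), int(m.group("tport")))


def lint(rule: Redirect) -> List[str]:
    """Warnings for the pitfalls the threads ran into."""
    notes = []
    if rule.iface is None:
        notes.append("natd has no aliasing interface: set natd_interface in "
                     "/etc/rc.conf or pass -n <external interface>")
    target = ipaddress.ip_address(rule.target_ip)
    if not (target.is_private or target.is_loopback):
        notes.append("target %s is not a private or loopback address" % rule.target_ip)
    notes.append("applies only to packets arriving on %s; LAN clients must use "
                 "%s:%d directly (or split DNS)"
                 % (rule.iface or "the external interface", rule.target_ip, rule.target_port))
    return notes


def to_ipnat(rule: Redirect) -> str:
    """Emit the ipnat rdr rule equivalent to a parsed redirect."""
    if rule.iface is None:
        raise ValueError("an rdr rule needs an interface name")
    match = "0/0" if rule.alias_ip is None else rule.alias_ip + "/32"
    return "rdr %s %s port %d -> %s port %d %s" % (
        rule.iface, match, rule.alias_port, rule.target_ip, rule.target_port, rule.proto)


if __name__ == "__main__":
    # Lines taken from the threads; ep0 is the interface named in the 2003 thread.
    for rule in (parse_natd("redirect_port tcp 192.168.17.25:5122 5122", ext_if="ep0"),
                 parse_natd("redirect_port udp 192.168.17.25:5122 1.2.3.4:5122"),
                 parse_ipnat("rdr dc0 0/0 port 80 -> 127.0.0.1 port 8280 tcp")):
        print(rule)
        for note in lint(rule):
            print("  -", note)
```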