Re: Questions on IPFW???

2004-08-03 Thread Hakim Z. Singhji
Thanks buddy...I appreciate it.

-Original Message-
From: Chuck Swiger <[EMAIL PROTECTED]>
Sent: Aug 3, 2004 1:11 PM
To: "Hakim Z. Singhji" <[EMAIL PROTECTED]>, 
freebsd Questions <[EMAIL PROTECTED]>
Subject: Re: Questions on IPFW???

Hakim Z. Singhji wrote:
> You answered my question, I wanted to know which was better to use with
> port forwarding (ipfw or natd) and based on what you wrote, natd is a
> better fit due to the fact that I would not have to force the other machine
> to accept packets redirected from the NAT box using natd.  Is that
> correct???

That's right.  Most people want to use NAT, because it lets you set up an 
internal network without having to specially configure the internal machines.

With regard to your other question, if you want an external connection to, 
say, port 22 to be forwarded to port 22 on some machine on your internal 
network, use:

redirect_port tcp 192.0.0.5:22 22

...in /etc/natd.conf or your natd_flags in /etc/rc.conf.

-- 
-Chuck



___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Questions on IPFW???

2004-08-03 Thread Chuck Swiger
Hakim Z. Singhji wrote:
> You answered my question, I wanted to know which was better to use with
> port forwarding (ipfw or natd) and based on what you wrote, natd is a
> better fit due to the fact that I would not have to force the other machine
> to accept packets redirected from the NAT box using natd.  Is that
> correct???

That's right.  Most people want to use NAT, because it lets you set up an 
internal network without having to specially configure the internal machines.

With regard to your other question, if you want an external connection to, 
say, port 22 to be forwarded to port 22 on some machine on your internal 
network, use:

redirect_port tcp 192.0.0.5:22 22

...in /etc/natd.conf or your natd_flags in /etc/rc.conf.

--
-Chuck


Re: Questions on IPFW???

2004-08-03 Thread Hakim Z. Singhji
Actually Chuck,

You answered my question, I wanted to know which was better to use with port 
forwarding (ipfw or natd) and based on what you wrote, natd is a better fit due to the 
fact that I would not have to force the other machine to accept packets redirected 
from the NAT box using natd.  Is that correct???

-Original Message-
From: "Hakim Z. Singhji" <[EMAIL PROTECTED]>
Sent: Aug 3, 2004 12:49 PM
To: Chuck Swiger <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Questions on IPFW???

Hello Chuck,

I was wondering if someone could help me answer some questions I have concerning IPFW 
vs. natd. I am trying to allow my FreeBSD 4.10 gateway to perform port forwarding for 
SSH, SQL*Net and Webservice (Web not as important yet). 

I wanted to know if I can use IPFW as opposed to natd to redirect or pass TCP & UDP 
(is ICMP out of the question???) to a remote location.  Gateway::192.0.0.1:22 --> 
remote server 192.0.0.5:22 or 192.0.0.5:9881 for instance. From the configuration of 
ipfw it appears that it can be done instead of using natd.

Any suggestions or corrections of my logic welcome. Thanks in advance.

HZS

-Original Message-
From: Chuck Swiger <[EMAIL PROTECTED]>
Sent: Aug 3, 2004 12:40 PM
To: "Hakim Z. Singhji" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Questions on IPFW???

Hakim Z. Singhji wrote:
> Question, when NAT overloading is it possible to use only IPFW rules to
> pass TCP/UDP packets to remote ip addresses within the network?

I don't know what "NAT overloading" means.

It is possible to use only IPFW rules to pass TCP & UDP packets from one 
interface to another using the fwd action.  However, note that:

   The fwd action does not change the contents of the packet at all.
   In particular, the destination address remains unmodified, so
   packets forwarded to another system will usually be rejected by
   that system unless there is a matching rule on that system to
   capture them.  For packets forwarded locally, the local address
   of the socket will be set to the original destination address of
   the packet.  This makes the netstat(1) entry look rather weird
   but is intended for use with transparent proxy servers.

> Or do you have to use natd...because IPFW allows you to execute
> the following for example:
> 
> ip from 192.168.99.100 80 to 192.168.99.101 9981
> 

That's the body of an IPFW rule which matches packets with those attributes. 
Without an action ("allow", "deny", "fwd"), what you've written isn't a 
complete rule: it doesn't mean anything by itself.

> or even in conjunction with a dummynet rule of some sort?

Um.  Do you understand the question you are asking?

I don't-- perhaps try using a complete sentence.  Better yet, why don't you 
tell us what your network looks like and what you want to do.  You most likely 
will receive answers which are more specific and more useful to you...

-- 
-Chuck




Re: Questions on IPFW???

2004-08-03 Thread Hakim Z. Singhji
Hello Chuck,

I was wondering if someone could help me answer some questions I have concerning IPFW 
vs. natd. I am trying to allow my FreeBSD 4.10 gateway to perform port forwarding for 
SSH, SQL*Net and Webservice (Web not as important yet). 

I wanted to know if I can use IPFW as opposed to natd to redirect or pass TCP & UDP 
(is ICMP out of the question???) to a remote location.  Gateway::192.0.0.1:22 --> 
remote server 192.0.0.5:22 or 192.0.0.5:9881 for instance. From the configuration of 
ipfw it appears that it can be done instead of using natd.

Any suggestions or corrections of my logic welcome. Thanks in advance.

HZS

-Original Message-
From: Chuck Swiger <[EMAIL PROTECTED]>
Sent: Aug 3, 2004 12:40 PM
To: "Hakim Z. Singhji" <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: Questions on IPFW???

Hakim Z. Singhji wrote:
> Question, when NAT overloading is it possible to use only IPFW rules to
> pass TCP/UDP packets to remote ip addresses within the network?

I don't know what "NAT overloading" means.

It is possible to use only IPFW rules to pass TCP & UDP packets from one 
interface to another using the fwd action.  However, note that:

   The fwd action does not change the contents of the packet at all.
   In particular, the destination address remains unmodified, so
   packets forwarded to another system will usually be rejected by
   that system unless there is a matching rule on that system to
   capture them.  For packets forwarded locally, the local address
   of the socket will be set to the original destination address of
   the packet.  This makes the netstat(1) entry look rather weird
   but is intended for use with transparent proxy servers.

> Or do you have to use natd...because IPFW allows you to execute
> the following for example:
> 
> ip from 192.168.99.100 80 to 192.168.99.101 9981
> 

That's the body of an IPFW rule which matches packets with those attributes. 
Without an action ("allow", "deny", "fwd"), what you've written isn't a 
complete rule: it doesn't mean anything by itself.

> or even in conjunction with a dummynet rule of some sort?

Um.  Do you understand the question you are asking?

I don't-- perhaps try using a complete sentence.  Better yet, why don't you 
tell us what your network looks like and what you want to do.  You most likely 
will receive answers which are more specific and more useful to you...

-- 
-Chuck




Re: Questions on IPFW???

2004-08-03 Thread Chuck Swiger
Hakim Z. Singhji wrote:
> Question, when NAT overloading is it possible to use only IPFW rules to
> pass TCP/UDP packets to remote ip addresses within the network?

I don't know what "NAT overloading" means.

It is possible to use only IPFW rules to pass TCP & UDP packets from one 
interface to another using the fwd action.  However, note that:

   The fwd action does not change the contents of the packet at all.
   In particular, the destination address remains unmodified, so
   packets forwarded to another system will usually be rejected by
   that system unless there is a matching rule on that system to
   capture them.  For packets forwarded locally, the local address
   of the socket will be set to the original destination address of
   the packet.  This makes the netstat(1) entry look rather weird
   but is intended for use with transparent proxy servers.

> Or do you have to use natd...because IPFW allows you to execute
> the following for example:
>
> ip from 192.168.99.100 80 to 192.168.99.101 9981

That's the body of an IPFW rule which matches packets with those attributes. 
Without an action ("allow", "deny", "fwd"), what you've written isn't a 
complete rule: it doesn't mean anything by itself.

> or even in conjunction with a dummynet rule of some sort?

Um.  Do you understand the question you are asking?

I don't-- perhaps try using a complete sentence.  Better yet, why don't you 
tell us what your network looks like and what you want to do.  You most likely 
will receive answers which are more specific and more useful to you...

--
-Chuck
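
An added example, not part of any message in this thread: a simplified Python model of the two behaviours described above, the ipfw fwd action leaving the destination address unmodified versus natd's redirect_port rewriting it. The client address 203.0.113.7 and all class and function names are constructed for illustration; natd's divert-socket mechanics are not modelled.

```python
from dataclasses import dataclass, replace

GATEWAY = "192.0.0.1"   # gateway address used in the thread
INTERNAL = "192.0.0.5"  # internal SSH host used in the thread
CLIENT = "203.0.113.7"  # constructed external client (documentation range)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def host_accepts(own_ip, pkt):
    """A host with no special capture rule only accepts packets addressed to itself."""
    return pkt.dst == own_ip

def ipfw_fwd(pkt, next_hop):
    """Model of the fwd action: choose a next hop, leave the packet untouched."""
    return next_hop, pkt

class Natd:
    """Model of one 'redirect_port tcp target_ip:target_port alias_port' entry."""
    def __init__(self, alias_ip, alias_port, target_ip, target_port):
        self.alias = (alias_ip, alias_port)
        self.target = (target_ip, target_port)
        self.state = set()  # (client ip, client port) pairs seen inbound

    def inbound(self, pkt):
        if (pkt.dst, pkt.dport) != self.alias:
            return pkt  # not covered by the redirect entry
        self.state.add((pkt.src, pkt.sport))
        return replace(pkt, dst=self.target[0], dport=self.target[1])

    def outbound(self, pkt):
        # Replies from the target to a known client get the alias address back.
        if (pkt.src, pkt.sport) == self.target and (pkt.dst, pkt.dport) in self.state:
            return replace(pkt, src=self.alias[0], sport=self.alias[1])
        return pkt

def demo():
    syn = Packet(CLIENT, 40000, GATEWAY, 22)
    hop, fwd_pkt = ipfw_fwd(syn, INTERNAL)   # dst is still the gateway
    nat = Natd(GATEWAY, 22, INTERNAL, 22)
    nat_pkt = nat.inbound(syn)               # dst rewritten to the internal host
    reply = nat.outbound(Packet(INTERNAL, 22, CLIENT, 40000))
    return host_accepts(hop, fwd_pkt), host_accepts(INTERNAL, nat_pkt), reply

if __name__ == "__main__":
    print(demo())
```

The first result shows why the fwd-only setup needs a matching rule on the internal machine, and the reply shows that the client only ever sees the gateway's address.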