Re: IPFW Firewall NAT inbound port-redirect
> From: Michael Sierchio ku...@tenebras.com
> To: Dan Nelson dnel...@allantgroup.com
> Cc: Bill Tillman btillma...@yahoo.com; freebsd-questions@freebsd.org
> Sent: Tue, July 12, 2011 6:35:19 PM
> Subject: Re: IPFW Firewall NAT inbound port-redirect
>
> We're not talking about natd. The question was about the use of ipfirewall nat.
>
> On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
>> In the last episode (Jul 12), Michael Sierchio said:
>>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>>
>>>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>>
>> Yes; the redirect_port syntax is described in the natd manpage:
>>
>>     redirect_port proto targetIP:targetPORT[-targetPORT]
>>                   [aliasIP:]aliasPORT[-aliasPORT]
>>                   [remoteIP[:remotePORT[-remotePORT]]]
>>
>> --
>> Dan Nelson
>> dnel...@allantgroup.com

NATD and IPFW work together. It's a little hard to explain in this format so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: IPFW Firewall NAT inbound port-redirect
I'm familiar with natd since its appearance. I was unclear on the ipfirewall nat syntax, since there is no syntax definition in the man page. It's true the man page is already too large, but some examples (somewhere) would be nice. Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.

The statement "follow closely the syntax used in natd" is not particularly reassuring, since it doesn't declare that the syntax is identical, and (I am repeating myself, sorry), there is no syntax def in the man page.

Thanks, Dan, for explaining.

- M

On Tue, Jul 12, 2011 at 11:05 PM, Bill Tillman btillma...@yahoo.com wrote:
>> From: Michael Sierchio ku...@tenebras.com
>> To: Dan Nelson dnel...@allantgroup.com
>> Cc: Bill Tillman btillma...@yahoo.com; freebsd-questions@freebsd.org
>> Sent: Tue, July 12, 2011 6:35:19 PM
>> Subject: Re: IPFW Firewall NAT inbound port-redirect
>>
>> We're not talking about natd. The question was about the use of ipfirewall nat.
>>
>> On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
>>> In the last episode (Jul 12), Michael Sierchio said:
>>>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>>>
>>>>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>>>
>>> Yes; the redirect_port syntax is described in the natd manpage:
>>>
>>>     redirect_port proto targetIP:targetPORT[-targetPORT]
>>>                   [aliasIP:]aliasPORT[-aliasPORT]
>>>                   [remoteIP[:remotePORT[-remotePORT]]]
>>>
>>> --
>>> Dan Nelson
>>> dnel...@allantgroup.com
>
> NATD and IPFW work together. It's a little hard to explain in this format so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.

Re: IPFW Firewall NAT inbound port-redirect
Michael Sierchio wrote:
> I'm familiar with natd since its appearance. I was unclear on the ipfirewall nat syntax, since there is no syntax definition in the man page. It's true the man page is already too large, but some examples (somewhere) would be nice. Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.

This is no longer true as some while ago IPFW's NATD switched over to being kernel-based. A long time ago when NATD was still userland I switched to Darren Reed's IPFILTER for just this reason. The first thing this entailed was learning the IPFILTER syntax as it was somewhat different from IPFW. I made the adjustment and later I found when I moved to PF the syntax from IPFILTER was closer to PF which made it easier to migrate.

> The statement "follow closely the syntax used in natd" is not particularly reassuring, since it doesn't declare that the syntax is identical, and (I am repeating myself, sorry), there is no syntax def in the man page.

[snip]

>> NATD and IPFW work together. It's a little hard to explain in this format so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.

All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF today, but any of the three will work just fine for essentially the same purpose (mostly). For example, IPFW had dummynet for traffic-shaping while PF uses ALTQ for essentially the same purpose. Mostly it is just grokking the syntax for whichever of the three you choose.

The Handbook contains some content examples for getting started for IPFW and the PF docs can be found on the OpenBSD web site. Understand the syntax and you can shape the firewall however you choose.

The various ruleset examples should probably not just be dropped in cut-and-paste style, but rather dissected line by line for understanding and then make tweaks which conform to exactly your local requirements. And it _is_ some arcane stuff to be sure, but stare at it long enough and it'll make sense eventually. :-)

-Mike

Re: IPFW Firewall NAT inbound port-redirect
Mike -

You're confused. natd is still a userland process that works via divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is the userland control program to modify the rulesets, nat config, tables, etc.).

- Michael

On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell nightre...@hotmail.com wrote:
> Michael Sierchio wrote:
>> I'm familiar with natd since its appearance. I was unclear on the ipfirewall nat syntax, since there is no syntax definition in the man page. It's true the man page is already too large, but some examples (somewhere) would be nice. Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.
>
> This is no longer true as some while ago IPFW's NATD switched over to being kernel-based. A long time ago when NATD was still userland I switched to Darren Reed's IPFILTER for just this reason. The first thing this entailed was learning the IPFILTER syntax as it was somewhat different from IPFW. I made the adjustment and later I found when I moved to PF the syntax from IPFILTER was closer to PF which made it easier to migrate.
>
>> The statement "follow closely the syntax used in natd" is not particularly reassuring, since it doesn't declare that the syntax is identical, and (I am repeating myself, sorry), there is no syntax def in the man page.
>
> [snip]
>
>>> NATD and IPFW work together. It's a little hard to explain in this format so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.
>
> All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF today, but any of the three will work just fine for essentially the same purpose (mostly). For example, IPFW had dummynet for traffic-shaping while PF uses ALTQ for essentially the same purpose. Mostly it is just grokking the syntax for whichever of the three you choose.
>
> The Handbook contains some content examples for getting started for IPFW and the PF docs can be found on the OpenBSD web site. Understand the syntax and you can shape the firewall however you choose.
>
> The various ruleset examples should probably not just be dropped in cut-and-paste style, but rather dissected line by line for understanding and then make tweaks which conform to exactly your local requirements. And it _is_ some arcane stuff to be sure, but stare at it long enough and it'll make sense eventually. :-)
>
> -Mike

Re: IPFW Firewall NAT inbound port-redirect
OK - I'm confused. Could be all the top posting. ;-)

    testbed# man ipfw
    Formatting page, please wait...Done.
    IPFW(8)          FreeBSD System Manager's Manual          IPFW(8)

    NAME
         ipfw -- User interface for firewall, traffic shaper, packet scheduler, in-kernel NAT.
    [...]

kernel config options:

    options IPFIREWALL_NAT    #ipfw kernel nat support

With this option you do not need userland natd and NAT stays in the kernel and keywords are in the IPFW ruleset. I did indeed mis-speak wrt to natd as the above was conceived in IPFW2 to supersede userland natd. Been about maybe 7 or 8 years since I used IPFW, so the memory is rusty.

Michael Sierchio wrote:
> Mike -
>
> You're confused. natd is still a userland process that works via divert sockets. ipfirewall nat is an extension to ipfirewall (ipfw is the userland control program to modify the rulesets, nat config, tables, etc.).
>
> - Michael
>
> On Tue, Jul 12, 2011 at 11:51 PM, Michael Powell nightre...@hotmail.com wrote:
>> Michael Sierchio wrote:
>>> I'm familiar with natd since its appearance. I was unclear on the ipfirewall nat syntax, since there is no syntax definition in the man page. It's true the man page is already too large, but some examples (somewhere) would be nice. Marshaling packets into userland and back into the kernel makes natd much slower than kernel nat.
>>
>> This is no longer true as some while ago IPFW's NATD switched over to being kernel-based. A long time ago when NATD was still userland I switched to Darren Reed's IPFILTER for just this reason. The first thing this entailed was learning the IPFILTER syntax as it was somewhat different from IPFW. I made the adjustment and later I found when I moved to PF the syntax from IPFILTER was closer to PF which made it easier to migrate.
>>
>>> The statement "follow closely the syntax used in natd" is not particularly reassuring, since it doesn't declare that the syntax is identical, and (I am repeating myself, sorry), there is no syntax def in the man page.
>>
>> [snip]
>>
>>>> NATD and IPFW work together. It's a little hard to explain in this format so as Dan suggests, you should read the manpage on each. Also, do some google searches and you will find many helpful articles. But take my word for this, you can do exactly what you want with IPFW+NATD. There are those who will probably promote PF as the firewall of choice as well. It all depends on what you become familiar with.
>>
>> All trueness here. I have used all three: IPFW, IPFILTER, and PF. I use PF today, but any of the three will work just fine for essentially the same purpose (mostly). For example, IPFW had dummynet for traffic-shaping while PF uses ALTQ for essentially the same purpose. Mostly it is just grokking the syntax for whichever of the three you choose.
>>
>> The Handbook contains some content examples for getting started for IPFW and the PF docs can be found on the OpenBSD web site. Understand the syntax and you can shape the firewall however you choose.
>>
>> The various ruleset examples should probably not just be dropped in cut-and-paste style, but rather dissected line by line for understanding and then make tweaks which conform to exactly your local requirements. And it _is_ some arcane stuff to be sure, but stare at it long enough and it'll make sense eventually. :-)
>>
>> -Mike

Re: IPFW Firewall NAT inbound port-redirect
> From: Dan Nelson dnel...@allantgroup.com
> To: Michael Sierchio ku...@tenebras.com
> Cc: freebsd-questions@freebsd.org
> Sent: Mon, July 11, 2011 1:07:31 PM
> Subject: Re: IPFW Firewall NAT inbound port-redirect
>
> In the last episode (Jul 11), Michael Sierchio said:
>> Sorry for the naive question, but most of my old rulesets still use natd, and I've only used built-in nat for outbound traffic. I'd like to redirect certain ports on certain addresses to the same ports on internal (RFC1918) addresses. The examples in the man page aren't helpful, and the handbook still seems very natd-centric in its examples. Thanks in advance.
>
> I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface corresponding to my internet connection):
>
>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 22
>     add nat 123 ip from any to any via re0.2
>
> , which redirects incoming port 22 connections to 10.0.0.3. If you want to redirect more ports, add more redirect_port tcp host:port port expressions to the end of your nat line. I believe you can run the nat config command manually with a new list (as in ipfw nat 123 ...) to add/remove entries dynamically. I'm not at home to try it, and don't want to risk losing my remote connection if I mess up :)
>
> --
> Dan Nelson
> dnel...@allantgroup.com

I have used IPFW for many years now. As for forwarding traffic from your gateway to internal machines I've always used the following in my /etc/natd.conf file:

    dynamic
    redirect_port tcp 10.0.0.254:80 80        # Apache Webserver inside my LAN
    redirect_port udp 10.0.0.214:1194 1194    # OpenVPN Port
    redirect_port tcp 10.0.0.213:443 443      # OpenVPN Port

Of course you will need a line like this in your /etc/rc.conf to get natd to read this file:

    natd_flags="-f /etc/natd.conf"

Re: IPFW Firewall NAT inbound port-redirect
Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la

    nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:

?

On Tue, Jul 12, 2011 at 5:19 AM, Bill Tillman btillma...@yahoo.com wrote:
>> From: Dan Nelson dnel...@allantgroup.com
>> To: Michael Sierchio ku...@tenebras.com
>> Cc: freebsd-questions@freebsd.org
>> Sent: Mon, July 11, 2011 1:07:31 PM
>> Subject: Re: IPFW Firewall NAT inbound port-redirect
>>
>> In the last episode (Jul 11), Michael Sierchio said:
>>> Sorry for the naive question, but most of my old rulesets still use natd, and I've only used built-in nat for outbound traffic. I'd like to redirect certain ports on certain addresses to the same ports on internal (RFC1918) addresses. The examples in the man page aren't helpful, and the handbook still seems very natd-centric in its examples. Thanks in advance.
>>
>> I use this at the top of my /etc/ipfw.conf file (re0.2 is the interface corresponding to my internet connection):
>>
>>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 22
>>     add nat 123 ip from any to any via re0.2
>>
>> , which redirects incoming port 22 connections to 10.0.0.3. If you want to redirect more ports, add more redirect_port tcp host:port port expressions to the end of your nat line. I believe you can run the nat config command manually with a new list (as in ipfw nat 123 ...) to add/remove entries dynamically. I'm not at home to try it, and don't want to risk losing my remote connection if I mess up :)
>>
>> --
>> Dan Nelson
>> dnel...@allantgroup.com
>
> I have used IPFW for many years now. As for forwarding traffic from your gateway to internal machines I've always used the following in my /etc/natd.conf file:
>
>     dynamic
>     redirect_port tcp 10.0.0.254:80 80        # Apache Webserver inside my LAN
>     redirect_port udp 10.0.0.214:1194 1194    # OpenVPN Port
>     redirect_port tcp 10.0.0.213:443 443      # OpenVPN Port
>
> Of course you will need a line like this in your /etc/rc.conf to get natd to read this file:
>
>     natd_flags="-f /etc/natd.conf"

Re: IPFW Firewall NAT inbound port-redirect
In the last episode (Jul 12), Michael Sierchio said:
> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>
>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:

Yes; the redirect_port syntax is described in the natd manpage:

    redirect_port proto targetIP:targetPORT[-targetPORT]
                  [aliasIP:]aliasPORT[-aliasPORT]
                  [remoteIP[:remotePORT[-remotePORT]]]

--
Dan Nelson
dnel...@allantgroup.com

Re: IPFW Firewall NAT inbound port-redirect
We're not talking about natd. The question was about the use of ipfirewall nat.

On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
> In the last episode (Jul 12), Michael Sierchio said:
>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>
>>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>
> Yes; the redirect_port syntax is described in the natd manpage:
>
>     redirect_port proto targetIP:targetPORT[-targetPORT]
>                   [aliasIP:]aliasPORT[-aliasPORT]
>                   [remoteIP[:remotePORT[-remotePORT]]]
>
> --
> Dan Nelson
> dnel...@allantgroup.com

Re: IPFW Firewall NAT inbound port-redirect
In the last episode (Jul 12), Michael Sierchio said:
> On Tue, Jul 12, 2011 at 9:03 AM, Dan Nelson dnel...@allantgroup.com wrote:
>> In the last episode (Jul 12), Michael Sierchio said:
>>> Is there a way of specifying a particular public address if there is more than one bound to the external interface? A la
>>>
>>>     nat 123 config if re0.2 log same_ports redirect_port tcp 10.0.0.3:22 102.10.22.1:
>>
>> Yes; the redirect_port syntax is described in the natd manpage:
>>
>>     redirect_port proto targetIP:targetPORT[-targetPORT]
>>                   [aliasIP:]aliasPORT[-aliasPORT]
>>                   [remoteIP[:remotePORT[-remotePORT]]]
>
> We're not talking about natd. The question was about the use of ipfirewall nat.

Right, but ipfw nat is basically the userland libalias library loaded as a kernel module, so the config parameters are the same.

    $ grep MODULE_DEPEND /sys/netinet/ipfw/ip_fw_nat.c
    MODULE_DEPEND(ipfw_nat, libalias, 1, 1, 1);
    MODULE_DEPEND(ipfw_nat, ipfw, 2, 2, 2);

also, man ipfw:

    NETWORK ADDRESS TRANSLATION (NAT)
         ipfw support in-kernel NAT using the kernel version of libalias(3).
    [..]
    REDIRECT AND LSNAT SUPPORT IN IPFW
         Redirect and LSNAT support follow closely the syntax used in natd(8).
         See Section EXAMPLES for some examples on how to do redirect and lsnat.

--
Dan Nelson
dnel...@allantgroup.com

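Added example (not part of the thread and not FreeBSD code): a Python parser for the redirect_port grammar quoted above, which lists what each clause of an ipfw nat config line exposes and flags redirects that accept connections from any source. It assumes IPv4 and numeric ports and does not handle LSNAT target lists; the names parse_redirects and audit and the 203.0.113.x / 198.51.100.x addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]

# First clause is the one posted in the thread; the other two are constructed
# samples that use documentation address ranges.
SAMPLE = (
    "nat 123 config if re0.2 log same_ports "
    "redirect_port tcp 10.0.0.3:22 22 "
    "redirect_port tcp 10.0.0.4:22 203.0.113.5:2222 198.51.100.7 "
    "redirect_port udp 10.0.0.9:5000-5009 6000-6009"
)


@dataclass(frozen=True)
class Redirect:
    proto: str
    target_ip: str
    target_ports: PortRange
    alias_ip: Optional[str]            # None: any address on the NAT interface
    alias_ports: PortRange
    remote_ip: Optional[str]           # None: any remote host may connect
    remote_ports: Optional[PortRange]  # None: any remote source port


def _ports(text: str) -> PortRange:
    """'22' -> (22, 22); '5000-5009' -> (5000, 5009). Numeric ports only."""
    low_text, sep, high_text = text.partition("-")
    low = int(low_text)                      # ValueError on empty or non-numeric
    high = int(high_text) if sep else low
    if not 0 < low <= high <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return low, high


def _ip(text: str) -> str:
    """Return the canonical dotted quad, or raise ValueError."""
    return str(ipaddress.IPv4Address(text))


def _looks_like_remote(token: str) -> bool:
    """The optional remoteIP[:remotePORT] token starts with an IPv4 address."""
    try:
        _ip(token.partition(":")[0])
    except ValueError:
        return False
    return True


def parse_redirects(config_line: str) -> List[Redirect]:
    """Extract every redirect_port clause from one nat config line."""
    tokens = config_line.split()
    found: List[Redirect] = []
    i = 0
    while i < len(tokens):
        if tokens[i] != "redirect_port":
            i += 1
            continue
        if i + 3 >= len(tokens):
            raise ValueError("redirect_port needs proto, target and alias")
        proto, target, alias = tokens[i + 1:i + 4]
        i += 4
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        if "," in target:
            raise ValueError("LSNAT target lists are not handled here")
        target_ip, target_sep, target_port = target.partition(":")
        if not target_sep:
            raise ValueError(f"target {target!r} lacks a port")
        alias_ip, alias_sep, alias_port = alias.rpartition(":")
        target_ports, alias_ports = _ports(target_port), _ports(alias_port)
        # natd(8): the ranges may differ numerically but must be the same size.
        if target_ports[1] - target_ports[0] != alias_ports[1] - alias_ports[0]:
            raise ValueError("target and alias port ranges differ in size")
        remote_ip, remote_ports = None, None
        if i < len(tokens) and _looks_like_remote(tokens[i]):
            addr, remote_sep, remote_port = tokens[i].partition(":")
            remote_ip = _ip(addr)
            remote_ports = _ports(remote_port) if remote_sep else None
            i += 1
        found.append(Redirect(proto, _ip(target_ip), target_ports,
                              _ip(alias_ip) if alias_sep else None,
                              alias_ports, remote_ip, remote_ports))
    return found


def _fmt(ports: PortRange) -> str:
    return str(ports[0]) if ports[0] == ports[1] else f"{ports[0]}-{ports[1]}"


def audit(config_line: str) -> List[str]:
    """One line per redirect; flag those reachable from any source address."""
    report = []
    for r in parse_redirects(config_line):
        line = (f"{r.proto} {r.alias_ip or '*'}:{_fmt(r.alias_ports)} -> "
                f"{r.target_ip}:{_fmt(r.target_ports)} "
                f"from {r.remote_ip or 'any'}")
        if r.remote_ip is None:
            line += "  [open to any source]"
        report.append(line)
    return report


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
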
IPFW Firewall NAT inbound port-redirect
Sorry for the naive question, but most of my old rulesets still use natd, and I've only used built-in nat for outbound traffic. I'd like to redirect certain ports on certain addresses to the same ports on internal (RFC1918) addresses. The examples in the man page aren't helpful, and the handbook still seems very natd-centric in its examples.

Thanks in advance.

- Michael

Re: [freebsd-questions] Re: Quick+easy port redirect
> In the last episode (Mar 28), Tuc at T-B-O-H.NET said:
>> Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.
>
> Make sure options IPFIREWALL_FORWARD is in your kernel config:
>
>     ipfw add 500 forward 192.168.0.1 tcp from any to any 80
>
> Note that this is a routing-style forward. The source and destination addresses are unchanged, so you will likely need another ipfw fwd rule at the destination machine to capture the traffic and force-forward it to 127.0.0.1:87 (or wherever you want it to go).
>
> If you're planning on passing the traffic to squid, there's a big FAQ section with some alternate methods: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

Hi,

I tried that (Well, 192.168.0.1,87) and it seem to have any effect, as you said that it's a routing style forward. It hits my router and that ignores it and keeps on processing normally. I really am looking for a NAT type situation here.

I already use the InterceptionProxy wiki to get it to pass it to Squid, that's been running great. My problem is when my primary Wireless Broadband goes down, it needs to take satellite. When it takes satellite, to get a Web acceleration thing going, I need to force it to the satellite modem port 80. SO, as clunky as it is, I used a rule that anything outbound on tun1 (OpenVPN over the satellite) goes to 127.0.0.1,87, which rinetd outta ports sends it to 192.168.0.1,87.

Thanks, Tuc

I ended up

Re: Quick+easy port redirect
The freebsd-tips suggest: ports/net/netcat port is useful not only for redirecting input/output to TCP or UDP connections, but also for proxying them with inetd(8).

Best wishes,
Kemian

On 29/03/2008, Tuc at T-B-O-H.NET [EMAIL PROTECTED] wrote:
> Hi,
>
> Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.
>
> Thanks, Tuc

Re: Quick+easy port redirect
On Sunday 30 March 2008 13:31, Kemian Dang wrote:
> The freebsd-tips suggest: ports/net/netcat port is useful not only for redirecting input/output to TCP or UDP connections, but also for proxying them with inetd(8).

We need to update the tips, then: nc(1) doesn't have to be added from ports, it's been in the base system since 5.4.

Jonathan

Re: Quick+easy port redirect
Tuc at T-B-O-H.NET wrote:
> Hi,
>
> Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.
>
> Thanks, Tuc

That leaves. You mean only outgoing traffic from the interface and not incoming? If you mean all traffic to and from, you could try bounce.

    /usr/ports/net/bounce

Just my nickel's worth.

/Roger

Re: Quick+easy port redirect
On 29.03.2008, at 01:25, Tuc at T-B-O-H.NET wrote:
> Hi,
>
> Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.
>
> Thanks, Tuc

In case you want to try transparent proxying you need to look into firewalling. I can only tell you how this would work with OpenBSD's PF since I use it myself and quite like it. :-)

Have a look at pf.conf(5), but it should work like this (in /etc/pf.conf):

    int_if = "em0"
    # match LAN clients connecting to any host on port 80
    rdr on $int_if proto tcp from $int_if:network to any port { 80 } -> 192.168.0.1 port 87

In this example you need to specify your network interface as int_if (in my case it is em0).

If this doesn't suit your situation, you probably need to give us more information: The kind of network setup you use (eg internal - firewall - external) and what needs to connect to and from where. Do you have a firewall solution in place (PF, ipfilter, ipfw)? And what do you need to achieve?

br
good luck,
Robert

Re: Quick+easy port redirect
Tuc at T-B-O-H.NET wrote:
> Hi,
>
> Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.

I'm reasonably sure this can be done with natd(8) but it's been a while since I used ipfw and natd. Hopefully someone more expert than me can confirm this.

Vince

> Thanks, Tuc

Re: Quick+easy port redirect
In the last episode (Mar 28), Tuc at T-B-O-H.NET said:
> Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.

Make sure options IPFIREWALL_FORWARD is in your kernel config:

    ipfw add 500 forward 192.168.0.1 tcp from any to any 80

Note that this is a routing-style forward. The source and destination addresses are unchanged, so you will likely need another ipfw fwd rule at the destination machine to capture the traffic and force-forward it to 127.0.0.1:87 (or wherever you want it to go).

If you're planning on passing the traffic to squid, there's a big FAQ section with some alternate methods: http://wiki.squid-cache.org/SquidFaq/InterceptionProxy

--
Dan Nelson
[EMAIL PROTECTED]

Quick+easy port redirect
Hi,

Is there a quick/easy (cookbook?) way to do port redirects. Basically I want that anything that leaves a specific interface to any ip on port 80 go to 192.168.0.1 port 87. I'm using ipfw for some other things so it has to work and play well with that.

Thanks, Tuc

port redirect
I have a freebsd machine set in place to do NAT for my local network. I am now currently forwarding one port. I would like to forward another port as well to the same address. This is what I'm using in rc.conf to forward a single port to a single address.

    /sbin/natd -redirect_port tcp 192.168.1.106: -n sis0

where is the port number.

This also brings up another question. If I was to find a need to port forward to more than one address inside my network. What would the syntax look like.

Thanks for all your time.

Shawn

Re: port redirect
wrap please, tnx.

On Mon, 19 Jan 2004 14:07:35 -0500 Shawn Guillemette [EMAIL PROTECTED] wrote:
> I have a freebsd machine set in place to do NAT for my local network. I am now currently forwarding one port. I would like to forward another port as well to the same address. This is what I'm using in rc.conf to forward a single port to a single address.
>
>     /sbin/natd -redirect_port tcp 192.168.1.106: -n sis0
>
> where is the port number.
>
> This also brings up another question. If I was to find a need to port forward to more than one address inside my network. What would the syntax look like.

Something like:

    **buh*|/home/itetcu# cat /etc/rc.conf | grep natd:
    natd_enable=YES
    natd_flags="-f /etc/natd.conf -l -log_denied -m -u"
    **buh*|/home/itetcu# cat /etc/natd.conf
    interface rl0
    redirect_port tcp 192.168.0.10:80 80
    redirect_port udp 192.168.0.13:110 110
    log_ipfw_denied

See natd(8) for details.

If you want to forward one port to more than one address, that is another question.

--
IOnut
Unregistered ;) FreeBSD user

Re: port redirect with ipfw NOT NAT (not NAT)
Some time in the recent past Lowell Gilbert scribbled:
> Josh Brooks [EMAIL PROTECTED] writes:
>>> Have you tried something like:
>>>
>>>     add 01000 fwd 10.10.10.10,5050 tcp from any to 10.10.10.10 50
>>
>> When I do this, I get:
>>
>>     ipfw: getsockopt(IP_FW_ADD): Invalid argument
>>     ipfw: getsockopt(IP_FW_ADD): Invalid argument
>>
>> Any ideas ? Is there any reason why port forwarding with ipfw is special and annoying ? Or is there really something qualitatively different about this action that warrants this behavior ?

I don't see anything wrong with your syntax on that command and I use a similar command to forward to my transparent proxy. The only thing *I* can think of is that you didn't compile your kernel with:

    options IPFIREWALL_FORWARD

--
Chris

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message

Re: port redirect with ipfw NOT NAT (not NAT)
Josh Brooks [EMAIL PROTECTED] writes:
>> Have you tried something like:
>>
>>     add 01000 fwd 10.10.10.10,5050 tcp from any to 10.10.10.10 50
>
> When I do this, I get:
>
>     ipfw: getsockopt(IP_FW_ADD): Invalid argument
>     ipfw: getsockopt(IP_FW_ADD): Invalid argument
>
> Any ideas ? Is there any reason why port forwarding with ipfw is special and annoying ? Or is there really something qualitatively different about this action that warrants this behavior ?

Do you, perhaps, mean something like:

    If ipaddr is not a local address, then the port number (if specified)
    is ignored, and the packet will be forwarded to the remote address,
    using the route as found in the local routing table for that IP.

port redirect with ipfw NOT NAT (not NAT)
Hello,

I want to perform a very simple act:

All traffic going to 10.10.10.10 port 50 should go to 10.10.10.10 port 5050

That's it. The trick is, I am _not_ interested in running NAT. This is not some cable modem or laptop splitting my DSL service - this is a rackmount firewall on a real network. So again, I do not have any interest in running NAT in any form. Not interested, thanks.

But, I cannot seem to figure out what the ipfw rule is to perform this simple task. So the question is:

What is the ipfw syntax to redirect all traffic from one port to another.

Thanks!

Re: port redirect with ipfw NOT NAT (not NAT)
> Hello,
>
> I want to perform a very simple act:
>
> All traffic going to 10.10.10.10 port 50 should go to 10.10.10.10 port 5050
>
> That's it. The trick is, I am _not_ interested in running NAT. This is not some cable modem or laptop splitting my DSL service - this is a rackmount firewall on a real network. So again, I do not have any interest in running NAT in any form. Not interested, thanks.
>
> But, I cannot seem to figure out what the ipfw rule is to perform this simple task. So the question is:
>
> What is the ipfw syntax to redirect all traffic from one port to another.
>
> Thanks!

Have you tried something like:

    add 01000 fwd 10.10.10.10,5050 tcp from any to 10.10.10.10 50

---
Scott A. Moberly
[EMAIL PROTECTED]