On Thu, 12 Jul 2001, Mike Hoskins wrote:
> On Thu, 12 Jul 2001, Matt Dillon wrote:
>
> > My new 'firewall' manual page has an ipfw example of a natd setup.
> > It might help. You need a relatively recent -stable to have the
> > man page.
>
> I see the page... Thanks, btw. However, it still seems fubar. Like I
> said before, natd's configuration looks simple enough, but packets aren't
> getting through. If I add an ipfw rule to just allow traffic to the
> outside port (8080), I see incoming packets hitting the rule... but no
> connection (no real forwarding to the internal ip:port). If I run a
> sniffer on the outside interface, I see connection attempts to
> 8080... run the same sniffer on the internal interface, nothing.
>
> My first thought was 'duh, the packets have to get to natd somehow so
> redirect_port can actually do something...' but changing the 8080 allow to
> a divert doesn't fix the problem. So next I figured one piece of the
> conversation was dying... somewhere... I.e. inbound's fine but I'm
> fscking something up outbound... but no denied packets in logs.
>
> It certainly seems like natd's working and ipfw just isn't allowing
> packets to get 'into' natd for the redirect. Unfortunately, I've tried
> about everything in ipfw and natd's man page and am still stumped. Then
> again, I may very well be taking the wrong approach entirely. I've opened
> the firewall completely (allow ip any any...), and it didn't help.
>
> I knew today would be great when it started with big brother alerts at
> 4AM. ;) It wouldn't be so bad if I hadn't had this working before... I
> hate that.
>
> Thanks,
> -Mike
>
> --
> Eat drink and be merry, for tomorrow they may make it illegal.
>
>
Would something like this in your /etc/rc.conf do the trick:
natd_flags="-proxy_rule port 8080 server 1.2.3.4:my_divert_port"
This should divert incoming packets on port 8080 to the server 1.2.3.4 on
port my_divert_port. I use this on a firewall to send web traffic to our
cache server. Mine looks like this:
natd_flags="-proxy_rule port 80 server 1.2.3.4:3128"
RJ
---------------------
Ryan J. Taylor
Systems/Network Administrator
NCIA
[EMAIL PROTECTED]
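As an added illustration of the setup discussed above (not code from either poster), the script below generates, in dry-run form, the ipfw rule set that a natd redirect_port configuration depends on, together with the matching rc.conf natd_flags line, and checks the one ordering property that decides whether packets ever reach natd: the divert rule has to precede any allow rule for the same traffic, and the divert port in ipfw has to match the port natd listens on. The interface name fxp0, the divert port 8668, the internal host 10.0.0.5:80 and the public port 8080 are constructed placeholders, not values from the thread; setting IPFW=ipfw on a FreeBSD box would load the rules instead of printing them.

```sh
#!/bin/sh
# Added example, not from the thread. Dry-run generator for an ipfw +
# natd redirect_port setup. All values below are constructed assumptions:
# override them in the environment to match a real box.
EXT_IF="${EXT_IF:-fxp0}"            # outside interface (assumed)
DIVERT_PORT="${DIVERT_PORT:-8668}"  # port natd listens on (assumed)
PUB_PORT="${PUB_PORT:-8080}"        # public port being redirected (assumed)
INT_HOST="${INT_HOST:-10.0.0.5}"    # internal server (assumed)
INT_PORT="${INT_PORT:-80}"          # internal service port (assumed)
IPFW="${IPFW:-echo ipfw}"           # default: print commands, do not run them

# Emit the ordered rule set. The divert rule comes first so that every
# packet crossing the outside interface is handed to natd before any
# allow rule can match; an allow rule placed ahead of the divert passes
# the packet untranslated and natd never sees it.
gen_rules() {
    $IPFW -f flush
    $IPFW add 100 divert "$DIVERT_PORT" ip from any to any via "$EXT_IF"
    # After natd rewrites the destination, the packet re-enters at the
    # next rule with the internal address, so allow it by that address.
    $IPFW add 200 allow tcp from any to "$INT_HOST" "$INT_PORT" in via "$EXT_IF" setup
    $IPFW add 250 allow ip from any to any out via "$EXT_IF"
    $IPFW add 300 allow tcp from any to any established
    $IPFW add 65000 deny log ip from any to any
}

# rc.conf line for natd using redirect_port; -port must equal the port
# used in the ipfw divert rule above or the two never meet.
natd_flags_line() {
    printf 'natd_flags="-port %s -redirect_port tcp %s:%s %s"\n' \
        "$DIVERT_PORT" "$INT_HOST" "$INT_PORT" "$PUB_PORT"
}

# Read a rule listing on stdin; exit 0 when a divert rule appears before
# the first allow rule, 1 otherwise.
divert_before_allow() {
    awk '
        /divert/ && !seen_allow { found = 1 }
        /allow/                 { seen_allow = 1 }
        END { exit found ? 0 : 1 }
    '
}

if gen_rules | divert_before_allow; then
    echo "ok: divert rule precedes allow rules"
else
    echo "problem: an allow rule is reached before the divert rule" >&2
fi
gen_rules
natd_flags_line
```

Run with no arguments to see the rule set and the natd_flags line; pipe `ipfw list` output from a real host into divert_before_allow to check an existing rule set the same way.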