Firewall Wizards mailing list archives

Re: FreeBSD 4.2 ipfw natd -- Port Forwarding?


From: "Crist Clark" <crist.clark () globalstar com>
Date: Thu, 21 Dec 2000 10:38:52 -0800

Russ wrote:

> Hi, first time poster, thanks for the cool mailing list...

But you'd still probably be much better off at,

  freebsd-questions () freebsd org,

Or if your questions eventually become more technical, 

  freebsd-ipfw () freebsd org

> I am using FreeBSD 4.2 and have set up a pretty good firewall using ipfw
> and natd via some tutorials and documentation I have found. So it works but
> now I need to customize it a little...
>
> Question:  How can I allow incoming connections through my firewall?  The
> client lets me specify what port to listen to incoming requests on; before,
> I was using a router that had built-in port forwarding... So the client is
> set to listen on 8877 and the router forwards incoming requests to port 8877 to
> the computer with IP 192.168.1.3 on port 8877, you get the picture?
>
> I would like to learn how to write the rule in my ipfw script that might do
> the same thing, forward incoming requests to my external IP on port xxxx to
> internal IP xxx.xxx.xxx.xxx port xxxx.  The port would not change, of course...

ipfw(8) does not do this type of "forwarding." This is a job for natd(8).
See 'redirect_port' on the natd(8) manpage. Remember that ipfw never 
actually changes the contents of a packet (not 100% true, but close enough),
so if you ever want to do something like redirects (which is changing the
packet when it rewrites the address) you need another tool.

> How do I write the rule? I suppose this rule could be used for any incoming
> request, and I am sure people use it to allow access to http and ftp
> through a firewall, so there must be an acceptable rule to do it, any ideas?
>
> $ipfw pass tcp "for port 8877 only" to 192.168.1.3:8877 via $oif (external
> interface) ?  I have no clue how it should be.

You will still need rules to pass the traffic through the firewall,
but natd does the redirect. So, your natd(8) command line would be like,

  # natd -n $oif -redirect_port tcp xxx.xxx.xxx.xxx:8877 8877

(I assume you can translate that into what goes into rc.conf), and
off the top of my head your firewall rules would be something like,

  # (these sit after the 'divert natd' rule, so by the time the inbound
  # packet reaches them its destination is already the internal address)
  $ipfw pass tcp from any to xxx.xxx.xxx.xxx 8877 in via $oif
  $ipfw pass tcp from any to xxx.xxx.xxx.xxx 8877 out via $iif

To allow the traffic _in._ You may or may not need more rules to let
it back out depending on how strict you set up your outgoing traffic.
-- 
Crist J. Clark                                Network Security Engineer
crist.clark () globalstar com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926
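The redirect described in this reply, as an added example that is not part of the original message or of FreeBSD's own rc.firewall: a dry-run script that prints the natd(8) command line, the equivalent rc.conf settings, and the ipfw(8) rules in the order they need to be loaded. The interface names fxp0/fxp1 and the rule numbers are assumptions; 192.168.1.3:8877 is the host and port from the question.

```shell
#!/bin/sh
# Added example, not from the original thread. IPFW defaults to
# "echo ipfw" so the script runs on any box and just prints the rules;
# set IPFW=/sbin/ipfw on the FreeBSD firewall to apply them for real.
oif="fxp0"            # external interface (assumed name)
iif="fxp1"            # internal interface (assumed name)
int_ip="192.168.1.3"  # internal host receiving the redirect
port="8877"           # same port inside and outside
IPFW="${IPFW:-echo ipfw}"

# natd(8) command line: -redirect_port takes the protocol, then the
# target host:port, then the external (alias) port.
natd_cmdline() {
    echo "natd -n $oif -redirect_port tcp $int_ip:$port $port"
}

# The same natd invocation expressed as /etc/rc.conf settings.
rc_conf_lines() {
    echo "natd_enable=\"YES\""
    echo "natd_interface=\"$oif\""
    echo "natd_flags=\"-redirect_port tcp $int_ip:$port $port\""
}

# ipfw(8) rules. Order matters: the divert rule comes first, so an
# inbound packet for $port has its destination rewritten to $int_ip
# before the pass rules see it. That is why the inbound pass rule
# matches the internal address rather than the external one.
ipfw_rules() {
    $IPFW add 100 divert natd all from any to any via "$oif"
    $IPFW add 200 pass tcp from any to "$int_ip" "$port" in via "$oif" setup
    $IPFW add 210 pass tcp from any to "$int_ip" "$port" out via "$iif"
    # Return traffic of the redirected session: replies from $int_ip go
    # out via $oif, hit the divert rule again and get their source
    # rewritten back to the external address, then pass as established.
    $IPFW add 300 pass tcp from any to any established
}

natd_cmdline
rc_conf_lines
ipfw_rules
```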

