quick FW question

William Michael Grim wgrim at siue.edu
Tue May 11 21:00:24 PDT 2004


Hello!

If you would like to properly forward traffic to your mail server THROUGH
the firewall, you need to have your firewall do it through NAT.  By doing
it through NAT (natd), it will change the IP headers for you so the
traffice travels correctly.  It took me a while to figure this out when
trying to forward ssh and httpd to an internal machine.

Setup your rc.conf like this:
natd_enable="YES"
natd_flags="-f /etc/natd.conf"

In my natd.conf, I have a setup like this (you will need to change the
redirect lines though):
# Useful for trying not to break RFCs.

use_sockets
same_ports

# My public interface

interface dc0

# Use this since the public interface is set by DHCP.

dynamic

unregistered_only

log_ipfw_denied

redirect_port tcp 192.168.0.101:23 23
redirect_port tcp 192.168.0.101:8080 8080
#redirect_port tcp 192.168.0.101:389 389
#redirect_port tcp 192.168.0.101:636 636

William Michael Grim
Student, Southern Illinois University at Edwardsville
Unix Network Administrator, SIUE, Computer Science dept.
Phone: (217) 341-6552
Email: wgrim at siue.edu



On Wed, 12 May 2004, Tim Aslat wrote:

> I hope this isn't too off topic, but I'd like a quick solution to a
> problem.
> 
> I have a small network behind a NAT firewall (FreeBSD of course) and I'd
> like to block/redirect all traffic from the internal network to the
> local mail server (same box as firewall) in order to prevent direct smtp
> requests to the outside world (mainly virus/trokan programs).
> 
> I think I have it right in this rule, but I would prefer to get a
> second, or even a third opinion.
> 
> ipfw add fwd 127.0.0.1,25 tcp from any to me dst-port 25
> 
> Cheers
> 
> Tim
> 
> -- 
> Tim Aslat <tim at spyderweb.com.au>
> Spyderweb Consulting
> http://www.spyderweb.com.au
> Phone: +61 0401088479
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> 



More information about the freebsd-security mailing list