RE: IPFW NATD

From: Brian (Brian_at_bossbox.com)
Date: 10/15/04

    To: "'FreeBSD Questions'" <freebsd-questions@freebsd.org>
    Date: Fri, 15 Oct 2004 16:39:42 +0100
    <snip>
    Hi

    I'm trying to set up natd to port forward to an http, ftp and vnc server behind
    the natd box

    But I only want a customer from their static ip address to be able to log in
    and block everything else

    Is this possible in a natd environment?

    Any examples?

    Port forwarding works ok, I just can't figure out the rules to stop everyone
    and allow this one client

    Cheers

    Brian

    Brian,
    If you've got the portforwarding working, then a few IPFW rules will add the
    security you're looking for. If your divert rule is number 100, then add a
    few rules above it, like this:

    ipfw add 50 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 80
    ipfw add 51 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] 21
    ipfw add 52 skipto 100 tcp from [static.ip.of.customer] to [public.ip.of.nat.box] [VNC port]
    ipfw add 53 deny tcp from any to [public.ip.of.nat.box] 80
    ipfw add 54 deny tcp from any to [public.ip.of.nat.box] 21
    ipfw add 55 deny tcp from any to [public.ip.of.nat.box] [VNC port]

    The first three rules pass the traffic from the specified IP to the divert
    rule, to natd, and it gets portforwarded. Any other traffic on those ports gets
    blocked and doesn't get diverted.

    <snip>

    This worked a treat, thanks very much.

    Brian
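The rule order from the reply above, as an added example that is not from the original post: a small Python model of ipfw's first-match evaluation with skipto, run over the suggested rules. The addresses and the VNC port are constructed placeholders, and the default rule at the end is an assumption.

```python
# Added example, not from the list post: a minimal model of ipfw's
# first-match evaluation with "skipto", used to check the rule order the
# reply suggests. Addresses and the VNC port are constructed placeholders.

CUSTOMER = "198.51.100.7"   # constructed stand-in for [static.ip.of.customer]
NAT_BOX = "203.0.113.1"     # constructed stand-in for [public.ip.of.nat.box]
VNC_PORT = 5900             # assumption for [VNC port]

# (number, action, proto, src, dst, dport, skipto_target); "any" matches all.
# Rules are listed in ascending number order, as ipfw evaluates them.
RULES = [
    (50, "skipto", "tcp", CUSTOMER, NAT_BOX, 80, 100),
    (51, "skipto", "tcp", CUSTOMER, NAT_BOX, 21, 100),
    (52, "skipto", "tcp", CUSTOMER, NAT_BOX, VNC_PORT, 100),
    (53, "deny", "tcp", "any", NAT_BOX, 80, None),
    (54, "deny", "tcp", "any", NAT_BOX, 21, None),
    (55, "deny", "tcp", "any", NAT_BOX, VNC_PORT, None),
    (100, "divert", "ip", "any", "any", "any", None),   # the natd divert rule
    (65535, "allow", "ip", "any", "any", "any", None),  # assumed default rule
]


def matches(rule, proto, src, dst, dport):
    """True if the packet (proto, src, dst, dport) matches the rule's selectors."""
    _num, _action, rproto, rsrc, rdst, rdport, _target = rule
    return (rproto in ("ip", proto)
            and rsrc in ("any", src)
            and rdst in ("any", dst)
            and rdport in ("any", dport))


def evaluate(proto, src, dst, dport, rules=RULES):
    """Return (number, action) of the first terminal rule hit, honouring skipto."""
    i = 0
    while i < len(rules):
        rule = rules[i]
        if not matches(rule, proto, src, dst, dport):
            i += 1
            continue
        num, action, target = rule[0], rule[1], rule[6]
        if action == "skipto":
            # Resume at the first rule numbered >= target, as ipfw does.
            i = next(k for k, r in enumerate(rules) if r[0] >= target)
            continue
        return num, action
    raise ValueError("no rule matched")


if __name__ == "__main__":
    print(evaluate("tcp", CUSTOMER, NAT_BOX, 80))       # (100, 'divert')
    print(evaluate("tcp", "192.0.2.9", NAT_BOX, 80))    # (53, 'deny')
    print(evaluate("tcp", "192.0.2.9", NAT_BOX, 8080))  # (100, 'divert')
```

The last call shows the caveat: the deny rules only cover the three listed ports, so TCP traffic to any other port that natd forwards still reaches the divert rule.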
