OSEC

From: Cy Schubert - ITSD Open Systems Group (Cy.Schubertuumail.gov.bc.ca)
Date: Sun Jul 22 2001 - 14:21:45 CDT


    In message <3B5B21E5.75FB8503miltonstreet.com>, Sam Carleton writes:
    > Ok folks I simply do NOT understand this. The firewall seems to be
    > working fine. Standard NAT (allowing my workstations out) seems to be
    > working fine. But I am completely unable to get NAT to redirect
    > incoming requests. This is what I am using:

    [ipf.conf edited out]
    > ---------ipnat.conf---------
    > map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
    > map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
    > map iy0 192.168.0.1/24 -> 0/32
    >
    > rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
    > rdr iy0 0.0.0.0/32 port 25 -> 192.168.0.5 port 25
    > rdr iy0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
    > rdr iy0 0.0.0.0/32 port 443 -> 192.168.0.5 port 443
    > ---------ipnat.conf---------
    >
    > If my understanding is correct, the NAT rules get applied before the
    > packet goes through the IP Filter. This means that the rules I have
    > allowing things into 192.168.0.1 will never be used, I simply had them
    > there to make sure:)

    Your internal interface is tun0 and external interface is iy0. Do I
    understand this correctly? If so, your map and rdr statements should
    reference tun0 not iy0.

    >
    > Another question: It is my understanding that when I get a new IP
    > address from my ISP, I need to have NAT update itself. What is the best
    > way to do this considering the machine never disconnects?

    When the status of an interface changes you'll need to resynchronise IPF
    (ipf -y) or reload your rules (ipf -Fa -f ipf.conf). Both are equally
    effective, though ipf -y is the proper way to do it.

    Regards,                          Phone:    (250)387-8437
    Cy Schubert                       Fax:      (250)387-5766
    Team Leader, Sun/Alpha Team       Internet: Cy.Schubertosg.gov.bc.ca
    Open Systems Group, ITSD, ISTA
    Province of BC
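The two points in Cy's reply (every map/rdr rule must name the external interface, and IPF must be resynced with ipf -y when that interface's address changes) lend themselves to a small check. The script below is an added example, not from the thread or from the IPFilter distribution: it lints an ipnat.conf for rules whose interface field is not the expected external interface, then resyncs. The sample config is constructed from Sam's posted rules; the expected interface (tun0) and the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the external
# interface is tun0 (as Cy points out) and that ipnat.conf uses the
# "map|rdr|bimap <iface> ..." syntax seen in the post.

# Print every map/rdr/bimap rule whose interface field differs from $1.
# Usage: ipnat_wrong_iface <expected-iface> <ipnat.conf>
ipnat_wrong_iface() {
    awk -v want="$1" '
        $1 == "" || $1 ~ /^#/ { next }          # skip blanks and comments
        ($1 == "map" || $1 == "rdr" || $1 == "bimap") && $2 != want {
            printf "%d: %s\n", NR, $0            # line number plus rule
        }' "$2"
}

# Number of offending rules; 0 means the config is consistent.
ipnat_wrong_iface_count() {
    ipnat_wrong_iface "$1" "$2" | wc -l | tr -d ' '
}

# After the external address changes: ipf -y resyncs the in-kernel
# interface/address list the rules were compiled against, which Cy
# prefers over a full reload (ipf -Fa -f ipf.conf).
ipf_resync() {
    if command -v ipf >/dev/null 2>&1; then
        ipf -y
    else
        echo "ipf not found; skipping resync" >&2
        return 1
    fi
}

# Constructed sample: three rules still name iy0, one already uses tun0.
SAMPLE_IPNAT=$(mktemp)
trap 'rm -f "$SAMPLE_IPNAT"' EXIT
cat > "$SAMPLE_IPNAT" <<'EOF'
# ipnat.conf as posted, external interface should be tun0
map iy0 192.168.0.1/24 -> 0/32 proxy port ftp ftp/tcp
map iy0 192.168.0.1/24 -> 0/32 portmap tcp/udp 40000:60000
rdr iy0 0.0.0.0/32 port 22 -> 192.168.0.5 port 22
rdr tun0 0.0.0.0/32 port 80 -> 192.168.0.5 port 80
EOF

# Report, and only resync once the config names the right interface.
ipnat_wrong_iface tun0 "$SAMPLE_IPNAT"
[ "$(ipnat_wrong_iface_count tun0 "$SAMPLE_IPNAT")" -eq 0 ] && ipf_resync
```

Run it against the real /etc/ipnat.conf by replacing the sample path; a non-empty report means the rules will silently never match on the outside interface, exactly the symptom Sam describes.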