Subject: IPNat, IPF, and webservers...
To: 'email@example.com' <firstname.lastname@example.org>
From: David Woyciesjes <DAW@yalepress3.unipress.yale.edu>
Date: 10/20/2000 10:17:03
******** Please keep my name in the "Send To" field, because I apparently need to be
approved to join 'tech-net'. Maybe because the University uses e-mail address
aliases. ********
Happy Friday to everyone! I'm sure this is an easy question.
I've set up the infamous NetBSD/i386 Firewall from dubbele.com, and
modified it to use RP-PPPoE to connect over the ADSL line. Now, all I want
is to allow http (port 80) traffic through to machine 10.10.10.10. I've RTFM,
read through the mail archives, and thought I had the answer (shown below). So
I got that all in and restarted the firewall (BTW, aren't there commands to
reload the ipf and ipnat rules without rebooting?), and I can browse to
10.10.10.10 fine (from 10.10.10.2), but when I try to browse to 64.252.39.??
(from 10.10.10.2), I get the "No response, server could be down" message.
P.S. Does anyone use the redirection service on CJB.net?
#!/sbin/ipnat -f -
# ex0 - (old ext.) connection to ISP, address 10.10.10.20/32
# ppp0- (new ext.) connection to SNET, DHCP address - 0/32
# ep0 - (internal) network interface, address 192.168.1.250/32
# Redirect port 80 arriving on ppp0 (0/32 = whatever address ppp0 has) to the web server.
rdr ppp0 0/32 port 80 -> 10.10.10.10 port 80 tcp
# To make ftp work, using the internal ftp proxy. map rules are first-match,
# so the proxy rule has to come before the general map rules or it never fires.
map ppp0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
# Masquerade the LAN behind ppp0's address; tcp/udp get a fixed source-port range.
map ppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 10.10.10.0/24 -> 0/32
#!/sbin/ipf -f -
# NAT (rdr) runs before the inbound filter, so the filter already sees
# the translated destination 10.10.10.10, not ppp0's address.
pass in quick on ppp0 proto tcp from any to 10.10.10.10/32 port = 80
# Drop fragments too short to hold a full header (a classic evasion trick).
block in quick all with short
--- David A Woyciesjes
--- C & IS Support Specialist
--- Yale University Press
--- (203) 432-0953
--- ICQ # - 905818
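An added example, not from the poster's message nor from the dubbele.com firewall kit, showing the point the posted rules miss: an ipnat `rdr` is matched against packets *arriving* on the named interface, so `rdr ppp0 ...` never sees a LAN client that connects to the external address, because that packet arrives on ep0. The fragment below assumes ep0 is the internal interface with address 10.10.10.1 on 10.10.10.0/24, and writes `EXT_IP` for the address ppp0 received from the ISP (the posted message elides it); both are my assumptions, not facts from the page.

```conf
# /etc/ipnat.conf - example only (assumptions: ep0 = 10.10.10.1 on 10.10.10.0/24,
# web server = 10.10.10.10, EXT_IP = the address PPPoE assigned to ppp0)

# 1. Inbound from the Internet. Only packets that arrive on ppp0 match this rule.
rdr ppp0 0/32 port 80 -> 10.10.10.10 port 80 tcp

# 2. Outbound masquerading for the LAN. First-match: the ftp proxy rule goes first.
map ppp0 10.10.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map ppp0 10.10.10.0/24 -> 0/32 portmap tcp/udp 40000:60000
map ppp0 10.10.10.0/24 -> 0/32

# 3. "Hairpin" for LAN clients such as 10.10.10.2 browsing to EXT_IP.
#    The packet arrives on ep0, so it needs its own rdr there. 0/32 cannot be
#    used here because on ep0 it would mean ep0's address, not ppp0's.
rdr ep0 EXT_IP/32 port 80 -> 10.10.10.10 port 80 tcp
#    The redirected packet leaves ep0 again towards 10.10.10.10. Without a
#    source rewrite the server would answer 10.10.10.2 directly, and the client
#    would discard a reply from 10.10.10.10 because it is talking to EXT_IP.
#    Mapping the source to the firewall's LAN address forces the reply back
#    through the firewall, where it is un-translated.
map ep0 10.10.10.0/24 -> 10.10.10.1/32 portmap tcp/udp 40000:60000
```

The matching ipf side does not need a hairpin rule of its own as long as traffic on ep0 is already passed; the `pass in quick on ppp0 ... to 10.10.10.10 port = 80` rule from the posted file still covers the Internet-facing path, since rdr has rewritten the destination before the filter sees the packet. Because EXT_IP changes with every PPPoE session, the ep0 rdr has to be regenerated (e.g. from ip-up) and the rules reloaded rather than left static. Reloading without a reboot is `ipnat -CF -f /etc/ipnat.conf` (flush NAT rules and the active translation table, then load) and `ipf -Fa -f /etc/ipf.conf` (flush all filter rules, then load); `ipnat -l` afterwards shows the loaded rules and the live translations, which is the quickest way to confirm the hairpin connection is actually being translated.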