This is a discussion on Re: IPfilter on FreeBSD 5.X not working properly within the IPFilter forums, part of the System Security and Security Related category.

OK, most people seem to believe it's me and not FreeBSD 5.1 release. I have now fixed my problem, but it seems kind of weird to me.

The reason why I thought it's not me is because I had the exact same setup on FreeBSD 4.x as I do on FreeBSD 5, except for the fact I changed over from cable modem to PPPoE ADSL while also changing to FreeBSD 5. Also note I only use port forwarding now and then, but had some rather established rule setups on my old FreeBSD 4 machine.

But after having a good look around I found what seems to be the problem. It seems I need 1 rule in my /etc/ipf.rules file for 1 port forward.

For example, to redirect connections to an internal web server on the NAT gateway on external port 113 to internal machine port 80:

    rdr tun0 0.0.0.0/0 port 113 -> 192.168.1.27 port 80 tcp

I needed the opposite firewall rule from the one I thought I would need. I thought I would need to enable connections in on port 113 on the external interface, but this doesn't help at all:

    pass in quick on tun0 proto tcp from any to any port = 113 flags S keep state

But the rule below is what I actually needed, and ONLY what I needed, to make connections work to the internal web server from the outside world:

    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state

My currently working complete ruleset:

    #################################################################
    # Outside Interface
    #################################################################
    #pass in quick on tun0 proto tcp from any to any port = 113 flags S keep state
    pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
    pass out quick on tun0 proto tcp from any to any flags S keep frags keep state
    pass out quick on tun0 proto udp from any to any keep state keep frags
    pass out quick on tun0 proto icmp from any to any keep state
    block out log quick on tun0 all
    block in log quick on tun0 all
    #################################################################
    # Inside Interface My computers
    #################################################################
    pass in quick on rl1 all
    pass out quick on rl1 all
    #
    #################################################################
    # Loopback Interface
    #################################################################
    pass in quick on lo0 all
    pass out quick on lo0 all
    #

My current /etc/ipnat.rules:

    rdr tun0 0.0.0.0/0 port 113 -> 192.168.1.27 port 80 tcp
    #rdr tun0 0.0.0.0/0 port 113 -> 192.168.1.27 port 113 tcp
    map tun0 192.168.1.1/24 -> 0/32 proxy port ftp ftp/tcp
    map tun0 192.168.1.1/24 -> 0/32 portmap tcp/udp auto
    map tun0 192.168.1.1/24 -> 0/32

On Mon, 7 Jul 2003 12:49 pm, Michael L.V. wrote:
> I was wondering if IPFilter on FreeBSD 5.X release will be fixed from the
> following problems.
> I am pretty sure it's not just me but something wrong with IPfilter on
> FreeBSD 5.x. For starters, the ipfilter ipl.ko module can't be loaded, but
> with the options listed below compiled into the FreeBSD 5 generic kernel, I
> still don't have any ftp proxy for active ftp transfer mode, nor have I
> been able to do any portforwarding.
>
> options IPFILTER
> options IPFILTER_LOG
> options PFIL_HOOKS
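
The behaviour reported in the post is what you get when IPFilter applies the ipnat rdr translation to an inbound packet before the ipf rules are evaluated, so the filter sees destination port 80, never 113. The sketch below is an added example, not part of the original post or of IPFilter itself: a constructed Python model that handles only the rule shapes quoted above (function names and the sample SYN packet are assumptions).

```python
import re

# Constructed model of IPFilter's inbound path: the ipnat rdr rule rewrites the
# destination first, then the ipf rules are matched against the rewritten packet.
RDR = "rdr tun0 0.0.0.0/0 port 113 -> 192.168.1.27 port 80 tcp"   # from the post

RULES_PORT_113 = """
pass in quick on tun0 proto tcp from any to any port = 113 flags S keep state
block in log quick on tun0 all
"""
RULES_PORT_80 = """
pass in quick on tun0 proto tcp from any to any port = 80 flags S keep state
block in log quick on tun0 all
"""

def apply_rdr(rdr, pkt):
    """Rewrite dst addr/port if the packet matches the rdr rule (0.0.0.0/0 form only)."""
    m = re.match(r"rdr (\S+) 0\.0\.0\.0/0 port (\d+) -> (\S+) port (\d+) (\w+)", rdr)
    ifname, ext_port, host, int_port, proto = m.groups()
    if (pkt["if"], pkt["proto"], pkt["dport"]) == (ifname, proto, int(ext_port)):
        return dict(pkt, dst=host, dport=int(int_port))
    return pkt

def ipf_in(rules, pkt):
    """First matching 'quick' inbound rule wins; supports only the post's rule shapes."""
    for line in rules.strip().splitlines():
        m = re.match(r"(pass|block) in (?:log )?quick on (\S+) (.*)", line)
        action, ifname, rest = m.groups()
        if ifname != pkt["if"]:
            continue
        if rest == "all":
            return action
        proto = re.search(r"proto (\w+)", rest).group(1)
        port = int(re.search(r"port = (\d+)", rest).group(1))
        if proto == pkt["proto"] and port == pkt["dport"] and pkt["flags"] == "S":
            return action
    return "pass"   # nothing matched: ipf passes unless built with IPFILTER_DEFAULT_BLOCK

def inbound(rules, pkt):
    """NAT first, then filter: returns (verdict, packet as the filter saw it)."""
    seen = apply_rdr(RDR, pkt)
    return ipf_in(rules, seen), seen

# Constructed SYN from an outside host to the gateway's external port 113.
SYN = {"if": "tun0", "proto": "tcp", "dst": "203.0.113.10", "dport": 113, "flags": "S"}
```
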