Re: ipnat filtering exception (IPFilter forums, System Security and Security Related category)
Darren Reed wrote:
> In some mail from Billy Newsom, sie said:
>
>>I am using the ipfilter built into FreeBSD 5.4 v3.4.35 (336). I just
>>came across a need to use a new redirect, but I don't see anything in
>>the Howto discussing it, which usually fixes me up.
>>
>>I have this new rule:
>>rdr fxp0 0.0.0.0/0 port 25 -> 192.168.0.1 port 2525
>>
>>This will allow all port 25 traffic starting from LAN to WAN to go to
>>port 2525 on a machine of my choice.
>>
>>Exception 1.
>>Fine, but I need to make a few exceptions. For example, say I have a PC
>>at 192.168.5.5 that needs to be excepted. How do I keep this PC from
>>being redirected?
>
>
> rdr fxp0 from ! 192.168.5.5/32 to 0.0.0.0/0 port 25 -> 192.168.0.1 port 2525 tcp
>
> Although this doesn't work well if there's a number of individual addresses
> that you want to make this exception for,
>

Okay, great. But two questions.

#1, why won't this work on FreeBSD 5.4? Any ideas?

Before [works]:
rdr fxp0 0/0 port 25 -> 192.168.1.2 port 2525 tcp

After [doesn't work]:
rdr fxp0 from 192.168.0.52/32 to 0/0 port 25 -> 192.168.1.2 port 2525 tcp

Here's the command-line output when I tried this:

#rc.d/ipnat reload
1 entries flushed from NAT table
3 entries flushed from NAT list
11: unknown range operator (->)
11: syntax error in "rdr"
/etc/ipnat.rules: parse error (-1), quitting
Exit 1

#2, How many is too many when you say "a number of individual addresses"? Can I do this for at most one host, or are you just saying it will slow stuff down if I have a lot of hosts using the FROM/TO portion?

>>Exception 2.
>>Also, what if we contact a special server, which needs no redirection?
>>Say, server 192.168.0.1 port 25 traffic is legitimate, and everyone on
>>the LAN should receive *no* redirection for that special server?
>
>
> Easiest way to achieve this is to redirect it to that address.
> e.g.:
>
> rdr fxp0 192.168.0.1/32 port 25 -> 0/0 port 25 tcp
>
> Darren
>

I thought about that, but I didn't know for sure. Thanks.
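Both answers combined into one ipnat.rules fragment, as an added example that is not from the thread. It assumes fxp0 is the LAN-side interface, the addresses from the original question, and an ipnat whose rdr parser accepts the from/to form (the 3.4.35 build in the post rejected it with "unknown range operator").

```conf
# /etc/ipnat.rules -- added example, not from the thread.
# ipnat evaluates rdr rules first-match, so the narrow exceptions
# must come before the broad redirect or they are never reached.

# Exception 2: mail for the legitimate relay 192.168.0.1:25 is
# "redirected" to its original destination, i.e. left untouched.
rdr fxp0 192.168.0.1/32 port 25 -> 0/0 port 25 tcp

# Exception 1 plus the general redirect in one rule: every LAN host
# except 192.168.5.5 has its outbound port 25 sent to the local
# 192.168.0.1:2525 listener. Requires from/to support in rdr;
# the 3.4.35 parser shown in the post does not accept this line.
rdr fxp0 from ! 192.168.5.5/32 to 0.0.0.0/0 port 25 -> 192.168.0.1 port 2525 tcp
```

Reload with `ipnat -CF -f /etc/ipnat.rules` and confirm the rule order with `ipnat -l`; if the listing shows the broad rule first, the exceptions are dead.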