# cannot redirect port



## urello (Oct 2, 2013)

I want to enable SSH access for one PC in the LAN from the internet.

ipfw.conf

```
OutIf=vlan10
ipfw -q flush
ipfw add pass all from any to any via lo0
ipfw add deny all from any to 127.0.0.0/8
ipfw add deny ip from 127.0.0.0/8 to any

ipfw add deny ip from any to 0.0.0.0/8 in via ${OutIf}
ipfw add deny all from any to 10.0.0.0/8 in via ${OutIf}
ipfw add deny all from any to 172.16.0.0/12 in via ${OutIf}
ipfw add deny all from any to 192.168.0.0/16 in via ${OutIf}
ipfw add deny all from any to 169.254.0.0/16 in via ${OutIf}
ipfw add deny all from any to 224.0.0.0/4 in via ${OutIf}
ipfw add deny all from any to 240.0.0.0/4 in via ${OutIf}

ipfw nat 100 config if ${OutIf} log reset redirect_port tcp 192.168.1.223:23456 22
ipfw add nat 100 ip from 192.168.1.0/24 to any via ${OutIf}
ipfw add nat 100 ip from any to me via ${OutIf}
```

`ifconfig`

```
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=4219b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MAGIC,VLAN_HWTSO>
        ether 00:1b:21:c1:e2:8d
        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
age0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=c319b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,TSO4,WOL_MCAST,WOL_MAGIC,VLAN_HWTSO,LINKSTATE>
        ether 00:1f:c6:a3:35:f4
        media: Ethernet autoselect (none)
        status: no carrier
ipfw0: flags=8801<UP,SIMPLEX,MULTICAST> metric 0 mtu 65536
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
vlan10: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=103<RXCSUM,TXCSUM,TSO4>
        ether 00:1b:21:c1:e2:8d
        inet 95.67.xx.xx netmask 0xfffffffc broadcast 95.67.118.123
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
        vlan: 10 parent interface: em0
```

Right now it is not working. Could anyone advise?


----------



## SirDice (Oct 2, 2013)

I'm not sure if that's the case with IPFW, but with PF, NAT happens before the rules. So if you redirect traffic to a different host you have to use the 'translated' IP address as the destination, not the original destination IP address.


----------



## urello (Oct 2, 2013)

What does it mean, "'translated' IP address"?


----------



## SirDice (Oct 2, 2013)

When you redirect a port you are actually translating the (destination) IP address. The firewall receives a packet with destination address A.B.C.D and the redirection translates that to W.X.Y.Z and sends it along. So your rules must allow traffic to W.X.Y.Z.
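A small Python model of the point made above, added here and not taken from the thread: a filter rule is evaluated against whichever destination address the packet carries when the rule sees it, so once redirect_port rewrites the destination to 192.168.1.223, a deny for 192.168.0.0/16 matches it even though the original destination (the public address) did not. It models destination matching only, not ipfw's real rule ordering, direction or interface handling; the public and remote addresses are constructed placeholders for the 95.67.xx.xx in the post.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str         # "deny" or "pass"
    dst_net: str        # destination network this rule matches
    proto: str = "all"  # "all" matches every protocol


def redirect_port(pkt, public_port, target_ip, target_port, proto="tcp"):
    """Model of redirect_port: rewrite the destination of matching packets."""
    if pkt.proto == proto and pkt.dport == public_port:
        return replace(pkt, dst=target_ip, dport=target_port)
    return pkt


def first_match(rules, pkt, default="pass"):
    """Action of the first rule whose destination network contains pkt.dst;
    `default` stands in for a kernel built with default_to_accept."""
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.proto in ("all", pkt.proto) and dst in ipaddress.ip_network(rule.dst_net):
            return rule.action
    return default


# The private-range deny rules from the ipfw.conf in the thread, as destination matches.
DENY_RULES = [Rule("deny", n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Same list with an explicit pass for the translated destination placed in front of it.
ALLOW_TARGET_FIRST = [Rule("pass", "192.168.1.223/32", "tcp")] + DENY_RULES


def check_redirect(pkt, rules):
    """Return (verdict on the original destination, verdict on the translated one)."""
    translated = redirect_port(pkt, 22, "192.168.1.223", 23456)
    return first_match(rules, pkt), first_match(rules, translated)


if __name__ == "__main__":
    # Constructed sample: SSH request from the internet to the router's public address.
    pkt = Packet(src="203.0.113.5", dst="198.51.100.1", dport=22)
    print(check_redirect(pkt, DENY_RULES))          # ('pass', 'deny')
    print(check_redirect(pkt, ALLOW_TARGET_FIRST))  # ('pass', 'pass')
```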


----------



## urello (Oct 2, 2013)

> So your rules must allow traffic to W.X.Y.Z.


My ipfw was compiled with the default_to_accept option, so this traffic should be allowed by default, AFAIK.


----------



## SirDice (Oct 2, 2013)

Yes, but you have a couple of deny rules that prevent traffic to 192.168.0.0/16; 192.168.1.123/24 is part of that range.


----------



## urello (Oct 3, 2013)

I removed this rule, but it didn't help.

Could anyone advise a way to debug this?


----------



## SirDice (Oct 3, 2013)

I've never used ipfw much so I can't comment on any specifics. But the ultimate tool to debug this is tcpdump(1). Things are so much clearer when you can see the actual packets.

Start by verifying you are actually receiving a request:
`# tcpdump -ni vlan10 port 22`

Then see if it's being translated properly by looking at what's being sent out:
`# tcpdump -ni em0 host 192.168.1.123 and port 22`

You can adjust the filter so it only captures the traffic you're interested in.


----------



## Abriel (Oct 3, 2013)

You can always try net/portfwd:
`pico /usr/local/etc/portfwd.cfg`

```
user  nobody
group nobody
tcp {
22 { => 192.168.1.223:23456 }
}
```


----------

