# Forwarding a port on IPFW Gate system



## danaeckel (Mar 8, 2013)

Hi,
I hate to be a pain about this, but firewalls and ports are a weak point of mine. I am going to be traveling next week, and I would like to access a FBSD system on the other side of another FBSD firewall through VNC. I am going to directly VNC in because it is quick and dirty even though it is frowned upon to skip SSH, but I have no valuables so I am OK with that.

On my gate I have two network cards, which we will call et0 for the internet side and et1 for my network.

I would want to think I can set my rule to be 


```
ipfw add 100 fwd et0,5800 dst-port 5800 via et1
```

So, how far off am I?

Dana


----------



## Anonymous (Mar 9, 2013)

What you want to achieve can be done with NAT using a redirection rule.


```
...
ipfw nat 1 config if et0 reset redirect_port tcp 192.168.0.11:5900 5900
...
ipfw add 100 nat 1 ip from any to any via et0 in
ipfw add 101 check-state
ipfw add 200 skipto 999 tcp from any to any 5900 via et0 in setup keep-state
...
ipfw add 999 nat 1 ip from any to any via et0 out
...
```

192.168.0.11 would be the IP address of the machine in the LAN. This is an example for in-kernel NAT. For this to work, you EITHER need to compile a custom kernel with the following options...


```
...
options         IPFIREWALL
options         IPFIREWALL_NAT
options         LIBALIAS
options         IPFIREWALL_DEFAULT_TO_ACCEPT   # optional, won't let you lock yourself out
options         IPFIREWALL_FORWARD             # optional if you want to experiment with forward rules
...
```

... OR, you load the kernel modules from /boot/loader.conf:


```
ipfw_nat_load="YES"
libalias_load="YES"
```

However, I compiled ipfw+NAT into my kernel, and I cannot tell whether loading the modules really works.

Although I have to admit that I never exactly understood the purpose of packet forwarding by the firewall, I am 100% sure that one simple forward rule won't work because the new destination won't know how to call back.


----------
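The redirect from the answer above, narrowed so that only one known client can open the forwarded VNC port; this is an added example, not code from either poster, and it covers only the VNC rules, with the rest of the rule set elided as in the answer. It also sets `net.inet.ip.fw.one_pass=0`, because with the default of 1 a packet is accepted as soon as the `nat` rule matches and rules 101 onward are never consulted. Assumptions: `ALLOWED_SRC` is a constructed placeholder address, rule 210 and the helper names `is_ipv4` and `emit_rules` are additions, and the script only prints the commands.

```sh
#!/bin/sh
# Added example, not from the thread. Prints the commands; pipe to sh to apply.
# et0, 192.168.0.11 and port 5900 come from the thread; ALLOWED_SRC is constructed.
EXT_IF=et0
LAN_HOST=192.168.0.11
VNC_PORT=5900
ALLOWED_SRC=203.0.113.10    # placeholder (documentation range): the remote client

# Succeed only for dotted-quad IPv4 with an optional /0-32 prefix, so "any"
# or an empty value cannot silently open the port to every source.
is_ipv4() {
    case $1 in *[!0-9./]*) return 1 ;; esac
    case ${1%/*} in *.) return 1 ;; esac
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- ${1%/*}          # split the address part into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the rule set; refuse to print anything if an address is malformed.
emit_rules() {
    is_ipv4 "$ALLOWED_SRC" || { echo "bad ALLOWED_SRC: $ALLOWED_SRC" >&2; return 1; }
    is_ipv4 "$LAN_HOST" || { echo "bad LAN_HOST: $LAN_HOST" >&2; return 1; }
    cat <<EOF
# one_pass=0: after nat, the packet continues at the next rule
sysctl net.inet.ip.fw.one_pass=0
ipfw -q nat 1 config if $EXT_IF reset redirect_port tcp $LAN_HOST:$VNC_PORT $VNC_PORT
ipfw -q add 100 nat 1 ip from any to any via $EXT_IF in
ipfw -q add 101 check-state
# after rule 100 the destination is already the LAN host, so match on it
ipfw -q add 200 skipto 999 tcp from $ALLOWED_SRC to $LAN_HOST $VNC_PORT via $EXT_IF in setup keep-state
# every other source reaching the redirected port is dropped here
ipfw -q add 210 deny tcp from any to $LAN_HOST $VNC_PORT via $EXT_IF in
ipfw -q add 999 nat 1 ip from any to any via $EXT_IF out
EOF
}

emit_rules
```

Rule 210 is what makes the source restriction effective: without a deny between rules 200 and 999, a kernel built with `IPFIREWALL_DEFAULT_TO_ACCEPT` would still pass redirected connections from any address.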

