road runner and external connections

Gerald Combs gerald at ethereal.com
Sat Apr 27 03:03:45 CDT 2002


On Fri, 26 Apr 2002, Marvin Bellamy wrote:

> Has anyone had any difficulty setting their firewalls with redirection 
> to intranet boxes to allow connections from the outside world?  I'm 
> trying to get ipf and ipnat configured, but nothing seems to be working.
> I've used tcpdump and I can see the attempts to connect to my web
> server, and I can connect to my web server from my firewall, but
> redirection doesn't seem to be working.  Note that I've had my network 
> configured to only allow outgoing connections for at least a year now. 
> It's the inbound redirections that aren't working.  Also, I have a 
> dynamic IP, so I used a "best guess" of 0/32 to do this.  A sample 
> ipnat.rules file configured for a dynamic external IP would help a lot.

My ipnat.rules has 

rdr rl1 0.0.0.0/0 port 2022 -> 192.168.0.2 port 22

which allows me to ssh in to an inside box via port 2022 on the outside.
The "rl1 0.0.0.0/0" bit tells it to use whatever address rl1 (my outside
interface) currently has.  The key is the netmask length.  "/0" means
"don't match against any part of the address", and "/32" means "match all
32 bits of the address."  Specifying 0/32 as the outside address would
tell it to match packets with a destination address of "0.0.0.0", which is
probably not what you want.

Note that ipf needs to be configured to allow inbound connections as well.
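
The netmask-length point above, as an added example that is not part of Gerald's reply and not IPFilter's own code: a small Python model of one "rdr" rule that parses the line, compares only the first N bits of the external address, and reports where an inbound packet would be rewritten to. The 203.0.113.7 address is a constructed stand-in for whatever dynamic address rl1 holds today; treating a bare address such as "0" as "0.0.0.0" and a missing "/N" as "/32" are assumptions of this model, as are all the function names.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added model of one ipnat "rdr" rule, written for this thread; it is not
# IPFilter's own parser and covers only the single rule shape quoted above.
RDR_RE = re.compile(
    r"^rdr\s+(?P<iface>\S+)\s+(?P<ext>\S+)\s+port\s+(?P<dport>\d+)"
    r"\s+->\s+(?P<to>\S+)\s+port\s+(?P<tport>\d+)\s*$"
)


@dataclass(frozen=True)
class RdrRule:
    iface: str        # outside interface the rule applies to, e.g. rl1
    ext_addr: int     # external address to compare against, as a 32-bit int
    prefixlen: int    # how many leading bits of ext_addr must match
    dport: int        # external port being redirected
    to_addr: str      # inside host
    to_port: int      # inside port


def _expand(addr: str) -> str:
    """Pad shorthand like "0" to "0.0.0.0" (assumption: ipf's abbreviated form)."""
    octets = addr.split(".")
    return ".".join(octets + ["0"] * (4 - len(octets)))


def parse_rdr(line: str) -> RdrRule:
    """Parse 'rdr IFACE ADDR[/N] port P -> INSIDE port Q' into an RdrRule."""
    m = RDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rdr line: {line!r}")
    ext = m.group("ext")
    addr, _, plen = ext.partition("/")
    prefixlen = int(plen) if plen else 32   # a bare address means all 32 bits (assumption)
    if not 0 <= prefixlen <= 32:
        raise ValueError(f"bad prefix length in {ext!r}")
    return RdrRule(
        iface=m.group("iface"),
        ext_addr=int(ipaddress.IPv4Address(_expand(addr))),
        prefixlen=prefixlen,
        dport=int(m.group("dport")),
        to_addr=m.group("to"),
        to_port=int(m.group("tport")),
    )


def addr_matches(rule: RdrRule, dst_ip: str) -> bool:
    """Compare only the first `prefixlen` bits: /0 compares nothing, /32 compares all 32."""
    mask = (0xFFFFFFFF << (32 - rule.prefixlen)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(dst_ip)) & mask) == (rule.ext_addr & mask)


def redirect(rule: RdrRule, iface: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Return the rewritten (ip, port) if the rule applies to this inbound packet, else None."""
    if iface != rule.iface or dst_port != rule.dport:
        return None
    if not addr_matches(rule, dst_ip):
        return None
    return (rule.to_addr, rule.to_port)


if __name__ == "__main__":
    # Gerald's rule versus the "0/32" guess from the question; 203.0.113.7 is a
    # constructed (documentation-range) address standing in for today's dynamic IP.
    good = parse_rdr("rdr rl1 0.0.0.0/0 port 2022 -> 192.168.0.2 port 22")
    guess = parse_rdr("rdr rl1 0/32 port 2022 -> 192.168.0.2 port 22")
    print(redirect(good, "rl1", "203.0.113.7", 2022))   # ('192.168.0.2', 22)
    print(redirect(guess, "rl1", "203.0.113.7", 2022))  # None: only 0.0.0.0 would match
```

The mask arithmetic is the whole point: with /0 the mask is all zeros, so any address the interface happens to hold matches; with /32 the mask is all ones, so only a packet addressed to 0.0.0.0 itself would be redirected, which is why the "0/32" guess never fires.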

More information about the Kclug mailing list