ipfw port forwarding
Gordon Davisson
gordon at bivalve.net
Mon Dec 10 21:00:29 PST 2007
On Dec 9, 2007, at 6:49 PM, John Musbach wrote:
> I have internet sharing enabled on one mac which is in a dmz and am
> trying to get another mac which is connected to the dmz'd mac via
> internet sharing to have traffic received by the dmz'd mac for a
> certain port to be forwarded to the connected mac...however the
> terminal command "sudo ipfw add 02110 forward 10.0.2.7 in" doesn't
> work (returns from missing but if I add "from any" after the ip I get
> an invalid syntax error regarding that statement so I don't understand
> what it wants), what am I doing wrong? Thanks!
You need to do the port forward with natd (the address translation
daemon), not ipfw. If you do what you did, ipfw *will* forward the
packet, but will not translate its destination address. As the ipfw
man page says:
The fwd action does not change the contents of the packet at all.
In particular, the destination address remains unmodified, so
packets forwarded to another system will usually be rejected by
that system unless there is a matching rule on that system to
capture them.
This is not at all what you want; ipfw's only part in this is to have
a divert rule to feed packets through natd for translation, which is
where all the intelligent stuff takes place. To do port forwarding,
you need to add something like:
-redirect_port 10.0.2.7:80 80
to natd's usual stable of options and parameters (with "80" replaced
with whatever port you actually want to forward).
So, how do you do that? I'm not sure it can be done in any reasonably
clean way with Internet Sharing -- it uses totally canned
configurations, no customization (that I've found anyway) allowed. I
actually had to do something like this a few years ago (along with the
additional fun of needing to change the private IP address range), and
wound up giving up on Internet Sharing and just using the underlying
components (ipfw, natd, bootpd to supply DHCP service, and maybe named
for DNS forwarding) "by hand". Naturally, I don't have any of the
resulting scripts handy, but there are some similar bits of code at
<http://www.macosxhints.com/article.php?story=20050331194834746>
(and in the comments).
But if all you need to do is add an argument to natd... you might be
able to do something quicker and dirtier (MUCH dirtier). Try
renaming /usr/sbin/natd to natd.orig, and replace it with a shell
script containing:
#!/bin/sh
# pass through every argument Internet Sharing gives natd, then append the redirect
exec /usr/sbin/natd.orig "$@" -redirect_port 10.0.2.7:80 80
...and then wash your hands thoroughly. Remember to make the script
executable (chmod +x /usr/sbin/natd), and if anything goes wrong, the
secretary will disavow any knowledge of your actions.
-- Gordon Davisson
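The "by hand" approach Gordon describes (an ipfw divert rule feeding natd, with -redirect_port doing the destination rewrite that ipfw's fwd action cannot), as an added example that is not part of the original post or of any Apple or FreeBSD script. It only prints the commands so they can be reviewed before being run as root; the interface name en0, the rule number and the extra natd flags are assumptions, and the protocol keyword after -redirect_port follows the natd man page syntax rather than the shorter form quoted in the post.

```shell
#!/bin/sh
# Added example: assemble the natd command line and ipfw divert rule that
# forward one TCP port from the DMZ'd Mac to a host on the shared network.
# Nothing here is executed; the functions return the commands as text.

# A port must be an integer in 1..65535; returns non-zero otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# natd command line. -interface gives the outbound masquerading Internet
# Sharing normally provides; -redirect_port adds the inbound rewrite of the
# destination address, which a plain ipfw "fwd" rule never does.
# Arguments: external interface, internal host, public port, internal port
# (defaults to the public port). Protocol comes first in -redirect_port.
natd_cmdline() {
    ext_if=$1; int_host=$2; ext_port=$3; int_port=${4:-$3}
    valid_port "$ext_port" && valid_port "$int_port" || return 1
    printf '/usr/sbin/natd -interface %s -same_ports -dynamic -redirect_port tcp %s:%s %s\n' \
        "$ext_if" "$int_host" "$int_port" "$ext_port"
}

# ipfw divert rule: every packet crossing the external interface is handed
# to natd on its divert socket (the "natd" service, port 8668). Without this
# rule natd sees no traffic and -redirect_port has nothing to act on.
ipfw_divert_rule() {
    rule_no=$1; ext_if=$2
    printf '/sbin/ipfw add %s divert natd all from any to any via %s\n' \
        "$rule_no" "$ext_if"
}

# Whole plan: enable forwarding, install the divert rule, start natd.
# Arguments: external interface, internal host, public port, rule number
# (defaults to the 02110 used in the thread).
nat_setup_plan() {
    ext_if=$1; int_host=$2; ext_port=$3; rule_no=${4:-02110}
    printf 'sysctl -w net.inet.ip.forwarding=1\n'
    ipfw_divert_rule "$rule_no" "$ext_if"
    natd_cmdline "$ext_if" "$int_host" "$ext_port"
}

# Constructed sample: en0 as the DMZ-facing interface, 10.0.2.7 as the
# shared-network host from the thread, port 80 forwarded through.
nat_setup_plan en0 10.0.2.7 80
```

The divert rule must sit before any rule that would accept or deny the traffic, and the natd process has to be running before packets hit it, otherwise diverted packets are dropped; that ordering is the usual reason a hand-built setup "does nothing" even though the redirect argument is right.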