ipfw port forwarding

Dan Shoop shoop at iwiring.net
Tue Dec 11 09:24:03 PST 2007


On Dec 10, 2007, at 8:53 PM, John Musbach wrote:

> On Dec 10, 2007 11:50 AM, Dan Shoop <shoop at iwiring.net> wrote:
>> What are your NIC's in question?
>
> The mac which needs to share the internet connection is connected to
> the internet via ethernet (en0), I'm trying to get it to share the
> internet connection over and forward packets through the airport
> networking device (en1)
>
>> Have a bit of a diagram to share w
>> subnets?
>
> DSL Modem
> |
> |
> |
> Router---> Mac server in dmz--share dmz'd internet connection via
> airport---------v(*)
> ----> AirPort Express --> AirPort Extreme --> other computers in house
> connect here wirelessly for non dmz internet access, Other
> Mac-----------------------------------^(*)

Thanks, this is quite a bit clearer.

So this "router" is really a NAT box?

Why not replace it with a real router rather than one of these so-called routers you get free with your breakfast cereal?

>> What's sysctl saying?
>
> kern.ostype = Darwin
> kern.osrelease = 9.1.0
> net.local.stream.pcblist: Format:S,xunpcb Length:56136
> Dump:0x180000007600000024b5020000000000...
> net.local.stream.recvspace: 8192
> net.local.stream.sendspace: 8192
> net.local.dgram.pcblist: Format:S,xunpcb Length:24672
> Dump:0x180000007600000024b5020000000000...
> net.local.dgram.recvspace: 4096
> net.local.dgram.maxdgram: 2048
> net.local.inflight: 0
> net.inet.ip.portrange.hilast: 65535
> net.inet.ip.portrange.hifirst: 49152
> net.inet.ip.portrange.last: 65535
> net.inet.ip.portrange.first: 49152
> net.inet.ip.portrange.lowlast: 600
> net.inet.ip.portrange.lowfirst: 1023
> net.inet.ip.forwarding: 0
> net.inet.ip.redirect: 1
> net.inet.ip.ttl: 64
> net.inet.ip.rtexpire: 10
> net.inet.ip.rtminexpire: 10
> net.inet.ip.rtmaxcache: 128
> net.inet.ip.sourceroute: 0
> net.inet.ip.intr_queue_maxlen: 50
> net.inet.ip.intr_queue_drops: 0
> net.inet.ip.stats: Format:S,ipstat Length:116
> Dump:0x2fa79600000000000000000000000000...
> net.inet.ip.accept_sourceroute: 0
> net.inet.ip.fastforwarding: 0
> net.inet.ip.keepfaith: 0
> net.inet.ip.gifttl: 30
> net.inet.ip.subnets_are_local: 0
> net.inet.ip.use_route_genid: 1
> net.inet.ip.check_route_selfref: 1
> net.inet.ip.dummynet.debug: 0
> net.inet.ip.dummynet.red_max_pkt_size: 1500
> net.inet.ip.dummynet.red_avg_pkt_size: 512
> net.inet.ip.dummynet.red_lookup_depth: 256
> net.inet.ip.dummynet.max_chain_len: 16
> net.inet.ip.dummynet.expire: 1
> net.inet.ip.dummynet.search_steps: 0
> net.inet.ip.dummynet.searches: 0
> net.inet.ip.dummynet.extract_heap: 0
> net.inet.ip.dummynet.ready_heap: 0
> net.inet.ip.dummynet.curr_time: 0
> net.inet.ip.dummynet.hash_size: 64
> net.inet.ip.fw.dyn_keepalive: 1
> net.inet.ip.fw.dyn_short_lifetime: 5
> net.inet.ip.fw.dyn_udp_lifetime: 10
> net.inet.ip.fw.dyn_rst_lifetime: 1
> net.inet.ip.fw.dyn_fin_lifetime: 1
> net.inet.ip.fw.dyn_syn_lifetime: 20
> net.inet.ip.fw.dyn_ack_lifetime: 300
> net.inet.ip.fw.static_count: 2
> net.inet.ip.fw.dyn_max: 4096
> net.inet.ip.fw.dyn_count: 0
> net.inet.ip.fw.curr_dyn_buckets: 256
> net.inet.ip.fw.dyn_buckets: 256
> net.inet.ip.fw.verbose_limit: 0
> net.inet.ip.fw.verbose: 2
> net.inet.ip.fw.debug: 0
> net.inet.ip.fw.one_pass: 0
> net.inet.ip.fw.autoinc_step: 100
> net.inet.ip.fw.enable: 1
> net.inet.ip.random_id: 1
> net.inet.ip.linklocal.in.allowbadttl: 1
> net.inet.ip.linklocal.stat: Format:S,ip_linklocal_stat Length:16
> Dump:0xae010000000000007a4a0000654a0000...
> net.inet.ip.check_interface: 0
> net.inet.ip.maxfrags: 2048
> net.inet.ip.maxfragsperpacket: 128
> net.inet.ip.maxfragpackets: 1024
> net.inet.ip.maxchainsent: 0
> net.inet.icmp.maskrepl: 0
> net.inet.icmp.stats: Format:S,icmpstat Length:192
> Dump:0x5d000000000000000000000000000000...
> net.inet.icmp.icmplim: 250
> net.inet.icmp.timestamp: 0
> net.inet.icmp.bmcastecho: 1
> net.inet.icmp.log_redirect: 0
> net.inet.icmp.drop_redirect: 0
> net.inet.igmp.stats: Format:S,igmpstat Length:36
> Dump:0x6f190000000000000000000000000000...
> net.inet.tcp.rfc1323: 1
> net.inet.tcp.rfc1644: 0
> net.inet.tcp.mssdflt: 512
> net.inet.tcp.stats: Format:S,tcpstat Length:352
> Dump:0x9acb01001b0000003eca010086050000...
> net.inet.tcp.keepidle: 7200000
> net.inet.tcp.keepintvl: 75000
> net.inet.tcp.sendspace: 65536
> net.inet.tcp.recvspace: 65536
> net.inet.tcp.keepinit: 75000
> net.inet.tcp.pcblist: Format:S,xtcpcb Length:3716
> Dump:0x1800000007000000ede98a0000000000...
> net.inet.tcp.v6mssdflt: 1024
> net.inet.tcp.rexmt_thresh: 2
> net.inet.tcp.rfc3465: 1
> net.inet.tcp.maxseg_unacked: 8
> net.inet.tcp.slowlink_wsize: 8192
> net.inet.tcp.reass.overflows: 0
> net.inet.tcp.reass.cursegments: 0
> net.inet.tcp.reass.maxsegments: 2048
> net.inet.tcp.drop_synfin: 1
> net.inet.tcp.tcp_lq_overflow: 1
> net.inet.tcp.delayed_ack: 3
> net.inet.tcp.blackhole: 2
> net.inet.tcp.log_in_vain: 3
> net.inet.tcp.socket_unlocked_on_output: 1
> net.inet.tcp.packetchain: 50
> net.inet.tcp.ecn_negotiate_in: 0
> net.inet.tcp.ecn_initiate_out: 0
> net.inet.tcp.newreno: 0
> net.inet.tcp.local_slowstart_flightsize: 8
> net.inet.tcp.slowstart_flightsize: 1
> net.inet.tcp.path_mtu_discovery: 1
> net.inet.tcp.sack_globalholes: 0
> net.inet.tcp.sack_globalmaxholes: 65536
> net.inet.tcp.sack_maxholes: 128
> net.inet.tcp.sack: 1
> net.inet.tcp.rtt_min: 1
> net.inet.tcp.background_io_enabled: 1
> net.inet.tcp.isn_reseed_interval: 0
> net.inet.tcp.strict_rfc1948: 0
> net.inet.tcp.icmp_may_rst: 1
> net.inet.tcp.pcbcount: 7
> net.inet.tcp.do_tcpdrain: 0
> net.inet.tcp.tcbhashsize: 4096
> net.inet.tcp.minmssoverload: 0
> net.inet.tcp.minmss: 216
> net.inet.tcp.always_keepalive: 0
> net.inet.tcp.msl: 15000
> net.inet.tcp.background_io_trigger: 5
> net.inet.tcp.sockthreshold: 64
> net.inet.tcp.out_sw_cksum_bytes: 0
> net.inet.tcp.out_sw_cksum: 0
> net.inet.tcp.in_sw_cksum_bytes: 5401453
> net.inet.tcp.in_sw_cksum: 132709
> net.inet.tcp.win_scale_factor: 3
> net.inet.udp.checksum: 1
> net.inet.udp.stats: Format:S,udpstat Length:44
> Dump:0x342e0300000000000000000000000000...
> net.inet.udp.maxdgram: 9216
> net.inet.udp.recvspace: 42080
> net.inet.udp.pcblist: Format:S,xinpcb Length:5488
> Dump:0x1800000011000000b2bf3a0000000000...
> net.inet.udp.pcbcount: 17
> net.inet.udp.blackhole: 1
> net.inet.udp.log_in_vain: 3
> net.inet.udp.out_sw_cksum_bytes: 37556
> net.inet.udp.out_sw_cksum: 211
> net.inet.udp.in_sw_cksum_bytes: 34128
> net.inet.udp.in_sw_cksum: 183
> net.inet.ipsec.stats: Format:S,ipsecstat Length:12432
> Dump:0x00000000000000000000000000000000...
> net.inet.ipsec.def_policy: 1
> net.inet.ipsec.esp_trans_deflev: 1
> net.inet.ipsec.esp_net_deflev: 1
> net.inet.ipsec.ah_trans_deflev: 1
> net.inet.ipsec.ah_net_deflev: 1
> net.inet.ipsec.ah_cleartos: 1
> net.inet.ipsec.ah_offsetmask: 0
> net.inet.ipsec.dfbit: 0
> net.inet.ipsec.ecn: 0
> net.inet.ipsec.debug: 0
> net.inet.ipsec.esp_randpad: -1
> net.inet.ipsec.esp_port: 0
> net.inet.ipsec.bypass: 1
> net.inet.raw.pcblist: Format:S,xinpcb Length:1008
> Dump:0x18000000030000008900000000000000...
> net.inet.raw.recvspace: 8192
> net.inet.raw.maxdgram: 8192
> net.appletalk.ddpstats: Format:S,at_ddp_stats Length:52
> Dump:0x00000000000000000000000000000000...
> net.appletalk.routermix: 2000
> net.appletalk.debug: Format:S,dbgBits Length:8 Dump:0x0000000000000000
> net.link.generic.system.ifcount: 8
> net.link.generic.system.dlil_input_sanity_check: 0
> net.link.generic.system.multi_threaded_input: 1
> net.link.ether.inet.send_conflicting_probes: 1
> net.link.ether.inet.keep_announcements: 1
> net.link.ether.inet.log_arp_warnings: 0
> net.link.ether.inet.sendllconflict: 0
> net.link.ether.inet.proxyall: 0
> net.link.ether.inet.useloopback: 1
> net.link.ether.inet.maxtries: 5
> net.link.ether.inet.apple_hwcksum_rx: 1
> net.link.ether.inet.apple_hwcksum_tx: 1
> net.link.ether.inet.host_down_time: 20
> net.link.ether.inet.max_age: 1200
> net.link.ether.inet.prune_intvl: 300
> net.key.debug: 0
> net.key.spi_trycnt: 1000
> net.key.spi_minval: 256
> net.key.spi_maxval: 268435455
> net.key.int_random: 60
> net.key.larval_lifetime: 30
> net.key.blockacq_count: 10
> net.key.blockacq_lifetime: 20
> net.key.esp_keymin: 256
> net.key.esp_auth: 0
> net.key.ah_keymin: 128
> net.key.prefered_oldsa: 0
> net.key.natt_keepalive_interval: 20
> net.key.pfkeystat: Format:S,pfkeystat Length:4240
> Dump:0x00000000000000000000000000000000...
> net.inet6.ip6.forwarding: 0
> net.inet6.ip6.redirect: 1
> net.inet6.ip6.hlim: 64
> net.inet6.ip6.stats: Format:S,ip6stat Length:3200
> Dump:0x34130000000000000000000000000000...
> net.inet6.ip6.maxfragpackets: 1024
> net.inet6.ip6.accept_rtadv: 0
> net.inet6.ip6.keepfaith: 0
> net.inet6.ip6.log_interval: 5
> net.inet6.ip6.hdrnestlimit: 50
> net.inet6.ip6.dad_count: 1
> net.inet6.ip6.auto_flowlabel: 1
> net.inet6.ip6.defmcasthlim: 1
> net.inet6.ip6.gifhlim: 0
> net.inet6.ip6.kame_version: 20010528/apple-darwin
> net.inet6.ip6.use_deprecated: 1
> net.inet6.ip6.rr_prune: 5
> net.inet6.ip6.v6only: 0
> net.inet6.ip6.rtexpire: 3600
> net.inet6.ip6.rtminexpire: 10
> net.inet6.ip6.rtmaxcache: 128
> net.inet6.ip6.use_tempaddr: 0
> net.inet6.ip6.temppltime: 86400
> net.inet6.ip6.tempvltime: 604800
> net.inet6.ip6.auto_linklocal: 1
> net.inet6.ip6.rip6stats: Format:S,rip6stat Length:56
> Dump:0x00000000000000000000000000000000...
> net.inet6.ip6.maxfrags: 8192
> net.inet6.ip6.fw.verbose_limit: 0
> net.inet6.ip6.fw.verbose: 0
> net.inet6.ip6.fw.debug: 0
> net.inet6.ip6.fw.enable: 1
> net.inet6.ip6.mrt6stat: Format:S,mrt6stat Length:104
> Dump:0x00000000000000000000000000000000...
> net.inet6.ipsec6.stats: Format:S,ipsecstat Length:12432
> Dump:0x00000000000000000000000000000000...
> net.inet6.ipsec6.def_policy: 1
> net.inet6.ipsec6.esp_trans_deflev: 1
> net.inet6.ipsec6.esp_net_deflev: 1
> net.inet6.ipsec6.ah_trans_deflev: 1
> net.inet6.ipsec6.ah_net_deflev: 1
> net.inet6.ipsec6.ecn: 0
> net.inet6.ipsec6.debug: 0
> net.inet6.ipsec6.esp_randpad: -1
> net.inet6.icmp6.stats: Format:S,icmp6stat Length:4328
> Dump:0x00000000000000000000000000000000...
> net.inet6.icmp6.rediraccept: 1
> net.inet6.icmp6.redirtimeout: 600
> net.inet6.icmp6.nd6_prune: 1
> net.inet6.icmp6.nd6_delay: 5
> net.inet6.icmp6.nd6_umaxtries: 3
> net.inet6.icmp6.nd6_mmaxtries: 3
> net.inet6.icmp6.nd6_useloopback: 1
> net.inet6.icmp6.nodeinfo: 3
> net.inet6.icmp6.errppslimit: 100
> net.inet6.icmp6.nd6_maxnudhint: 0
> net.inet6.icmp6.nd6_debug: 0
> net.inet6.icmp6.nd6_prlist: Format:S,in6_defrouter Length:280
> Dump:0x1c1e000000000000fe80000000000000...
> net.pstimeout: 20 20
> net.athaggrqmin: 1 1
> net.athaggrfmax: 28 28
> net.athbgscan: 1 1
> net.athCCAThreshold: 91 91
> net.athpowermode: 0 1
> net.athvendorie: 1 1
> net.athdupie: 1 1
> net.athaddbaignore: 0 0
> net.athppmupdate: 1 1
> net.athforceBias: 2 2
> net.athbadrxdesc: 0 0
> net.athbadrxbuf: 0 0
> net.athforcebadrx: 0 0
Note that forwarding is not on.

>> What's the routing table like (on the
>> various machines)?
> mac to receive shared connection....
> route -v get google.com
>

That wasn't the routing tables.

>> It also sounds like you're not using a real router but a NAT box,
>> which may make this very difficult to impossible depending on that.
>> What is it?
>
> It's a linksys home router


Buy a real router. Honestly. The topography you're trying to establish here is horrid. There are so many points of failure that even if you do get this working it won't be for long. On top of that it's a loss, since you're NAT'ing NAT, which is abominable. Not only this, but the thing they've sold you as a router is really a NAT box, and its "DMZ" really isn't: it's still NAT'ed and just gets exposed to packets not already being passed through stateful connections that are already established.

If this were a real router and you had a real one-to-one NAT to do this, you'd need to be running NAT as well as ipfw on the "DMZ Mac". But if you had a real router you'd either just create a NAT on the DMZ, or more properly multiple one-to-one NATs (which is still almost a false DMZ), or more properly still you'd expose the IP addresses directly for a better designed and true DMZ segment.

-dhan

------------------------------------------------------------------------
Dan Shoop
Computer Scientist
iWiring / U.S. Technical Services

shoop at iwiring.net
AOL IM .................... iWiring
Nextel .................... 1-714-363-1174
Operations TOC (24/7) ..... 1-866-901-USTS
USTS Offices .............. 1-714-374-6300

For immediate response for urgent matters please speak to the Duty Officer at the USTS Tactical Operations Center (above) who can reach me by radio.
