Date: 06-12-05 17:11
Remember that natd is bound to your external interface (rl0), and never sees your LAN traffic hitting the internal interface (dc0).
00150 divert 8668 ip from any to any via rl0
sticks only rl0 traffic into the natd divert socket.
Now you might think you would be able to divert incoming port 80 and 22 dc0 traffic destined for the bound external address to the natd divert socket, but that may break your routing. I've never tried this and I am not in a position to try it on my home network right now, but these rules:
divert 8668 tcp from any to publicaddress dst-port 22 in via dc0
divert 8668 udp from any to publicaddress dst-port 22 in via dc0
divert 8668 tcp from any to publicaddress dst-port 80 in via dc0
will force the router to push incoming port 80 and 22 traffic from the internal interface to first go through the natd daemon, which should then perform translation. Only this half of the connection works, though, because the webserver will respond to the router on a port that will not divert back to natd. Basically the setup you are attempting to achieve is too complicated to be easily done without fragmenting the network.
I would suggest that you create an alias for dc0 that exists on a separate logical network, say 10.10.1.1/24. This network is your "DMZ" that you can stick all of your servers in that the public system should use for forwarding services.
ifconfig dc0 alias inet 10.10.1.1/24 10.10.1.0
Re-address the webserver to bind to the address 10.10.1.80/24 and use 10.10.1.1 as its gateway, and change your current natd configuration to redirect ports 80 and 22 to this new address.
Next, create another configuration file for natd with the following options:
redirect_port udp 10.10.1.80:80 80
redirect_port tcp 10.10.1.80:80 80
redirect_port tcp 10.10.1.80:22 22
This will be your internal network's natd configuration. Run a separate instance of natd sourcing this configuration (-f option). Add these rules to ipfw:
divert 8669 tcp from any to publicaddress in via dc0 dst-port 80
divert 8669 tcp from any to publicaddress in via dc0 dst-port 22
divert 8669 udp from any to publicaddress in via dc0 dst-port 22
This may require tweaking, but it should force your LAN traffic to port 80 and 22 on the router to be translated seamlessly to the web server and replies translated back to the correct addresses.
Now I'm a seasoned net vet, but I may have made mistakes in my theory here. It's highly possible I've made some oversights.
Post Edited (06-12-05 10:59)
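As an added illustration, not part of the original post, the following Python model parses the divert rules quoted above and applies ipfw's first-match semantics to constructed packets, showing why natd bound to rl0 never sees the LAN request and why the webserver's reply does not hit the dc0 divert rules. The addresses (a documentation-range stand-in for "publicaddress", LAN hosts on dc0) and the simplified matcher, which handles only the rule options the post uses, are assumptions; nothing here is output of a real ipfw.

```python
from collections import namedtuple
# Constructed addresses standing in for the post's "publicaddress" and LAN hosts.
PUBLIC = "203.0.113.5"                                # address bound to rl0
CLIENT, WEBSERVER = "192.168.1.20", "192.168.1.80"    # LAN client and server on dc0
# direction is "in"/"out" relative to the router; iface is the interface crossed.
Packet = namedtuple("Packet", "proto src dst dport direction iface")

def parse_rule(text):
    """Parse: [num] divert PORT PROTO from SRC to DST [dst-port N] [in|out] [via IFACE]"""
    tok = text.split()
    if tok[0].isdigit():                    # optional rule number, e.g. 00150
        tok = tok[1:]
    if tok[0] != "divert" or tok[3] != "from" or tok[5] != "to":
        raise ValueError(f"unsupported rule: {text}")
    rule = {"port": int(tok[1]), "proto": tok[2], "src": tok[4], "dst": tok[6],
            "dport": None, "dir": None, "via": None}
    i = 7
    while i < len(tok):
        if tok[i] == "dst-port":
            rule["dport"], i = int(tok[i + 1]), i + 2
        elif tok[i] in ("in", "out"):
            rule["dir"], i = tok[i], i + 1
        elif tok[i] == "via":
            rule["via"], i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in: {text}")
    return rule

def matches(rule, pkt):
    """True when every option present in the rule agrees with the packet."""
    return (rule["proto"] in ("ip", pkt.proto) and rule["src"] in ("any", pkt.src)
            and rule["dst"] in ("any", pkt.dst) and rule["dport"] in (None, pkt.dport)
            and rule["dir"] in (None, pkt.direction) and rule["via"] in (None, pkt.iface))

def divert_socket(rules, pkt):
    """ipfw is first-match: return the divert port of the first rule hit, else None."""
    for rule in map(parse_rule, rules):
        if matches(rule, pkt):
            return rule["port"]
    return None

# Rule set 1 is the post's rule 00150 alone; rule set 2 adds the post's three dc0 rules.
RULES_RL0 = ["00150 divert 8668 ip from any to any via rl0"]
RULES_RL0_DC0 = RULES_RL0 + [f"divert 8668 tcp from any to {PUBLIC} dst-port 22 in via dc0",
                             f"divert 8668 udp from any to {PUBLIC} dst-port 22 in via dc0",
                             f"divert 8668 tcp from any to {PUBLIC} dst-port 80 in via dc0"]
# Constructed packets: Internet client, LAN client, and the webserver's reply to the latter.
INTERNET_REQUEST = Packet("tcp", "198.51.100.9", PUBLIC, 80, "in", "rl0")
LAN_REQUEST = Packet("tcp", CLIENT, PUBLIC, 80, "in", "dc0")
WEBSERVER_REPLY = Packet("tcp", WEBSERVER, CLIENT, 41000, "in", "dc0")
```

With only rule 00150 the LAN request is never diverted; with the dc0 rules it reaches natd, but the reply from the webserver matches nothing and so never returns through natd.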