Simon Žekar – unix, communications, stupidities

FreeBSD massive port forwarding

Portfwd was the choice of software when I ever needed to forward a port from the server to another server – multiple hops away (not NAT port mapping).

It uses configuration like this (193.2.1.66 is the local ip, 193.2.1.80 is destination server IP):

bind-address 193.2.1.66 tcp { 55443 { => 193.2.1.80:443 } } tcp { 55022 { => 193.2.1.80:22 } }

But it fails doing its job right when you use this on a really busy port/service (500 or more simultaneous established TCP connections).

pf does the forwarding well even over 1000 TCP connections. Example:

rdr on em0 proto tcp from any to 193.2.1.66 port 55443 -> 193.2.1.80 port 443 rdr on em0 proto tcp from any to 193.2.1.66 port 55022 -> 193.2.1.80 port 22 nat on em0 from any to 193.2.1.80 -> 193.2.1.66

– the em0 is the name of the outside interface. Without the nat rule, destination server would see a packet with source ip of the client so it would send a packet back directly to the client which causes asymmetric routing and very possible problems. The nat rule changes the source IP to the port forwarders one.

Happy forwarding,
S.

RSS Feed. This blog is proudly powered by Wordpress and uses Modern Clix, a theme by Rodrigo Galindez.

Simon Žekar – unix, communications, stupidities

"Unix is simple, but it takes a genious to understand the simplicity" --Dennis Ritchie

Archived entries for pf

FreeBSD massive port forwarding

Search

Blogroll

Simon Žekar – unix, communications, stupidities

"Unix is simple, but it takes a genious to understand the simplicity" --Dennis Ritchie

Archived entries for pf

FreeBSD massive port forwarding

Search

Blogroll

Tags