natd -redirect_port question
I have natd set up on a 4.10 box to get the rest of my network on the internet. I have an application that requires connections to be able to be established on a specific port. The problem is, sometimes I run this app on system A and sometimes on system B. The port stays the same. So in my rc.conf I have included in natd_flags

    -redirect_port tcp systemA:port port

Currently, if I want to use the app on system B, I'm having to reboot the natd box. Obviously this seems silly, however, I've found that trying to reset this information using a command line like:

    natd -n dc0 -redirect_port systemB:port port

results in an error stating redirect can't bind to that port, because it's already in use.

I'm convinced I'm overlooking an easy way to change this redirect on the fly without having to reboot the natd box. Anyone care to point me in the right direction? Thanks in advance.
Re: natd -redirect_port question
> I have natd set up on a 4.10 box to get the rest of my network on the internet. I have an application that requires connections to be able to be established on a specific port. The problem is, sometimes I run this app on system A and sometimes on system B. The port stays the same. So in my rc.conf I have included in natd_flags
>
>     -redirect_port tcp systemA:port port
>
> Currently, if I want to use the app on system B, I'm having to reboot the natd box. Obviously this seems silly, however, I've found that trying to reset this information using a command line like:
>
>     natd -n dc0 -redirect_port systemB:port port
>
> results in an error stating redirect can't bind to that port, because it's already in use.
>
> I'm convinced I'm overlooking an easy way to change this redirect on the fly without having to reboot the natd box. Anyone care to point me in the right direction? Thanks in advance.

If you already have natd running, then you need to stop it first before starting it up again.

--
Matt Emmerton
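Following the advice above, the redirect can be switched without a reboot by stopping the running natd and starting a new one. The script below is an added example, not part of the thread; it assumes the redirect has been moved out of natd_flags into a config file read with -f, that natd uses its default pid file, and that dc0 is the external interface as in the question. The port and addresses in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Paths and interface are assumptions
# and can be overridden from the environment.
NATD_CONF="${NATD_CONF:-/etc/natd.conf}"
NATD_PID="${NATD_PID:-/var/run/natd.pid}"
NATD_IF="${NATD_IF:-dc0}"

# retarget_redirect CONF PROTO PORT NEWHOST
# Point the redirect for public PORT at NEWHOST and keep every other line.
# Returns 1 (and leaves CONF untouched) when no matching redirect_port line
# exists, so a typo never silently keeps the old target in place.
retarget_redirect() {
    conf=$1; proto=$2; port=$3; newhost=$4
    tmp="$conf.new.$$"
    awk -v proto="$proto" -v port="$port" -v host="$newhost" '
        $1 == "redirect_port" && $2 == proto && $4 == port {
            split($3, t, ":")          # t[1] = old host, t[2] = target port
            $3 = host ":" t[2]
            changed = 1
        }
        { print }
        END { exit(changed ? 0 : 1) }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$conf"
}

# restart_natd
# Stop the running natd and wait until it is gone before starting a new one;
# a second natd started while the first is still running cannot bind.
restart_natd() {
    if [ -r "$NATD_PID" ]; then
        pid=$(cat "$NATD_PID")
        kill "$pid"
        while kill -0 "$pid" 2>/dev/null; do sleep 1; done
    fi
    natd -n "$NATD_IF" -f "$NATD_CONF"
}

# Usage on the gateway, as root (constructed port and address):
#   retarget_redirect "$NATD_CONF" tcp 5000 192.168.1.20 && restart_natd
```

While natd is stopped, packets that hit the ipfw divert rule have no listener and are dropped, so NATed traffic is interrupted for the moment the restart takes.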
Re: natd -redirect_port
On Saturday 15 May 2004 18:56, JJB wrote:
> You are wrong also. The boot time message that displays about the ipfw module being loaded is incorrect. I filed a PR on that in 5.1 and was told by developers that message is misleading, that the module is fully enabled with nat and logging, so I tested and indeed nat and logging is really in the loadable module. It's my understanding the boot time message that displays about the ipfw module being loaded that says everything is disabled will be corrected in 5.3. What is in the 5.2.1 ipfw module I do not know. My advice is to test the ipfw module before adding ipfw option statements to the kernel. That's why the 5.x versions are development versions, things change all the time until they get corrected before becoming stable releases. This is all new because ipfw2 replaced ipfw at the 5.1 version I believe.
>
> Just think about it, why have a loadable module if all the options are turned off, it makes the module useless. Ipfilter's loadable module is full function with nat and logging, why should the ipfw module be any different? It's just that stupid message that has been misleading users all this time just like it did to me. If nat and logging is missing from the ipfw loadable module in 5.2.1 then submit another PR to remind them it needs to be corrected. Nat and logging are the most used options of ipfw, it's just plain stupid not to have them included in the standard module.

If a user wants ipfw to issue the correct initial divert message, it's still required to compile ipfw into the kernel. This means 'option IPFIREWALL' is required as stated in the natd manual. Actually on 5.2-current the ipfw module doesn't know if the kernel has been compiled with ipdivert proto. This causes the wrong 'divert disabled' initial message. I will file a PR on the wrong initial divert message issue tomorrow.

If the ipdivert proto capability could be retrieved via divcb sysctl or any other mechanism, it might become possible that the ipfw kld could issue the correct divert message. Disabling of the divert message in case the ipfw has been compiled as kld could be a simpler solution.

--
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
RE: natd -redirect_port
Now wouldn't it just be better all the way around to create the IPFW loadable module that is distributed with the system, with the correct divert and logging options so it's not a mandatory requirement to compile the kernel. Why make this so difficult for the normal user? Simpler and easier is always better than more complicated.

Look at it this way, a firewall without logging is useless, and the majority of people who use IPFW have a lan behind their IPFW firewall, so the sensible thing to do is distribute the IPFW loadable module configured in a manner to address the needs of the largest user group. As it's distributed now the loadable module is almost completely useless so why even have one?

My personal opinion is the IPFW loadable module is not configured correctly and needs to be corrected.

-----Original Message-----
From: Christian Hiris [mailto:[EMAIL PROTECTED]
Sent: Monday, May 17, 2004 8:32 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Micheal Patterson; Anthony Philipp
Subject: Re: natd -redirect_port

> If a user wants ipfw to issue the correct initial divert message, it's still required to compile ipfw into the kernel. This means 'option IPFIREWALL' is required as stated in the natd manual. Actually on 5.2-current the ipfw module doesn't know if the kernel has been compiled with ipdivert proto. This causes the wrong 'divert disabled' initial message. I will file a PR on the wrong initial divert message issue tomorrow.
>
> If the ipdivert proto capability could be retrieved via divcb sysctl or any other mechanism, it might become possible that the ipfw kld could issue the correct divert message. Disabling of the divert message in case the ipfw has been compiled as kld could be a simpler solution.
Re: natd -redirect_port
On Saturday 15 May 2004 07:49, Anthony Philipp wrote:
> hello,
>
> i am trying to redirect various ports through my gateway, a freebsd machine, to other machines. when i type:
>
>     natd -interface rl0 -redirect_port tcp 10.10.10.4:25 25
>
> to redirect port 25 to 10.10.10.4 on port 25 it tells me
>
>     natd: Unable to create divert socket.: Protocol not supported
>
> rl0 is the external ethernet card. if i don't use -interface, it says that the aliasing address is not given. any help is appreciated. i am running freebsd 5.2-release
>
> anthony

Natd requires 'options IPFIREWALL' and 'options IPDIVERT' in your kernel config. Refer to section RUNNING NATD in the natd(8) manual for some more info.

regards
ch

--
Christian Hiris [EMAIL PROTECTED] | OpenPGP KeyID 0x941B6B0B
OpenPGP-Key at hkp://wwwkeys.eu.pgp.net and http://pgp.mit.edu
RE: natd -redirect_port
You are wrong, you do not have to compile ipfirewall kernel options into the kernel. IPFW is delivered as a bootable module.

You need this in rc.conf to enable ipfw, it will auto load the bootable module.

    # Required For IPFW kernel firewall support
    firewall_enable="YES"                 # Start daemon
    firewall_script="/etc/ipfw.rules"     # run my custom rules
    firewall_logging="YES"                # Enable events logging
    natd_enable="YES"                     # Enable IPFW nat function
    natd_interface="rl0"
    natd_flags="-dynamic -m -u -f /etc/natd.conf"

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Christian Hiris
Sent: Saturday, May 15, 2004 3:06 AM
To: [EMAIL PROTECTED]
Cc: Anthony Philipp
Subject: Re: natd -redirect_port

> Natd requires 'options IPFIREWALL' and 'options IPDIVERT' in your kernel config. Refer to section RUNNING NATD in the natd(8) manual for some more info.
>
> regards
> ch
Re: natd -redirect_port
----- Original Message -----
From: JJB [EMAIL PROTECTED]
To: Christian Hiris [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: Anthony Philipp [EMAIL PROTECTED]
Sent: Saturday, May 15, 2004 8:05 AM
Subject: RE: natd -redirect_port

> You are wrong, you do not have to compile ipfirewall kernel options into the kernel. IPFW is delivered as a bootable module.
>
> You need this in rc.conf to enable ipfw, it will auto load the bootable module.
>
>     # Required For IPFW kernel firewall support
>     firewall_enable="YES"                 # Start daemon
>     firewall_script="/etc/ipfw.rules"     # run my custom rules
>     firewall_logging="YES"                # Enable events logging
>     natd_enable="YES"                     # Enable IPFW nat function
>     natd_interface="rl0"
>     natd_flags="-dynamic -m -u -f /etc/natd.conf"

You're right, you don't have to recompile to use ipfw, however, since there is no divert module, the kernel will still need to be recompiled to enable divert. In order for the OP to do what they're wanting to do they will still need to recompile kernel and restart the system.

--
Micheal Patterson
TSG Network Administration
405-917-0600
RE: natd -redirect_port
You are wrong also. The boot time message that displays about the ipfw module being loaded is incorrect. I filed a PR on that in 5.1 and was told by developers that message is misleading, that the module is fully enabled with nat and logging, so I tested and indeed nat and logging is really in the loadable module. It's my understanding the boot time message that displays about the ipfw module being loaded that says everything is disabled will be corrected in 5.3. What is in the 5.2.1 ipfw module I do not know. My advice is to test the ipfw module before adding ipfw option statements to the kernel. That's why the 5.x versions are development versions, things change all the time until they get corrected before becoming stable releases. This is all new because ipfw2 replaced ipfw at the 5.1 version I believe.

Just think about it, why have a loadable module if all the options are turned off, it makes the module useless. Ipfilter's loadable module is full function with nat and logging, why should the ipfw module be any different? It's just that stupid message that has been misleading users all this time just like it did to me. If nat and logging is missing from the ipfw loadable module in 5.2.1 then submit another PR to remind them it needs to be corrected. Nat and logging are the most used options of ipfw, it's just plain stupid not to have them included in the standard module.

-----Original Message-----
From: Micheal Patterson [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 15, 2004 11:38 AM
To: [EMAIL PROTECTED]; Christian Hiris; [EMAIL PROTECTED]
Cc: Anthony Philipp
Subject: Re: natd -redirect_port

> You're right, you don't have to recompile to use ipfw, however, since there is no divert module, the kernel will still need to be recompiled to enable divert. In order for the OP to do what they're wanting to do they will still need to recompile kernel and restart the system.
>
> --
> Micheal Patterson
> TSG Network Administration
natd -redirect_port
hello,

i am trying to redirect various ports through my gateway, a freebsd machine, to other machines. when i type:

    natd -interface rl0 -redirect_port tcp 10.10.10.4:25 25

to redirect port 25 to 10.10.10.4 on port 25 it tells me

    natd: Unable to create divert socket.: Protocol not supported

rl0 is the external ethernet card. if i don't use -interface, it says that the aliasing address is not given. any help is appreciated. i am running freebsd 5.2-release

anthony
redirect_port
Hi there,

Using nat on my gateway to forward traffic on many ports to the same internal machine, what is the correct syntax?

    redirect_port x.x.x.x zz zz
    redirect_port x.x.x.x yy yy
    redirect_port x x x x nn nn

or

    redirect_port x.x.x.x zz,yy,nn zz,yy,nn

or with some other separator or what?

Thanks - this is driving me up the wall, the only way I can find is to redirect a whole range,

    redirect_port xx-nn xx-nn

but some of the ports in the range are insecure so that means I have to secure the internal machine which kind of defeats the object of having a firewall on my external machine in the first place.

Thanks again

Matthew Ryan
[EMAIL PROTECTED]

Matt Ryan
Director, Loose Connection Ltd
[EMAIL PROTECTED]
http://looseconnection.com
Office/Fax 07092 013375
Mobile 07977 237476
Wireless Networking
Internet Services
Re: redirect_port
Hi,

    /sbin/natd -redirect_port tcp x.x.x.x:z z -redirect_port tcp x.x.x.x:y y -n rl0

Regards
SSR

From: Matthew Ryan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: redirect_port
Date: Fri, 25 Jul 2003 02:12:45 +0100

> Hi there,
>
> Using nat on my gateway to forward traffic on many ports to the same internal machine, what is the correct syntax?
>
>     redirect_port x.x.x.x zz zz
>     redirect_port x.x.x.x yy yy
>     redirect_port x x x x nn nn
>
> or
>
>     redirect_port x.x.x.x zz,yy,nn zz,yy,nn
>
> or with some other separator or what?
>
> Thanks - this is driving me up the wall, the only way I can find is to redirect a whole range,
>
>     redirect_port xx-nn xx-nn
>
> but some of the ports in the range are insecure so that means I have to secure the internal machine which kind of defeats the object of having a firewall on my external machine in the first place.
>
> Thanks again
>
> Matthew Ryan
> [EMAIL PROTECTED]
re: redirect_port
Derrick Ryalls [EMAIL PROTECTED] wrote:
> > Hi there,
> >
> > Using nat on my gateway to forward traffic on many ports to the same internal machine, what is the correct syntax?
> >
> >     redirect_port x.x.x.x zz zz
> >     redirect_port x.x.x.x yy yy
> >     redirect_port x x x x nn nn
>
> Copied from my natd.conf
>
>     redirect_port tcp 192.168.0.20:22 5520
>     redirect_port udp 192.168.0.20:22 5520
>
> The 5520 is the outside port number

This could be the solution I was seeking...

If I have opened, say, port 5 for incoming ftp traffic, would it be as simple as:

    redirect_port tcp 192.168.0.20:21 5
    redirect_port udp 192.168.0.20:21 5

If so, what do I do to allow outgoing ftp traffic/packets?

Thanks!
~John
RE: redirect_port
> Hi there,
>
> Using nat on my gateway to forward traffic on many ports to the same internal machine, what is the correct syntax?
>
>     redirect_port x.x.x.x zz zz
>     redirect_port x.x.x.x yy yy
>     redirect_port x x x x nn nn

Copied from my natd.conf

    redirect_port tcp 192.168.0.20:22 5520
    redirect_port udp 192.168.0.20:22 5520

The 5520 is the outside port number
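Both answers in this thread come down to one redirect_port entry per port instead of a range. The script below is an added example, not part of the thread: it lists every public port a natd.conf actually opens, expanding ranges, and reports any that are not on an allow list. It assumes the natd(8) entry form `redirect_port proto targetIP:targetPORT[-targetPORT] [aliasIP:]aliasPORT[-aliasPORT]`; the sample addresses and ports are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.

# exposed_ports CONF
# Print one line per public port opened by redirect_port entries:
#   proto public_port target_host:target_port
# Ranges (lo-hi) are expanded so every exposed port is visible.
exposed_ports() {
    awk '
        $1 != "redirect_port" || NF < 4 { next }
        {
            proto = $2
            split($3, tgt, ":")             # targetIP:targetPORT[-targetPORT]
            pub = $4
            sub(/^.*:/, "", pub)            # drop an optional aliasIP: prefix
            if (split(tgt[2], tr, "-") == 1) tr[2] = tr[1]
            if (split(pub, pr, "-") == 1)    pr[2] = pr[1]
            for (p = pr[1] + 0; p <= pr[2] + 0; p++)
                print proto, p, tgt[1] ":" (tr[1] + p - pr[1])
        }
    ' "$1"
}

# unexpected_ports CONF "ALLOWED PORTS"
# Print exposures whose public port is not in the space-separated allow list.
# Returns 1 when at least one unexpected port is exposed.
unexpected_ports() {
    exposed_ports "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print; bad = 1 }
        END { exit(bad ? 1 : 0) }
    '
}

# Demo on a constructed natd.conf: sh audit.sh demo
if [ "${1:-}" = demo ]; then
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
redirect_port tcp 192.168.0.20:22 5520
redirect_port tcp 192.168.0.20:8000-8002 8000-8002
EOF
    # The range also opens 8001, which is not on the allow list.
    unexpected_ports "$sample" "5520 8000 8002"
    rm -f "$sample"
fi
```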
natd redirect_port changes source address?
I recently set up ipfw and natd on my freebsd box. I added the appropriate command line options to make natd forward 4 tcp ports on the external address to a box on the internal subnet. This appears to work, except that natd is rewriting the original source address such that connections to the internal box appear to come from my external IP address.

Is this behavior normal for natd, or do I have something configured incorrectly? Previously, I was using a cisco 675 to do natd, and the source address was not modified during translation. I would much prefer that the source address not be modified, as this makes it impossible for the internal box to know who is connecting.

Thanks for any help,
mdr

--
Matthew D. Rench
Working IPFW + REDIRECT_PORT + NATD Solution
Hi

I have posted several messages regarding getting outside nic ports translated to internal server. Does anyone have a working solution?

Gordon
Re: IPFW + NATD with redirect_port
> I want to redirect incoming ssh packet to another box internally. I have got the following as my /etc/natd.conf
>
>     dynamic yes
>     log_denied yes
>     use_sockets yes
>     same_ports yes
>     unregistered_only
>     redirect_port tcp 192.168.0.200:22 4455
>
> When I try to ssh to port 4455 I get nothing - I have ipfw running - do I need any specific rules to get this working. I have tried
>
>     ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup
>
> but it doesn't seem to work.

Gordon,

Your natd setup looks OK to me. I'm wondering whether your ipfw isn't blocking connection attempts. Do you have a rule that allows tcp connections to port 4455? And another to allow connections from NAT box to ssh box on port 22? And when you try to connect to port 4455 on your NAT box, you do it from the exterior, right?

Hope this helps,
Jonathan
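Which port a filter rule has to match depends on where it sits relative to the divert rule, because natd rewrites the destination from the gateway's port 4455 to 192.168.0.200:22. The script below is an added example, not part of the thread, showing the rules for this redirect in order. Interface names, rule numbers and the dry-run wrapper are assumptions, and only the rules relevant to the redirect are shown, as they would slot into an existing default-deny ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): ipfw rules for the redirect in the
# quoted natd.conf (public port 4455 -> 192.168.0.200:22).
oif="${oif:-rl0}"           # external interface (assumed name)
iif="${iif:-rl1}"           # internal interface (assumed name)
ssh_host="192.168.0.200"    # redirect target from natd.conf

# Dry run by default: print each rule so the order can be reviewed.
# APPLY=1 hands the same arguments to ipfw instead.
fwcmd() {
    if [ "${APPLY:-0}" = 1 ]; then /sbin/ipfw -q "$@"; else echo "ipfw $*"; fi
}

redirect_rules() {
    # Any rule placed before the divert still sees the original packet,
    # addressed to the gateway on port 4455. An "allow" there would accept
    # the packet untranslated and natd would never rewrite it, so no allow
    # rule for the redirect goes in front of rule 500.

    # natd rewrites the destination to 192.168.0.200:22; ipfw then resumes
    # with the rule after this one.
    fwcmd add 500 divert natd ip from any to any via "$oif"

    # Follow-up packets of connections that were already let in.
    fwcmd add 600 allow tcp from any to any established

    # After the divert the packet carries the translated destination, so the
    # rule matches the ssh box and port 22, not port 4455.
    fwcmd add 610 allow log tcp from any to "$ssh_host" 22 in via "$oif" setup

    # The forwarded packet passes the ruleset again on its way out of the
    # internal interface toward the ssh box.
    fwcmd add 620 allow tcp from any to "$ssh_host" 22 out via "$iif" setup
}

redirect_rules
```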
IPFW + NATD with redirect_port
Hi

I want to redirect incoming ssh packet to another box internally. I have got the following as my /etc/natd.conf

    dynamic yes
    log_denied yes
    use_sockets yes
    same_ports yes
    unregistered_only
    redirect_port tcp 192.168.0.200:22 4455

When I try to ssh to port 4455 I get nothing - I have ipfw running - do I need any specific rules to get this working. I have tried

    ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

but it doesn't seem to work.

Thanks all
Gordon