I vote for VladiBG's solution, but I prefer a separate NAT rule as I want to limit NAT on the outside interface as much as possible. I may have other VMs bridged on the outside interface that I don't want to NAT, for example. Also, I once saw a router set up (I didn't do it lol) to NAT everything (internal connections as well), and this played havoc with a Splynx server trying to talk to a MikroTik router on a separate subnet (all SSH connections between subnets showed up as coming from the router) until I changed the NAT rule to NAT only external traffic. There are two ways to do redirects with ipfw that I know of: 1) the redirected IP is different; 2) the redirected IP is the same or different and the setup is more complicated. Apache Proxy and reverse proxy will work, but I did notice a big enough performance difference; ipfw kernel NAT was faster.
1) is simple; this example forwards the outside interface IP xxx.xxx.xxx.xxx port 8080 to the localhost IP, port 80:
# this will not work if the fwd ip and external ip are the same
# do not add accept rule before fwd or it won't work
${fwcmd} add fwd 127.0.0.1,80 tcp from any to ${ip} 8080 in via ${oif}
2) The forwarded IP is the same or different, like a VM that needs to answer requests from the host's external IP; see the Computing Topics page at coragarden.com.
That page has full instructions for the settings in /boot/loader.conf, /etc/sysctl.conf and rc.conf, as well as the ipfw.rules shown here...
Edit /etc/ipfw.rules
—————
#!/bin/sh
fwcmd="ipfw -q"
oif="em0"
net="10.200.10.0/24"
vmip="10.88.88.88"
natnet="10.88.88.0/24"
#trusted1="123.456.789.0/24"
trusted1="123.456.789.111"
# avoid net.inet.ip.fw.one_pass=0
# try to avoid stateful
ipfw -q -f flush
${fwcmd} add allow ip from any to any via lo0
${fwcmd} add deny ip from any to 127.0.0.0/8
${fwcmd} add deny ip from 127.0.0.0/8 to any
${fwcmd} add deny ip from any to ::1
${fwcmd} add deny ip from ::1 to any
${fwcmd} add allow ipv6-icmp from :: to ff02::/16
${fwcmd} add allow ipv6-icmp from fe80::/10 to fe80::/10
${fwcmd} add allow ipv6-icmp from fe80::/10 to ff02::/16
${fwcmd} add allow ipv6-icmp from any to any icmp6types 1
${fwcmd} add allow ipv6-icmp from any to any icmp6types 2,135,136
# reassemble inbound packets
# ${fwcmd} add reass all from any to any in
ipfw -q nat 1 config if ${oif} same_ports unreg_only reset \
redirect_port tcp ${vmip}:22 22222 \
redirect_port tcp ${vmip}:81 81 \
redirect_port tcp ${vmip}:444 444 \
redirect_port tcp ${vmip}:8080 8080 \
redirect_port tcp ${vmip}:8443 8443 \
redirect_port tcp ${vmip}:25 25 \
redirect_port tcp ${vmip}:119 119 \
redirect_port tcp ${vmip}:143 143 \
redirect_port tcp ${vmip}:389 389 \
redirect_port tcp ${vmip}:465 465 \
redirect_port tcp ${vmip}:587 587 \
redirect_port tcp ${vmip}:993 993 \
redirect_port tcp ${vmip}:995 995 \
redirect_port tcp ${vmip}:7071 7071 \
redirect_port tcp ${vmip}:7073 7073 \
redirect_port tcp ${vmip}:7025 7025
# NOTE YOU CAN'T DO ACCEPT IN ON ABOVE PORTS eg 22222
# Use Apache to redirect to https on 444 / eg no http allowed
# Using Apache Proxy/Reverse to 10.88.88.88:81 works also
# NAT
${fwcmd} add nat 1 ip from ${natnet} to any out via ${oif}
${fwcmd} add nat 1 ip from any to me in via ${oif}
# Allow limited broadcast traffic from my own net.
${fwcmd} add pass all from ${net} to 255.255.255.255
# Allow any traffic to or from my own net.
${fwcmd} add pass all from me to ${net}
${fwcmd} add pass all from ${net} to me
# Allow setup of incoming https request
${fwcmd} add pass tcp from any to me 80,443 in via ${oif}
# SSH WIDE OPEN TEMP
# ${fwcmd} add pass tcp from any to me 22 in via ${oif}
# Deny ssh from NATNET / don't trust ssh from the VM
${fwcmd} add deny tcp from ${natnet} to me 22
# TEMP allow ssh traffic to my test net
# ${fwcmd} add pass tcp from 10.200.0.0/16 to me 22 in via ${oif}
# ${fwcmd} add pass tcp from me to 10.200.0.0/16 22 in via ${oif}
# TRUSTED NET OR HOST
${fwcmd} add pass tcp from ${trusted1} to me 22 in via ${oif}
${fwcmd} add pass icmp from ${trusted1} to me
${fwcmd} add pass udp from ${trusted1} to me
# deny all other SSH requests
${fwcmd} add deny tcp from any to me 22 in via ${oif}
# Allow TCP through if setup succeeded
${fwcmd} add pass tcp from any to any established
# Allow IP fragments to pass through
${fwcmd} add pass all from any to any frag
# Allow setup of incoming email
# disable external mail, this host forwards mail to VM
# ${fwcmd} add pass tcp from any to me 25 setup
# another service to host I want to allow for example
${fwcmd} add pass tcp from any to me 23232 in via ${oif}
# NATNET
${fwcmd} add allow ip from ${natnet} to any
${fwcmd} add allow ip from any to ${natnet}
# OUT SIMPLE
${fwcmd} add allow tcp from me to any setup keep-state
${fwcmd} add allow udp from me to any keep-state
${fwcmd} add allow icmp from me to any keep-state
# Global Deny
${fwcmd} add deny ip from any to any
Something like this should work.
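The ordering warnings in the post (no accept rule before the fwd, the natnet SSH deny placed before the natnet allow, the trusted-host pass placed before the catch-all SSH deny) all come down to ipfw's first-match evaluation. The following is an added example, not code from the post or from FreeBSD's ipfw: a small Python model of that first-match walk over a subset of ipfw rule syntax, run against constructed rule lists and packets. The host address `ME`, the interface `OIF`, and the sample addresses (RFC 5737 documentation ranges) are assumptions; `matches` ignores stateful keywords such as `setup`, `established` and `keep-state`, and treats nat, fwd, pass and deny all as terminal, which corresponds to the default net.inet.ip.fw.one_pass=1 the script's comment asks to keep.

```python
"""Minimal first-match model of ipfw rule evaluation (added example).

Supported grammar: add <action> [target] <proto> from <src> to <dst>
[dport[,dport...]] [in|out] [via <iface>]. Everything else is ignored.
"""
import ipaddress
from dataclasses import dataclass, field

ME = "203.0.113.10"   # assumption: the host's outside address
OIF = "em0"           # assumption: the outside interface


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    direction: str = "in"   # 'in' or 'out'
    iface: str = OIF


@dataclass
class Rule:
    action: str            # 'allow', 'deny', 'fwd' or 'nat'
    target: str            # fwd destination or nat instance, else ''
    proto: str
    src: str
    dst: str
    dports: set = field(default_factory=set)
    direction: str = ""    # '' means either direction
    iface: str = ""        # '' means any interface


def parse_rule(text):
    """Parse one ipfw 'add ...' line of the supported subset into a Rule."""
    tok = text.replace("${oif}", OIF).split()
    if tok and tok[0] == "add":
        tok = tok[1:]
    action, tok = tok[0], tok[1:]
    target = ""
    if action in ("fwd", "nat"):          # both carry an argument before proto
        target, tok = tok[0], tok[1:]
    if action in ("pass", "accept", "allow"):
        action = "allow"
    proto = tok[0]
    src = tok[tok.index("from") + 1]
    dst = tok[tok.index("to") + 1]
    after = tok[tok.index("to") + 2:]     # optional port list and modifiers
    dports = set()
    if after and after[0].replace(",", "").isdigit():
        dports = {int(p) for p in after[0].split(",")}
    direction = "in" if "in" in after else "out" if "out" in after else ""
    iface = after[after.index("via") + 1] if "via" in after else ""
    return Rule(action, target, proto, src, dst, dports, direction, iface)


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "me":
        return addr == ME
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    if rule.proto not in ("ip", "all", pkt.proto):
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    return True


def evaluate(rules, pkt):
    """Return (index, action, target) of the first matching rule.
    A packet matching nothing hits ipfw's implicit default rule: deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return i, rule.action, rule.target
    return None, "deny", ""


# Constructed rule lists mirroring the ordering used in the post's script.
SSH_POLICY = [parse_rule(r) for r in (
    "add deny tcp from 10.88.88.0/24 to me 22",             # natnet SSH deny first
    "add pass tcp from 192.0.2.111 to me 22 in via ${oif}",  # trusted host (assumed)
    "add deny tcp from any to me 22 in via ${oif}",          # everyone else
    "add allow ip from 10.88.88.0/24 to any",                # natnet allow comes later
)]
FWD_OK = [parse_rule(r) for r in (
    "add fwd 127.0.0.1,80 tcp from any to me 8080 in via ${oif}",
    "add pass tcp from any to me 8080 in via ${oif}",
)]
FWD_BROKEN = list(reversed(FWD_OK))   # accept placed before fwd


def ssh_from(src, dport=22):
    return Packet("tcp", src, ME, dport, "in", OIF)


if __name__ == "__main__":
    for src in ("10.88.88.88", "192.0.2.111", "198.51.100.7"):
        print(src, "->", evaluate(SSH_POLICY, ssh_from(src)))
    print("fwd ok:    ", evaluate(FWD_OK, ssh_from("198.51.100.7", 8080)))
    print("fwd broken:", evaluate(FWD_BROKEN, ssh_from("198.51.100.7", 8080)))
```

Running it shows the VM's SSH attempt stopped by rule 0 even though rule 3 would otherwise allow anything from natnet, the trusted host passed by rule 1 before the catch-all deny, and, in `FWD_BROKEN`, the packet consumed by the pass rule so the fwd never fires, which is exactly the "do not add accept rule before fwd" comment in the post.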