How can you map port 8080 to 80?

I'm new to freeBSD, so I'm very very very sorry for my ignorance.
I've just installed a minimal freeBSD and I have this problem with ipfw: I have a very unsafe application featuring a simple, embedded http server. I don't want to run this app as root, which means it must be bound to some unprivileged port. Let's say I choose port 8080. This is unpleasant because a user in the lan must remember the port number and digit something like http://app.office.lan:8080 in a browser, which is unacceptable. How do I map port 8080 to 80 instead, so employers can simply write app.office.lan just like any other site?
In linux netfilter the correct syntax would be (I'm currently running the app on linux where it works this way and I'm trying to switch it to freebsd):

Code:
...other stuff for managing packets with state, ssh, and so on...
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -d 192.168.1.8/32 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.8:8080 
iptables -t nat -A POSTROUTING -s 192.168.1.8/32 -d 192.168.1.0/24 -p tcp -m tcp --sport 8080 -j SNAT --to-source 192.168.1.8:80

This is my current /etc/ipfw.rules:
Code:
ipfw -q -f flush
cmd="ipfw -q add"
$cmd 00010 allow all from any to any via lo0

$cmd 00014 divert natd tcp from any to any 80 in via le0
$cmd 00015 check-state

$cmd 00250 allow tcp from any to any 22 via le0 setup keep-state
$cmd 00304 allow log tcp from any to any 80 in setup
$cmd 00305 allow tcp from any to any 80 in
$cmd 00306 allow tcp from any to any 8080 in
and this is my /etc/natd.conf

Code:
interface le0
use_sockets yes
dynamic yes

redirect_port tcp 192.168.1.8:8080 192.168.1.8:80

I'm going mad so I thought it was better to ask for help.
Thanks for your time.
 
There is at least one thing wrong in your configuration

Code:
redirect_port tcp 192.168.1.8:8080 192.168.1.8:80

you are telling natd to redirect incoming packets hitting port 8080 to 80, but you want the opposite.

Incoming packet on port 80 should be redirected to 8080
redirect_port tcp 192.168.1.8:80 192.168.1.8:8080

As an alternative you could set the following sysctl to 0 instead of 1023
net.inet.ip.portrange.reservedhigh=0
That way there won't be any reserved privileged port (I have not tested it, but it would be the logical behavior) and you could let your application listen on port 80 even without root.

You just have to make sure you understand the implication.

Oh, and put it in /etc/sysctl.conf so it survives the reboot
 
Thank you people, very very much...

As object says, thank you. It looks like natting is a different world in freeBSD (which is good, I am the one getting lazy in my comfortable linux :)). All of the solutions seem viable to have this thing work quickly, which is what I need now. As for allowing access to privileged port, it shouldn't be an issue because I would only open port 80 on this.
I'm getting more and more interested in the *BSD world, especially freeBSD: I confess I envy the ZFS support... :))))
Byez.
 
You can't use fwd, can you?

Just an errata: I believe you cannot use any kind of simple forward (fwd) with ipfw because that would not change the packets in any way.
That means an application running on 8080 should
1) capture on port 8080 a tcp packet with destination port 80
2) either reply with source port 8080 to a packet that had destination port 80 OR reply with source port 80 but sending the packet through port 8080.
This should never work...
 
malexe said:
So have you made it work yet ? :) Don't forget to tell us what you did to make it work correctly.

Well... I have put this line in /etc/sysctl.conf:
Code:
net.inet.ip.portrange.reservedhigh=79
so I can bind to the port 80 and that's all for now.
I don't like it at all, but it's running in a vmware vm so I can simply block everything except incoming connections to port 80 with state, which looks acceptable.
I'm still pretty sure NAPT is the way to go but... I'm probably missing something about freeBSD configuration because natd ignores me :). I've tried everything I could think of, so it's time to rest. But I can tame freeBSD too, no doubt: once I have "The Answer" the world will know.
Regards
 
akeiron said:
I believe you cannot use any kind of simple forward (fwd) with ipfw because that would not change the packets in any way.
Try it. If it doesn't work, ipfw's behavior has changed recently. I haven't needed to do it for years, but I ran like that for many privileged ports on a certain FreeBSD 4 system a year ago before switching to pf for all its extra features.
 
I believe natd is not needed anymore with recent versions of ipfw.

From ipfw(8):
Code:
     ipfw support in-kernel NAT using the kernel version of libalias(3).

     The nat configuration command is the following:

           nat nat_number config nat-configuration
 