From owner-freebsd-ipfw@FreeBSD.ORG Wed Apr 16 14:12:17 2003
From: "C_Ahlers"
To: "'Darren Pilgrim'"
Cc: freebsd-ipfw@freebsd.org
Date: Wed, 16 Apr 2003 14:12:13 -0700
Organization: code-space.com
Message-ID: <000001c3045c$da5d0f20$3401a8c0@neptune>
In-Reply-To: <20030415232349.45b4e8a1.dmp@pantherdragon.org>
Reply-To: freebsd@code-space.com
Subject: RE: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

Thank you. I do understand what you are suggesting in principle, and I do
understand the syntax of ipfw forward rules. However, I just am not sure
exactly how to create the correct forward rule. Would this be correct?:

    ipfw add fwd a.a.a.15 all from b.b.b.0/24 to a.a.a.15

I forgot to describe earlier that:

    gateway_enable="YES"

Does this have any effect on the discussion?
(sorry if it seems that I have concrete between my ears)

C_ahlers

-----Original Message-----
From: Darren Pilgrim [mailto:dmp@pantherdragon.org]
Sent: Tuesday, April 15, 2003 11:24 PM
To: chris.ahlers@mail-space.net
Cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

 wrote:
[trimmed for relevance]
>firewall external IP = a.a.a.15 (internet ip address)
>firewall internal IP = b.b.b.254 (private ip address)
>
>NATD: alias_address = a.a.a.15
>NATD: redirect_port tcp b.b.b.100:80 80
>NATD: deny_incoming
>
>webserver internal IP = b.b.b.100
>example client pc IP = b.b.b.57
>client pc gateway IP = b.b.b.254 (firewall)
>
<...>
>However, INTERNAL hosts are unable to connect to my webserver via
>a.a.a.15 (since this is not actually the webserver's address).
<...>
>Any suggestions?

Use an ipfw forward rule for the requests coming from the LAN. Read
ipfw(8) for the appropriate syntax.

Explanation: a.a.a.15 is a local address according to the firewall box,
so it isn't going to route anything destined for a.a.a.15 out an
interface. Since natd is configured to only act upon packets crossing
the external interface, it never sees the LAN-sourced requests for
a.a.a.15, thus the redirection never takes place.
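The packet path Darren describes, as an added Python model that is not code from the thread or from FreeBSD. It assumes interface names ext0/int0 and an external client address 203.0.113.9 (both constructed), models natd as seeing only ext0 traffic, and models an optional fwd rule with the ipfw(8) semantics of changing the next hop without touching the IP header.

```python
# Constructed model of the firewall in the thread: a.a.a.15 on ext0,
# b.b.b.254 on int0, natd diverted only "via ext0" with
# redirect_port tcp b.b.b.100:80 80 and deny_incoming (no state table modelled).
EXT_IF, INT_IF = "ext0", "int0"                       # assumed interface names
LOCAL_ADDRS = {"a.a.a.15": EXT_IF, "b.b.b.254": INT_IF}   # the firewall's own addresses
NATD_ALIAS = "a.a.a.15"
NATD_REDIRECT_PORT = {("tcp", 80): ("b.b.b.100", 80)}  # redirect_port tcp b.b.b.100:80 80
# Optional rule in the direction of Darren's advice. Per ipfw(8), "fwd ipaddr,port"
# only changes the next hop of a matching packet; the destination in the IP header stays.
FWD_RULE = {"src_net": "b.b.b.", "dst": "a.a.a.15", "dport": 80,
            "iface": INT_IF, "next_hop": ("b.b.b.100", 80)}

def natd_in(pkt):
    """natd on an incoming ext0 packet: rewrite the destination if a redirect_port matches."""
    key = (pkt["proto"], pkt["dport"])
    if pkt["dst"] == NATD_ALIAS and key in NATD_REDIRECT_PORT:
        new_dst, new_port = NATD_REDIRECT_PORT[key]
        return {**pkt, "dst": new_dst, "dport": new_port, "natd": True}
    return pkt

def firewall_path(pkt, use_fwd=False):
    """Return (disposition, next_hop, packet) for a packet entering the firewall.

    Modelled rules, in order:
      divert natd ip from any to any via ext0                    (natd only sees ext0)
      fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via int0   (only if use_fwd)
    """
    pkt = dict(pkt, natd=False)
    if pkt["iface"] == EXT_IF:
        pkt = natd_in(pkt)
        if not pkt["natd"]:
            return "drop", None, pkt          # natd deny_incoming: no translation entry
    if (use_fwd and pkt["iface"] == FWD_RULE["iface"]
            and pkt["src"].startswith(FWD_RULE["src_net"])
            and pkt["dst"] == FWD_RULE["dst"] and pkt["dport"] == FWD_RULE["dport"]):
        return "forward", FWD_RULE["next_hop"], pkt   # next hop changed, header unchanged
    if pkt["dst"] in LOCAL_ADDRS:
        return "local", None, pkt             # delivered to the firewall box itself
    return "forward", (pkt["dst"], pkt["dport"]), pkt

def external_client():
    """Constructed Internet client hitting the published address on ext0."""
    return firewall_path({"proto": "tcp", "src": "203.0.113.9", "dst": "a.a.a.15",
                          "dport": 80, "iface": EXT_IF})

def lan_client(use_fwd=False):
    """The thread's client b.b.b.57 hitting a.a.a.15:80 from the LAN side."""
    return firewall_path({"proto": "tcp", "src": "b.b.b.57", "dst": "a.a.a.15",
                          "dport": 80, "iface": INT_IF}, use_fwd)

if __name__ == "__main__":
    for name, res in [("external", external_client()), ("lan", lan_client()),
                      ("lan+fwd", lan_client(True))]:
        print(name, res[0], res[1], "natd" if res[2]["natd"] else "no natd")
```

Running it shows the external request reaching b.b.b.100 through natd, the LAN request ending on the firewall itself with natd never consulted, and the fwd rule sending the LAN request toward b.b.b.100 while the header still says a.a.a.15.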