Date:      Tue, 10 Apr 2001 16:49:59 +0200
From:      Roger Svenning <ros@switch.no>
To:        'Elliott Perrin' <eperrin@bigorbit.com>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject:   SV: routed, natd & ipfirewall [config help needed]
Message-ID:  <E13BBFD5DA06D411ADC600508BC25BF714426B@switch01.switch.no>

Hi

I know that 217.8.130.32/27 is routed properly because it worked when I used
it behind natd with redirect_address.
And the fact that I get "From c12969.catch.sdsl.no (217.8.129.69):
Destination Host Unreachable" when trying to reach a live DMZ address tells
us that the ISP is forwarding the request to our router.

I'm no expert in setting up ipfw and I would need some advice on how to
restrict access to the local network through the DMZ zone, else an intruder
who gains access to one of the DMZ machines would easily go from there to
our local network.

Running routed, natd and ipfw is a bit confusing as I do not know in which
order the different daemons are handling the packets.

Just for testing purposes I have "allow ip from any to any" in ipfw, which
should enable packets to go from xl2 to xl1?

-Roger

> -----Original message-----
> From: Elliott Perrin [mailto:eperrin@bigorbit.com]
> Sent: 10 April 2001 16:55
> To: Roger Svenning; 'freebsd-questions@freebsd.org'
> Subject: Re: routed, natd & ipfirewall [config help needed]
> 
> 
> You have to make sure that your ISP is routing your subnet to your host
> (possible problem, first place to look)
> 
> If the ISP is not routing the 217.8.130.32/27 subnet that you are assigned
> to your 217.8.129.69 interface sitting on their network then the problem is
> there. (I actually had this problem with our last ISP, they kept removing
> the routes from a router and had a Junior Admin that didn't understand why
> they had to be there)
> 
> If they are doing that already then you probably have a problem with the
> rules in IPFW and NATD
> 
> Make sure that you run NATD with the -u option, which will translate
> addresses only for unregistered (RFC1918) addresses and that NATD is running
> on the external interface (in your layout the 217.8.129.69 interface)
> 
> Check through your IPFW rules to make sure you are allowing your DMZ out to
> the world,
> 
> eg.
> 
> allow all from {DMZ} to any
> 
> (don't use that rule!!!!!, it is just an example)
> 
> Aside from that I have a modified rc.firewall that I used when I was still
> running IPFW on a three interfaced machine with LAN, DMZ and link to our ISP.
> Let me know if you want it.
> 
> 
> 
> ----- Original Message -----
> From: "Roger Svenning" <ros@switch.no>
> To: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
> Sent: Tuesday, April 10, 2001 10:15 AM
> Subject: routed, natd & ipfirewall [config help needed]
> 
> 
> > Hi
> >
> > I've been running a box with natd & ipfw for connecting our local network
> > to the internet and it works just fine.
> >
> > Now I want to set up a DMZ zone for servers that should be connected
> > directly to the net without NAT.
> > I've added a third network card and enabled routed, but .. taadaa .. it
> > doesn't work quite as expected :-)
> >
> > The DMZ zone can be reached from the gateway itself and the internal
> > network, but not from the internet.
> > The routing from xl2 to xl0 through natd works just fine.
> >
> > Can anyone give me some advice on how to set this configuration up?
> >
> > Here's the network layout:
> >
> > 217.8.129.70 (ISP gateway)
> > |
> > -> 217.8.129.69 (xl2 interface)(255.255.255.252)
> > |
> > -> 217.8.130.62 (xl1 interface)(255.255.255.224) -> DMZ zone
> > |
> > -> 10.0.1.1 (xl0 interface)(255.255.255.0) -> Local network
> >
> > Roger O. Svenning
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-questions" in the body of the message
> >
> 
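The two questions in this thread (in what order ipfw, natd and routed see a packet, and how to keep a compromised DMZ host away from the LAN) come down to rule ordering. The script below is an added example, not Roger's configuration or Elliott's rc.firewall: an rc.firewall-style ruleset for the three-interface layout in the post (ISP link on xl2, public DMZ on xl1, RFC1918 LAN on xl0). The addresses are the ones from the thread; the rule numbers, the published DMZ ports (80 and 443), the dry-run switch and the assumption that natd was started as `natd -u -n xl2` are mine.

```shell
#!/bin/sh
# Added example (not code from the thread): ipfw ruleset for a gateway with
# an ISP link (xl2), a public DMZ (xl1) and an RFC1918 LAN (xl0).
# Assumes natd is already running as: natd -u -n xl2
#
#   sh dmz-rules.sh dry     # print the ipfw commands that would be loaded
#   sh dmz-rules.sh apply   # load them (root required)

oif="xl2"                           # ISP link, 217.8.129.69/30
dnet="217.8.130.32/27"              # DMZ: routed to us by the ISP, never translated
inet="10.0.1.0/24"                  # LAN: translated by natd -u (RFC1918 only)

build_rules() {
    fwcmd="$1"    # "/sbin/ipfw" for real, "echo ipfw" for a dry run
    ${fwcmd} -f flush
    # Loopback and martians
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 200 deny ip from any to 127.0.0.0/8
    # Anti-spoofing on the ISP link: packets arriving on xl2 can never
    # legitimately carry our own LAN or DMZ source addresses.
    ${fwcmd} add 300 deny ip from ${inet} to any in via ${oif}
    ${fwcmd} add 310 deny ip from ${dnet} to any in via ${oif}
    # NAT. ipfw hands every packet crossing xl2 to natd here. Because natd runs
    # with -u only RFC1918 sources are rewritten, so DMZ traffic passes through
    # unchanged. natd reinjects the packet at the rule after this one, so all
    # rules below see translated addresses. routed does no filtering at all; it
    # only keeps the routing table that picks the outgoing interface.
    ${fwcmd} add 400 divert natd ip from any to any via ${oif}
    # DMZ containment. ipfw stops at the first matching rule, so these two must
    # sit above the broad "allow from DMZ to any" at 610. LAN-initiated TCP
    # sessions into the DMZ still get their replies back through rule 500.
    ${fwcmd} add 500 allow tcp from ${dnet} to ${inet} established
    ${fwcmd} add 510 deny ip from ${dnet} to ${inet}
    # LAN and DMZ may talk to the world; the world reaches the DMZ only on the
    # services it publishes (placeholder ports), plus replies for everything.
    ${fwcmd} add 600 allow ip from ${inet} to any
    ${fwcmd} add 610 allow ip from ${dnet} to any
    ${fwcmd} add 620 allow tcp from any to ${dnet} 80,443 setup
    ${fwcmd} add 630 allow tcp from any to any established
    ${fwcmd} add 640 allow icmp from any to any icmptypes 0,3,8,11
    ${fwcmd} add 65000 deny log ip from any to any
}

dryrun_rules() { build_rules "echo ipfw"; }

# Rule number of the first dry-run line containing the given text (empty if none)
rule_number() {
    dryrun_rules | grep -F -- "$1" | head -n 1 | awk '{ print $3 }'
}

# Self-check before loading: the DMZ->LAN deny must carry a lower number than
# the DMZ->any allow, otherwise rule 610 opens the LAN to any DMZ host.
check_ordering() {
    deny=$(rule_number "deny ip from ${dnet} to ${inet}")
    allow=$(rule_number "allow ip from ${dnet} to any")
    [ -n "$deny" ] && [ -n "$allow" ] && [ "$deny" -lt "$allow" ]
}

case "${1:-}" in
    dry)   dryrun_rules ;;
    apply) check_ordering && build_rules /sbin/ipfw ;;
esac
```

Rule 500 is the usual stateless compromise: a DMZ host can still push packets with the ACK bit set past it, which is why the ruleset never relies on it alone and why, on an ipfw that supports check-state/keep-state, the LAN-to-DMZ direction is better tracked with dynamic rules instead. Traffic between xl1 and xl0 never crosses xl2, so it is never diverted to natd and the containment rules see the real 217.8.130.x and 10.0.1.x addresses.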
