Date:      Tue, 10 Apr 2001 16:58:06 +0200
From:      Roger Svenning <ros@switch.no>
To:        'Elliott Perrin' <eperrin@bigorbit.com>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject:   SV: routed, natd & ipfirewall [config help needed]
Message-ID:  <E13BBFD5DA06D411ADC600508BC25BF714426C@switch01.switch.no>

Ok, running natd with -u solved the problem. THNX :)

Some advice on how to set up ipfw with the DMZ would be appreciated :-)

-Roger

> -----Original message-----
> From: Roger Svenning 
> Sent: 10 April 2001 16:50
> To: 'Elliott Perrin'; 'freebsd-questions@freebsd.org'
> Subject: SV: routed, natd & ipfirewall [config help needed]
> 
> 
> Hi
> 
> I know that 217.8.130.32/27 is routed properly because it worked when I used
> it behind natd with redirect_address. And the fact that I get
> "From c12969.catch.sdsl.no (217.8.129.69): Destination Host Unreachable" when
> trying to reach a live DMZ address tells us that the ISP is forwarding the
> request to our router.
> 
> I'm no expert in setting up ipfw and I would need some advice on how to
> restrict access to the local network through the DMZ zone, else an intruder
> who gains access to one of the DMZ machines would easily go from there to
> our local network.
> 
> Running routed, natd and ipfw is a bit confusing as I do not know in which
> order the different daemons are handling the packets.
> 
> Just for testing purposes I have "allow ip from any to any" in ipfw, which
> should enable packets to go from xl2 to xl1?
> 
> -Roger
> 
> > -----Original message-----
> > From: Elliott Perrin [mailto:eperrin@bigorbit.com]
> > Sent: 10 April 2001 16:55
> > To: Roger Svenning; 'freebsd-questions@freebsd.org'
> > Subject: Re: routed, natd & ipfirewall [config help needed]
> > 
> > 
> > You have to make sure that your ISP is routing your subnet to your host
> > (possible problem, first place to look)
> > 
> > If the ISP is not routing the 217.8.130.32/27 subnet that you are assigned
> > to your 217.8.129.69 interface sitting on their network then the problem is
> > there. (I actually had this problem with our last ISP, they kept removing
> > the routes from a router and had a Junior Admin that didn't understand why
> > they had to be there)
> > 
> > If they are doing that already then you probably have a problem with the
> > rules in IPFW and NATD
> > 
> > Make sure that you run NATD with the -u option, which will translate
> > addresses only for unregistered (RFC1918) addresses and that NATD is running
> > on the external interface (in your layout the 217.8.129.69 interface)
> > 
> > Check through your IPFW rules to make sure you are allowing your DMZ out to
> > the world,
> > 
> > eg.
> > 
> > allow all from {DMZ} to any
> > 
> > (don't use that rule!!!!!, it is just an example)
> > 
> > Aside from that I have a modified rc.firewall that I used when I was still
> > running IPFW on a three interfaced machine with LAN, DMZ and link to our
> > ISP. Let me know if you want it.
> > 
> > 
> > 
> > ----- Original Message -----
> > From: "Roger Svenning" <ros@switch.no>
> > To: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
> > Sent: Tuesday, April 10, 2001 10:15 AM
> > Subject: routed, natd & ipfirewall [config help needed]
> > 
> > 
> > > Hi
> > >
> > > I've been running a box with natd & ipfw for connecting our local network
> > > to the internet and it works just fine.
> > >
> > > Now I want to set up a DMZ zone for servers that should be connected
> > > directly to the net without NAT. I've added a third network card and
> > > enabled routed, but .. taadaa .. it doesn't work quite as expected :-)
> > >
> > > The DMZ zone can be reached from the gateway itself and the internal
> > > network, but not from the internet. The routing from xl2 to xl0 through
> > > natd works just fine.
> > >
> > > Can anyone give me some advice on how to set this configuration up?
> > >
> > > Here's the network layout:
> > >
> > > 217.8.129.70 (ISP gateway)
> > > |
> > > -> 217.8.129.69 (xl2 interface)(255.255.255.252)
> > > |
> > > -> 217.8.130.62 (xl1 interface)(255.255.255.224) -> DMZ zone
> > > |
> > > -> 10.0.1.1 (xl0 interface)(255.255.255.0) -> Local network
> > >
> > > Roger O. Svenning
> > >
> > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > with "unsubscribe freebsd-questions" in the body of the message
> > >
> > 
> 
> 

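An added example, not from any of the posters: an ipfw(8) ruleset for the three-interface layout Roger posted, written as a dry-run script so the rule order (anti-spoofing, the natd divert on xl2, then the DMZ-to-LAN block before any general "established" rule) can be read and checked. The published DMZ ports 80 and 443 are an assumption, and it expects natd to be started with -u on xl2 as Elliott suggested.

```sh
#!/bin/sh
# Dry-run ipfw(8) ruleset for the three-interface gateway in the thread.
# Interfaces and addresses are the ones Roger posted; the published DMZ
# ports (80, 443) are an assumption. natd is expected to run as
# "natd -u -n xl2", so only RFC 1918 sources get translated.
oif=xl2;   ogw=217.8.129.69                 # link to the ISP
dmzif=xl1; dmznet=217.8.130.32/27           # public servers, no NAT
lanif=xl0; lannet=10.0.1.0/24               # private network behind natd
dmz_ports="80,443"                          # assumption: what the DMZ publishes

# Print the rules by default; APPLY=1 loads them for real on the gateway.
if [ "${APPLY:-0}" = 1 ]; then IPFW="/sbin/ipfw -q"; else IPFW=echo; fi
fw() { $IPFW add "$@"; }

load_rules() {
    $IPFW -f flush
    fw 100 allow ip from any to any via lo0
    fw 110 deny ip from any to 127.0.0.0/8
    fw 120 deny ip from 127.0.0.0/8 to any
    # Anti-spoofing: our own networks never arrive from the ISP side
    fw 200 deny ip from $lannet to any in via $oif
    fw 210 deny ip from $dmznet to any in via $oif
    fw 220 deny ip from any to $lannet in via $oif
    # NAT only on the outside interface; with -u the DMZ passes untranslated
    fw 300 divert natd ip from any to any via $oif
    # DMZ isolation: the LAN may open sessions into the DMZ, never the reverse
    fw 400 check-state
    fw 410 allow ip from $lannet to $dmznet keep-state
    fw 420 deny log ip from $dmznet to $lannet
    # Published DMZ services from anywhere; DMZ hosts may talk out
    fw 500 allow tcp from any to $dmznet $dmz_ports setup keep-state
    fw 510 allow ip from $dmznet to any keep-state
    # LAN to the Internet through natd: pre-translation out of xl0,
    # post-translation out of xl2, TCP replies and DNS answers back in
    fw 600 allow ip from $lannet to any
    fw 610 allow ip from $ogw to any out via $oif
    fw 620 allow tcp from any to any established
    fw 630 allow udp from any 53 to $lannet
    fw 640 allow icmp from any to any icmptypes 0,3,11
    fw 65000 deny log ip from any to any
}
load_rules
```

Rule 420 sits before the general "established" rule on purpose: a DMZ host sending ACK-only packets into the LAN would otherwise match rule 620 and get through.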