From owner-freebsd-questions Tue Apr 10 8:52:25 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from switch01.switch.no (c12969.catch.sdsl.no [217.8.129.69]) by hub.freebsd.org (Postfix) with ESMTP id 84DDA37B423 for ; Tue, 10 Apr 2001 08:52:18 -0700 (PDT) (envelope-from ros@switch.no)
Received: by switch01.switch.no with Internet Mail Service (5.5.2650.21) id ; Tue, 10 Apr 2001 16:58:08 +0200
Message-ID:
From: Roger Svenning
To: 'Elliott Perrin', "'freebsd-questions@freebsd.org'"
Subject: SV: routed, natd & ipfirewall [config help needed]
Date: Tue, 10 Apr 2001 16:58:06 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Ok, running natd with -u solved the problem. THNX :)

Some advice on how to set up ipfw with the DMZ would be appreciated :-)

-Roger

> -----Original Message-----
> From: Roger Svenning
> Sent: 10 April 2001 16:50
> To: 'Elliott Perrin'; 'freebsd-questions@freebsd.org'
> Subject: SV: routed, natd & ipfirewall [config help needed]
>
>
> Hi
>
> I know that 217.8.130.32/27 is routed properly because it worked when I
> used it behind natd with redirect_address.
> And the fact that I get "From c12969.catch.sdsl.no (217.8.129.69):
> Destination Host Unreachable" when trying to reach a live DMZ address
> tells us that the ISP is forwarding the request to our router.
>
> I'm no expert in setting up ipfw and I would need some advice on how to
> restrict access to the local network through the DMZ zone, else an
> intruder who gains access to one of the DMZ machines would easily go from
> there to our local network.
>
> Running routed, natd and ipfw is a bit confusing as I do not know in
> which order the different daemons are handling the packets.
>
> Just for testing purposes I have "allow ip from any to any" in ipfw which
> should enable packets to go from xl2 to xl1 ?
>
> -Roger
>
> > -----Original Message-----
> > From: Elliott Perrin [mailto:eperrin@bigorbit.com]
> > Sent: 10 April 2001 16:55
> > To: Roger Svenning; 'freebsd-questions@freebsd.org'
> > Subject: Re: routed, natd & ipfirewall [config help needed]
> >
> >
> > You have to make sure that your ISP is routing your subnet to your host
> > (possible problem, first place to look)
> >
> > If the ISP is not routing the 217.8.130.32/27 subnet that you are
> > assigned to your 217.8.129.69 interface sitting on their network then
> > the problem is there. (I actually had this problem with our last ISP,
> > they kept removing the routes from a router and had a Junior Admin that
> > didn't understand why they had to be there)
> >
> > If they are doing that already then you probably have a problem with
> > the rules in IPFW and NATD
> >
> > Make sure that you run NATD with the -u option, which will translate
> > addresses only for unregistered (RFC1918) addresses and that NATD is
> > running on the external interface (in your layout the 217.8.129.69
> > interface)
> >
> > Check through your IPFW rules to make sure you are allowing your DMZ
> > out to the world,
> >
> > eg.
> >
> > allow all from {DMZ} to any
> >
> > (don't use that rule!!!!!, it is just an example)
> >
> > Aside from that I have a modified rc.firewall that I used when I was
> > still running IPFW on a three interfaced machine with LAN, DMZ and link
> > to our ISP. Let me know if you want it.
> >
> >
> >
> > ----- Original Message -----
> > From: "Roger Svenning"
> > To: "'freebsd-questions@freebsd.org'"
> > Sent: Tuesday, April 10, 2001 10:15 AM
> > Subject: routed, natd & ipfirewall [config help needed]
> >
> >
> > > Hi
> > >
> > > I've been running a box with natd & ipfw for connecting our local
> > > network to the internet and it works just fine.
> > >
> > > Now I want to set up a DMZ zone for servers that should be connected
> > > directly to the net without NAT.
> > > I've added a third network card and enabled routed, but .. taadaa ..
> > > it doesn't work quite as expected :-)
> > >
> > > The DMZ zone can be reached from the gateway itself and the internal
> > > network, but not from the internet.
> > > The routing from xl2 to xl0 through natd works just fine.
> > >
> > > Can anyone give me some advice on how to set this configuration up ?
> > >
> > > Here's the network layout:
> > >
> > > 217.8.129.70 (ISP gateway)
> > >     |
> > >     -> 217.8.129.69 (xl2 interface)(255.255.255.252)
> > >     |
> > >     -> 217.8.130.62 (xl1 interface)(255.255.255.224) -> DMZ zone
> > >     |
> > >     -> 10.0.1.1 (xl0 interface)(255.255.255.0) -> Local network
> > >
> > > Roger O. Svenning

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
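The thread asks two things that a ruleset answers better than prose: in what order routed, natd and ipfw touch a packet, and how to keep a compromised DMZ host away from the LAN. On FreeBSD, routed only maintains the kernel routing table and never sees the packets; ipfw walks its rules in number order, and a divert rule hands the packet to natd, which rewrites it (with -u, only when the source is an unregistered address) and reinjects it so evaluation resumes at the next rule. The script below is an added example written for this thread, not Elliott's rc.firewall or anything posted here. It uses the interfaces and addresses from Roger's layout and the ipfw/natd of FreeBSD 4.x (natd started as natd -u -n xl2, i.e. natd_interface="xl2" and natd_flags="-u" in rc.conf); the published DMZ ports 25, 80 and 443 are an assumption. By default it only prints the rules (FWCMD=/sbin/ipfw loads them).

```shell
#!/bin/sh
# Added example for the three-interface layout in the thread; not a file
# from the thread or from FreeBSD. Dry run by default: rules are printed.
# Load them for real with: FWCMD=/sbin/ipfw sh dmz-rules.sh
fwcmd=${FWCMD:-"echo /sbin/ipfw"}

oif=xl2; oip=217.8.129.69; onet=217.8.129.68/30   # link to the ISP
dif=xl1; dip=217.8.130.62; dnet=217.8.130.32/27   # DMZ: public addresses, no NAT
iif=xl0; iip=10.0.1.1;     inet=10.0.1.0/24       # LAN: RFC1918, translated by natd -u
dmz_ports="25,80,443"                              # assumption: services the DMZ publishes

build_ruleset() {
    $fwcmd -f flush

    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 110 deny ip from any to 127.0.0.0/8

    # Anti-spoofing: our own prefixes never arrive from the wrong side.
    $fwcmd add 120 deny log ip from ${inet} to any in via ${oif}
    $fwcmd add 121 deny log ip from ${dnet} to any in via ${oif}
    $fwcmd add 122 deny log ip from ${inet} to any in via ${dif}

    # natd -u rewrites only packets with an unregistered source address, so
    # LAN traffic is translated here and DMZ traffic passes through untouched
    # in both directions. After natd reinjects a packet, ipfw resumes at 201.
    $fwcmd add 200 divert natd ip from any to any via ${oif}

    # LAN -> DMZ is stateful: replies match check-state, so no DMZ -> LAN
    # allow rule is ever needed and everything else DMZ -> LAN is denied.
    # A compromised DMZ host therefore cannot open anything towards the LAN.
    $fwcmd add 300 check-state
    $fwcmd add 310 allow ip from ${inet} to ${dnet} keep-state
    $fwcmd add 320 deny log ip from ${dnet} to ${inet}

    # Outbound: the LAN (its packets leave ${oif} as ${oip} after rule 200),
    # the firewall itself, and the DMZ.
    $fwcmd add 400 allow ip from ${inet} to any
    $fwcmd add 410 allow ip from ${oip} to any out via ${oif}
    $fwcmd add 420 allow ip from ${dnet} to any

    # Inbound from the Internet: only the published DMZ services may open
    # TCP connections; everything else must be a reply to an existing one.
    # UDP is stateless on the outer interface, so DNS answers need a rule of
    # their own, as the stock rc.firewall "simple" profile also does.
    $fwcmd add 500 allow tcp from any to ${dnet} ${dmz_ports} setup
    $fwcmd add 510 allow tcp from any to any established
    $fwcmd add 520 allow udp from any 53 to any
    $fwcmd add 530 allow icmp from any to any icmptypes 0,3,8,11

    # Final deny; "log" only reaches syslog with net.inet.ip.fw.verbose=1.
    $fwcmd add 65000 deny log ip from any to any
}

build_ruleset
```

The rule that answers Roger's question is 320: it sits before the DMZ's allow-anything rule 420, so the order of the two lines is what enforces the policy, and the keep-state on 310 is what lets the LAN still use the DMZ servers. Rule 410 exists because after natd has rewritten a LAN packet's source to 217.8.129.69 the packet is re-evaluated from rule 201 onward and would otherwise fall through to the final deny.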