From owner-freebsd-questions Tue Apr 10 8:55:51 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mail.biographix.com (mail.biographix.com [209.47.192.115]) by hub.freebsd.org (Postfix) with ESMTP id 8699337B423 for ; Tue, 10 Apr 2001 08:55:45 -0700 (PDT) (envelope-from eperrin@bigorbit.com)
Received: from bottleneck2000 ([192.168.1.135]) by mail.biographix.com (8.11.3/8.11.3) with SMTP id f3AFt6411083; Tue, 10 Apr 2001 11:55:06 -0400 (EDT) (envelope-from eperrin@bigorbit.com)
Message-ID: <01de01c0c1d7$cd3584e0$8701a8c0@bottleneck2000>
From: "Elliott Perrin"
To: "Roger Svenning", "'freebsd-questions@freebsd.org'"
References:
Subject: Re: routed, natd & ipfirewall [config help needed]
Date: Tue, 10 Apr 2001 12:03:31 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.3018.1300
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I will dig up the rc.firewall replacement I was using and fire it off to you; it was designed for use with a DMZ.

----- Original Message -----
From: "Roger Svenning"
To: "'Elliott Perrin'"; "'freebsd-questions@freebsd.org'"
Sent: Tuesday, April 10, 2001 10:58 AM
Subject: Re: routed, natd & ipfirewall [config help needed]

> Ok, running natd with -u solved the problem. THNX :)
>
> Some advice on how to set up ipfw with the DMZ would be appreciated :-)
>
> -Roger
>
> > -----Original Message-----
> > From: Roger Svenning
> > Sent: 10 April 2001 16:50
> > To: 'Elliott Perrin'; 'freebsd-questions@freebsd.org'
> > Subject: Re: routed, natd & ipfirewall [config help needed]
> >
> > Hi
> >
> > I know that 217.8.130.32/27 is routed properly because it worked when I used
> > it behind natd with redirect_address.
> > And the fact that I get "From c12969.catch.sdsl.no (217.8.129.69):
> > Destination Host Unreachable" when trying to reach a live DMZ address tells
> > us that the ISP is forwarding the request to our router.
> >
> > I'm no expert in setting up ipfw and I would need some advice on how to
> > restrict access to the local network through the DMZ zone, else an intruder
> > who gains access to one of the DMZ machines would easily go from there to
> > our local network.
> >
> > Running routed, natd and ipfw is a bit confusing as I do not know in which
> > order the different daemons are handling the packets.
> >
> > Just for testing purposes I have "allow ip from any to any" in ipfw, which
> > should enable packets to go from xl2 to xl1?
> >
> > -Roger
> >
> > > -----Original Message-----
> > > From: Elliott Perrin [mailto:eperrin@bigorbit.com]
> > > Sent: 10 April 2001 16:55
> > > To: Roger Svenning; 'freebsd-questions@freebsd.org'
> > > Subject: Re: routed, natd & ipfirewall [config help needed]
> > >
> > > You have to make sure that your ISP is routing your subnet to your host
> > > (possible problem, first place to look).
> > >
> > > If the ISP is not routing the 217.8.130.32/27 subnet that you are assigned
> > > to your 217.8.129.69 interface sitting on their network, then the problem
> > > is there. (I actually had this problem with our last ISP; they kept removing
> > > the routes from a router and had a Junior Admin that didn't understand why
> > > they had to be there.)
> > >
> > > If they are doing that already then you probably have a problem with the
> > > rules in IPFW and NATD.
> > >
> > > Make sure that you run NATD with the -u option, which will translate
> > > addresses only for unregistered (RFC1918) addresses, and that NATD is
> > > running on the external interface (in your layout the 217.8.129.69
> > > interface).
> > >
> > > Check through your IPFW rules to make sure you are allowing your DMZ out
> > > to the world, e.g.
> > >
> > > allow all from {DMZ} to any
> > >
> > > (don't use that rule!!!!!, it is just an example)
> > >
> > > Aside from that I have a modified rc.firewall that I used when I was still
> > > running IPFW on a three-interfaced machine with LAN, DMZ and link to our
> > > ISP. Let me know if you want it.
> > >
> > > ----- Original Message -----
> > > From: "Roger Svenning"
> > > To: "'freebsd-questions@freebsd.org'"
> > > Sent: Tuesday, April 10, 2001 10:15 AM
> > > Subject: routed, natd & ipfirewall [config help needed]
> > >
> > > > Hi
> > > >
> > > > I've been running a box with natd & ipfw for connecting our local network
> > > > to the internet and it works just fine.
> > > >
> > > > Now I want to set up a DMZ zone for servers that should be connected
> > > > directly to the net without NAT. I've added a third network card and
> > > > enabled routed, but .. taadaa .. it doesn't work quite as expected :-)
> > > >
> > > > The DMZ zone can be reached from the gateway itself and the internal
> > > > network, but not from the internet.
> > > > The routing from xl2 to xl0 through natd works just fine.
> > > >
> > > > Can anyone give me some advice on how to set this configuration up?
> > > >
> > > > Here's the network layout:
> > > >
> > > > 217.8.129.70 (ISP gateway)
> > > >   |
> > > >   -> 217.8.129.69 (xl2 interface)(255.255.255.252)
> > > >   |
> > > >   -> 217.8.130.62 (xl1 interface)(255.255.255.224) -> DMZ zone
> > > >   |
> > > >   -> 10.0.1.1 (xl0 interface)(255.255.255.0) -> Local network
> > > >
> > > > Roger O. Svenning

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
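Putting the thread's advice together (natd -u on the external interface, the DMZ allowed out to the world, the DMZ blocked from reaching the local network) as an ipfw ruleset for Roger's three-interface layout. This is an added example, not Elliott's rc.firewall or anything posted in the thread: the interface names and addresses come from Roger's diagram, while the rule numbers, the published DMZ ports and the natd command line are assumptions.

```shell
#!/bin/sh
# Three-interface ipfw ruleset for the layout in this thread (constructed
# example, not the rc.firewall mentioned above). Interface names and
# addresses come from Roger's diagram; rule numbers and the published
# DMZ ports are assumptions. Assumes natd runs as "natd -u -n xl2".

oif="xl2"                    # 217.8.129.69/30, link to the ISP
dmzif="xl1"                  # 217.8.130.62/27, DMZ
dmznet="217.8.130.32/27"
lanif="xl0"                  # 10.0.1.1/24, local network
lannet="10.0.1.0/24"
dmzports="80,443"            # assumed services offered by the DMZ

# $1 is the command used for every rule: "fw_rules /sbin/ipfw" loads the
# ruleset, "fw_rules echo" prints it for review without touching the kernel.
fw_rules() {
    fwcmd="${1:-/sbin/ipfw}"
    ${fwcmd} -f flush
    ${fwcmd} add 100 allow ip from any to any via lo0
    ${fwcmd} add 110 deny ip from any to 127.0.0.0/8
    # Anti-spoofing: private LAN or DMZ sources must never arrive from the
    # ISP, and only DMZ addresses may enter on the DMZ interface.
    ${fwcmd} add 200 deny ip from ${lannet} to any in via ${oif}
    ${fwcmd} add 210 deny ip from ${dmznet} to any in via ${oif}
    ${fwcmd} add 220 deny ip from not ${dmznet} to any in via ${dmzif}
    # NAT happens only on the ISP link; with -u natd leaves the DMZ's
    # registered addresses untranslated.
    ${fwcmd} add 300 divert natd ip from any to any via ${oif}
    # Replies to flows admitted below come back through the dynamic rules.
    ${fwcmd} add 400 check-state
    # LAN may open connections to the DMZ; the DMZ may never open any to the
    # LAN, so a compromised DMZ host cannot pivot inward.
    ${fwcmd} add 410 allow ip from ${lannet} to ${dmznet} in via ${lanif} keep-state
    ${fwcmd} add 420 deny log ip from ${dmznet} to ${lannet}
    # LAN out to the world (translated by natd on the way out of xl2).
    ${fwcmd} add 500 allow ip from ${lannet} to any in via ${lanif} keep-state
    # Only the published DMZ services are reachable from the Internet.
    ${fwcmd} add 600 allow tcp from any to ${dmznet} ${dmzports} in via ${oif} setup keep-state
    # DMZ hosts may reach the world (updates, DNS) but not the LAN (rule 420).
    ${fwcmd} add 610 allow ip from ${dmznet} to any in via ${dmzif} keep-state
    # Packets leaving any interface have already passed the inbound checks;
    # this also covers traffic the gateway itself originates.
    ${fwcmd} add 700 allow ip from any to any out keep-state
    ${fwcmd} add 65000 deny log ip from any to any
}

if [ "${1:-}" = "--apply" ]; then fw_rules /sbin/ipfw; else fw_rules echo; fi
```

Rule 420 is what answers Roger's question about keeping an intruder on a DMZ host out of the local network; the 420 deny line in the log output is also the first thing to watch for when a DMZ machine starts behaving oddly.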