Date: Mon, 11 Jun 2001 16:47:29 +0200
From: "Robin Huiser" <robin@bequbed.com>
To: <freebsd-security@FreeBSD.ORG>
Subject: FW: ipfw, natd and routing question
Message-ID: <DEEJKCBNGEENMLAHPCPEOEPLCGAA.robin@bequbed.com>
Hi all,

I hope someone can help me with this problem I'm trying to solve. I think the answer is trivial, but so far I'm stuck.

Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:

                     -- DMZ
                    /
    EXT -- FIREWALL
                    \
                     -- LAN

- The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
- The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
- The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

I use NAT to 'route' traffic from the LAN to the Internet.
I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet.

So far, so good. But... how do I prevent the NAT from 'translating' the IP addresses when a session is set up from the DMZ segment to a host somewhere on the Internet? I want all traffic to be routed from the DMZ subnet to the Internet...

I've tried to alter the natd rule, without any success. The rules I tried didn't work or had bad side effects, so I moved back to the standard natd rule, but everything gets NAT-ed now...

Some examples I tried:

    #
    # The rule below works, but it causes TCP/IP timeouts and a *very* slow
    # connection between the DMZ and EXT subnets...
    #
    ${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any via ${natd_interface}

    #
    # The rule below doesn't work at all (?) Don't know why...
    #
    ${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via ${natd_interface}

Please advise...

Cheers
-- Robin

__________________________________________________________________
Robin Huiser                       robin@bequbed.com
BeQubed N.V.                       http://www.bequbed.com
Veenwal 130                        tel: +31 (30) 6023 626 (OFFICE)
3432 ZE Nieuwegein                     +31 (6) 2061 9842 (MOBILE)
The Netherlands                    fax: +31 (30) 6586 090
__________________________________________________________________
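An added example, not part of Robin's message or of any reply on the list: an ipfw fragment (interface name, alias address and rule numbers are assumptions) that diverts to natd only LAN-originated packets on the way out and packets arriving for the firewall's own external address, so DMZ traffic in both directions is routed untranslated. The second rule Robin tried matched only the outbound LAN packets, so the replies coming back to the alias address never reached natd and were never de-translated.

```shell
#!/bin/sh
# Added example (not from the original post). Variable names follow
# /etc/rc.firewall; the interface name and alias address are assumptions
# and the x.x.242.* values are placeholders in the post's own notation.
fwcmd="${fwcmd:-/sbin/ipfw}"
natd_interface="${natd_interface:-fxp0}"     # assumed EXT interface
ext_ip="${ext_ip:-x.x.242.33}"               # assumed alias address (natd -a/-n)
lan_net="192.168.1.0/24"
dmz_net="x.x.242.48/28"                      # 255.255.255.240 is /28

nat_rules() {
    # Outbound: only packets whose source is in the LAN are handed to natd.
    # A packet from a DMZ host has a public source and never matches, so its
    # address is left alone and it is simply routed.
    $fwcmd add 100 divert natd ip from $lan_net to any out via $natd_interface

    # Inbound: only packets addressed to the alias address are handed to natd,
    # which maps them back to the LAN host that opened the session. Replies
    # to DMZ hosts carry a DMZ destination, never match, and are routed as-is.
    $fwcmd add 110 divert natd ip from any to $ext_ip in via $natd_interface

    # Plain routing for the DMZ in both directions, no translation involved.
    $fwcmd add 200 allow ip from $dmz_net to any via $natd_interface
    $fwcmd add 210 allow ip from any to $dmz_net via $natd_interface
}

# Print the rules with "sh script.sh", load them for real with
# "sh script.sh apply" (natd must run with -n $natd_interface or -a $ext_ip).
case "${1:-}" in
    apply) nat_rules ;;
    *)     fwcmd=echo; nat_rules ;;
esac
```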