From owner-freebsd-security Mon Jun 11 7:47:46 2001
Delivered-To: freebsd-security@freebsd.org
From: "Robin Huiser"
Subject: FW: ipfw, natd and routing question
Date: Mon, 11 Jun 2001 16:47:29 +0200
Sender: owner-freebsd-security@FreeBSD.ORG

Hi all,

I hope someone can help me with this problem I'm trying to solve. I think the
answer is trivial, but so far I'm stuck.

Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:

                 -- DMZ
                /
EXT--FIREWALL---
                \
                 -- LAN

- The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
- The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
- The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

I use NAT to 'route' traffic from the LAN to the Internet.
I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet.

So far, so good. But... how do I prevent the NAT from 'translating' the IP
addresses when a session is set up from the DMZ segment to a host somewhere on
the Internet? I want all traffic to be routed from the DMZ subnet to the
Internet...

I've tried to alter the natd rule, without any success.
The rules I tried didn't work or had bad side effects, so I moved back to the
standard natd rule, but everything gets NAT-ed now... Some examples I tried:

#
# The rule below works, but it causes TCP/IP timeouts and a *very* slow
# connection between the DMZ and EXT subnets...
#
${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any via ${natd_interface}

#
# The rule below doesn't work at all (?) Don't know why...
#
${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via ${natd_interface}

Please advise...

Cheers
-- Robin
__________________________________________________________________
Robin Huiser                         robin@bequbed.com
BeQubed N.V.                         http://www.bequbed.com
Veenwal 130                          tel: +31 (30) 6023 626 (OFFICE)
3432 ZE                                   +31 (6) 2061 9842 (MOBILE)
Nieuwegein                           fax: +31 (30) 6586 090
The Netherlands
__________________________________________________________________
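Added example, not part of the mail above: a small Python model of how ipfw divert rules on the EXT interface classify the LAN and DMZ sessions the post describes, showing why the "from 192.168.1.0/24 to any via ext" attempt never hands the return packets to natd, and how a pair of per-direction rules diverts LAN traffic in both directions while leaving DMZ sessions alone. The addresses are constructed stand-ins for the x.x.242.* ranges in the post, and the matcher models only the src/dst/in/out/via keywords.

```python
import ipaddress
# Constructed addresses: 198.51.100.34 is the firewall's EXT address (x.x.242.32/28
# in the post), 198.51.100.48/28 the DMZ, 203.0.113.0/24 "the Internet".
ip = ipaddress.ip_address
EXT_IP = ip("198.51.100.34")
ANY = ipaddress.ip_network("0.0.0.0/0")

def net(spec):
    """'any', '1.2.3.0/28' or 'not 1.2.3.0/28' -> (negated, network)."""
    negated = spec.startswith("not ")
    spec = spec[4:] if negated else spec
    return negated, ANY if spec == "any" else ipaddress.ip_network(spec)

def rule(src, dst, direction=None):
    """Matcher for 'divert natd ip from SRC to DST [in|out] via ext'.
    A bare 'via' matches packets crossing the interface in either direction."""
    (nsrc, snet), (ndst, dnet) = net(src), net(dst)
    def match(pkt):
        s, d, iface, dirn = pkt
        if iface != "ext" or (direction and dirn != direction):
            return False
        return ((s in snet) != nsrc) and ((d in dnet) != ndst)
    return match

def diverted(rules, pkt):
    """Index of the first rule that would hand pkt to natd, else None."""
    return next((i for i, m in enumerate(rules) if m(pkt)), None)

# Sample packets (src, dst, iface, direction): a LAN and a DMZ session, plus replies on EXT.
PKTS = {
    "lan_out":  (ip("192.168.1.10"), ip("203.0.113.5"), "ext", "out"),
    "lan_back": (ip("203.0.113.5"), EXT_IP, "ext", "in"),   # reply to the NAT'd address
    "dmz_out":  (ip("198.51.100.50"), ip("203.0.113.5"), "ext", "out"),
    "dmz_back": (ip("203.0.113.5"), ip("198.51.100.50"), "ext", "in"),
}
# The post's second attempt: only LAN-sourced packets are diverted, so the reply
# addressed to EXT_IP never reaches natd and the translation is never undone.
LAN_SRC_ONLY = [rule("192.168.1.0/24", "any")]
# The post's first attempt: everything not from the DMZ, in both directions,
# which still hands Internet-to-DMZ replies to natd.
NOT_DMZ = [rule("not 198.51.100.48/28", "any")]
# Per-direction rules: LAN traffic going out, and only packets addressed to the
# firewall's own EXT address coming back in; DMZ sessions are never diverted.
PER_DIRECTION = [rule("192.168.1.0/24", "any", "out"),
                 rule("any", "198.51.100.34/32", "in")]

def summary(rules):
    """For each sample packet, whether the rule set hands it to natd."""
    return {name: diverted(rules, pkt) is not None for name, pkt in PKTS.items()}
```

natd(8)'s -unregistered_only option, which translates only packets with RFC 1918 source addresses, is the other standard way to keep the DMZ's registered addresses out of the NAT table.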