Date: Thu, 02 Aug 2007 19:51:53 +0200
From: Gabriele Cecchetti <gabriele@sssup.it>
To: freebsd-ipfw@freebsd.org, Luigi Rizzo <rizzo@icir.org>
Subject: ipfw natd and carp for redundant server
Message-ID: <46B219B9.2060706@sssup.it>
Hi!
I have set up the following network:

                    |- ServerF2 (if_wan0: x.y.z.2)
Internet_Router|---|                  (if_carp0: x.y.z.6)
                    |- ServerF3 (if_wan0: x.y.z.3)
                    |
                    |------ ServerG (if_lan0: 10.30.3.x)

Servers F2 and F3 have a carp interface configured for (high) availability,
with address x.y.z.6.
Servers F2 and F3 have a web server which listens on port 80.
I need to reach some services of the internal server from the outside network
(e.g. ssh, cvs, etc.)
What I have done in /etc/ipfw.rules:
(It is not a secure configuration! Just to test what I need!)
#
flush
#
# Setup loopback
#
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
#
# Allow important services through unmodified address and ports
#
add 900 allow tcp from any to any 80,443
#
# Divert
#
add 1100 divert natd ip4 from any to any via wan0
#
# Default: allow everything
#
add 65000 allow ip from any to any
and for /etc/natd.conf
#
interface wan0
same_ports
use_sockets
log
#
# Server G
#
redirect_port tcp 10.30.3.4:22 44022
redirect_port tcp 10.30.3.4:993 44993
redirect_port tcp 10.30.3.4:2401 2401
redirect_port tcp 10.30.3.4:9418 9418
######################################
With this configuration I can reach ServerG from the Internet only
if I use the address x.y.z.2 (or x.y.z.3, which is a clone of the .2
machine).
I would like to reach ServerG with the address x.y.z.6, which is the
common redundant address.
Any idea or suggestion?
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?46B219B9.2060706>
