From owner-freebsd-security Wed May 15 7:17:16 2002
Delivered-To: freebsd-security@freebsd.org
From: "Miroslav Pendev"
To: "Neil Blakey-Milner"
Subject: Re: ipfw + nat + port_redirect - works, but not for the internal net
Date: Wed, 15 May 2002 10:19:14 -0400

> On Tue 2002-05-14 (15:26), Miroslav Pendev wrote:
> > Hi Aragon, thanks for the info
> > I will take a look at data(and sock)pipe.
> >
> > > Personally, what I'd do is simply connect directly to 192.168.1.100 instead
> > > of trying to go via your freebsd gateway.
> >
> > Yes, the direct access to 192.168.1.100:80 is OK!
> > But here is what I have:
> >
> > A web server in the *Internet* is serving web pages with some forms and then
> > the data is sent to the internal (behind the firewall)
> > apache + php server.
> > Everything works just perfectly for the clients
> > (hosts from the Internet) but it doesn't work for the people
> > in the internal network. I do not want to make a mirror
> > site only because I don't know (for now) how to get this
> > working.
> >
> > Thanks anyway!
>
> Basically, I think you just need to make sure you NAT the traffic
> arriving on the internal interface.
>
> For example, if you have:
>
> add 7000 divert natd ip from any to any via ${extif}
>
> You probably need:
>
> add 7000 divert natd ip from any to any via ${extif}
> add 7005 divert natd ip from any to any via ${intif}
>
> I could be entirely wrong, but this works for me in about 12
> installations.
>
> Just make sure you're using 'unregistered_only', or some things get a
> bit confusing - "double NAT" causing all traffic to end up being from
> the alias address, not the specific redirect_address.
>

Hi Guys!

That did it!!! It works. I don't know if this is the *right way* for that
problem, but it works!

Thanks to all of you guys for the advice that I did (or didn't ;) try!

For the people looking for the answer to the same problem in the mail
archives - here is what I have in rc.firewall (in my firewall type):

# this is the default entry for NAT to work
${fwcmd} add divert natd all from any to any via ${natd_interface}

# the new row for the internal hosts - thanks Neil
${fwcmd} add divert natd ip from any to any via ${iif}
-------------

I was able to redirect two ports: 21 -> 21 and 9090 -> 80
The redirection works for both ftp and http.

Vladimir, thanks for your advice, anyway!

There are some other ways to get *this* working, but I do not have the time
to try them now! Maybe this weekend ;-) who knows...

If some IPFW - NAT guru is reading this: I will appreciate his opinion!
So far I do not know a better way...

Can we put the answer to this into the FreeBSD Handbook - or at least into
the FAQs?

Thanks, one more time, for your time guys!
Neil!, Vladimir, Carroll, Aragon, Michael (did I forget somebody ;)!
--Miro

"That's all folks!..."

Have a nice IP Firewall-ing...

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
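As an added example (not code from the thread, and not a FreeBSD project script), here is what Neil's two-divert-rule suggestion and Miro's rc.firewall lines amount to when written out as one POSIX sh script: the natd.conf with the redirects and unregistered_only, the two ipfw divert rules, and a small check that every interface you expect traffic on really has its divert. The interface names fxp0 and xl0, the rule numbers and the rc.conf variable names are assumptions; 192.168.1.100 and the 21->21 / 9090->80 redirects come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a complete natd + ipfw layout for the
# "port redirect that also works from the inside" case discussed above.
# Interface names, the server address and the rule numbers are assumptions.

extif="fxp0"               # assumed: interface holding the public address
intif="xl0"                # assumed: interface facing the 192.168.1.0/24 LAN
inside_web="192.168.1.100" # internal apache+php host from the thread

# natd.conf: the two redirects plus unregistered_only, so natd only aliases
# packets whose source is an RFC 1918 address (Neil's "double NAT" caveat).
natd_conf() {
    cat <<EOF
interface ${extif}
unregistered_only yes
redirect_port tcp ${inside_web}:21 21
redirect_port tcp ${inside_web}:80 9090
EOF
}

# ipfw rules: the usual divert on the external interface, plus a second
# divert on the internal interface. Without the second one, an internal
# client connecting to <public-ip>:9090 never passes through natd, so the
# redirect is never applied and the connection simply fails.
ipfw_rules() {
    cat <<EOF
add 7000 divert natd ip from any to any via ${extif}
add 7005 divert natd ip from any to any via ${intif}
EOF
}

# Sanity check: every interface named as an argument must have its own
# divert rule. Returns 0 if all are covered, 1 on the first one missing.
divert_covers() {
    for ifn in "$@"; do
        ipfw_rules | grep -q " via ${ifn}\$" || return 1
    done
    return 0
}

# Load the rules on a FreeBSD box (ipfw present); elsewhere only show them.
apply_rules() {
    if command -v ipfw >/dev/null 2>&1; then
        ipfw_rules | while read -r rule; do
            ipfw ${rule}   # unquoted on purpose: split into ipfw arguments
        done
    else
        echo "ipfw not found; rules that would be loaded:"
        ipfw_rules
    fi
}
```

To use it on the gateway: write the output of `natd_conf` to /etc/natd.conf, set `natd_enable="YES"`, `natd_interface="fxp0"` and `natd_flags="-f /etc/natd.conf"` in /etc/rc.conf, and call `apply_rules` (or paste the two rules into your rc.firewall type). `divert_covers fxp0 xl0` is the check to run after editing the rule set; forgetting the internal interface is exactly the symptom the thread started with.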