Date:      Wed, 24 Nov 1999 08:36:55 +1100
From:      Tony Landells <ahl@austclear.com.au>
To:        "Alexandr Gribenko" <aeg@iname.com>
Cc:        freebsd-ipfw@FreeBSD.ORG
Subject:   Re: IPFW and forward 
Message-ID:  <199911232136.IAA05162@tungsten.austclear.com.au>
In-Reply-To: Your message of "Wed, 24 Nov 1999 11:26:12 +0200." <002e01bf365d$f58fe590$da0c08d5@AEG>

> I have a common problem with some of my clients...
> Let's say I have an inside network of 10.10.10.0/255 and an outside of
> 192.117.193.192/24 with a CISCO at 192.117.193.193.
> I have a firewall with natd diverting all the packets at the outside interface.
> I use 192.117.193.194 and 10.10.10.1 for my BSD network interfaces.
> What I want to accomplish is to establish a server in the inside network at,
> say, 10.10.10.2 that will get all the traffic for, let's say, 192.117.193.195.
> I have packets for this IP routed from the CISCO (192.117.193.193) to
> 192.117.193.194, which is the FreeBSD with ipfw I am talking about.
> The question is HOW???? Is it fwd or divert? What will the command be???

This is divert with natd--use something like:

	-redirect_address 10.10.10.2 192.117.193.195

which will set up a "static" translation between those two addresses.

Personally, if I'm using an internal system I'm more likely to restrict
things to ONLY one or two services, so instead I'd have something like:

	-redirect_port tcp 10.10.10.2:80 192.117.193.195:80

if the internal system was running a Web server.

Why do I prefer this?  It means that an attack can only be launched on
that system using HTTP (which is probably bad enough) even if I have a
gaping hole in the rest of my ipfw rules--the packets have nowhere to
go.  If I just use "redirect_address", anything that gets through my
ipfw rules will get to the internal system.

Cheers,
Tony
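The two natd settings Tony compares, written out as an added example for the topology in the question (this is not code from the thread). Addresses are the ones given above; the interface name ed0, natd's divert port 8668 and the rule numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. Addresses come from the
# question; ed0 and divert port 8668 (natd's default) are assumptions.
OIF=ed0                  # assumed outside interface (192.117.193.194)
ALIAS_IP=192.117.193.195 # public address routed to the FreeBSD box
INSIDE_WEB=10.10.10.2    # internal web server
NATD_PORT=8668           # divert port natd listens on

# Preferred natd.conf: only TCP/80 on the alias address is mapped. A packet
# for any other port of 192.117.193.195 is left untranslated by natd and
# falls through to the final deny: it has "nowhere to go".
natd_conf_port() {
    cat <<EOF
interface $OIF
use_sockets yes
same_ports yes
redirect_port tcp $INSIDE_WEB:80 $ALIAS_IP:80
EOF
}

# The weaker alternative: every port on the alias address is translated to
# the internal host, so the ipfw rules are the only thing limiting exposure.
natd_conf_static() {
    cat <<EOF
interface $OIF
redirect_address $INSIDE_WEB $ALIAS_IP
EOF
}

# ipfw ruleset: divert to natd first on the outside interface, so the rules
# after it see the already-translated (inside) address. Only web traffic to
# the internal server and established connections are allowed in.
ipfw_rules() {
    cat <<EOF
ipfw -f flush
ipfw add 100 divert $NATD_PORT ip from any to any via $OIF
ipfw add 200 allow tcp from any to $INSIDE_WEB 80 in via $OIF setup
ipfw add 300 allow tcp from any to any established
ipfw add 400 allow ip from any to any out via $OIF
ipfw add 500 allow ip from any to any via lo0
ipfw add 65000 deny log ip from any to any
EOF
}

# Print what would be loaded. On a FreeBSD box with ipfw, run
# "ipfw_rules | sh" and start natd with "natd -f" on the generated file.
natd_conf_port
ipfw_rules
```

The inside interface still needs its own allow rule (omitted here); the point is that with redirect_port the only inbound path through the translation is TCP/80 to 10.10.10.2.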