From owner-freebsd-ipfw Tue Nov 23 13:37:51 1999
Delivered-To: freebsd-ipfw@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id A074F153BA for ; Tue, 23 Nov 1999 13:37:45 -0800 (PST) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA65129; Wed, 24 Nov 1999 08:35:11 +1100 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id IAA05162; Wed, 24 Nov 1999 08:36:56 +1100 (EST)
Message-Id: <199911232136.IAA05162@tungsten.austclear.com.au>
X-Mailer: exmh version 2.0.1 12/23/97
To: "Alexandr Gribenko"
Cc: freebsd-ipfw@FreeBSD.ORG
Subject: Re: IPFW and forward
In-Reply-To: Your message of "Wed, 24 Nov 1999 11:26:12 +0200." <002e01bf365d$f58fe590$da0c08d5@AEG>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Wed, 24 Nov 1999 08:36:55 +1100
From: Tony Landells
Sender: owner-freebsd-ipfw@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> I have a common problem with some of my clients...
> Let's say I have an inside network of 10.10.10.0/255 and outside of
> 192.117.193.192/24 with CISCO at 192.117.193.193
> I have a firewall with natd diverting all the packets at the outside interface.
> I use 192.117.193.194 and 10.10.10.1 for my BSD network interfaces
> What I want to accomplish is to establish a server in the inside network at,
> say 10.10.10.2 that will get all the traffic for let's say 192.117.193.195
> I have packets for this IP routed from CISCO(192.117.193.193) to
> 192.117.193.194 which is the FreeBSD with ipfw I am talking about.
> The question is HOW???? Is it fwd or divert. What will the command be???

This is divert with natd--use something like:

	-redirect_address 10.10.10.2 192.117.193.195

which will set up a "static" translation between those two addresses.

Personally, if I'm using an internal system I'm more likely to restrict
things to ONLY one or two services, so instead I'd have something like:

	-redirect_port tcp 10.10.10.2:80 192.117.193.195:80

if the internal system was running a Web server.

Why do I prefer this?  It means that an attack can only be launched on
that system using HTTP (which is probably bad enough) even if I have a
gaping hole in the rest of my ipfw rules--the packets have nowhere to
go.  If I just use "redirect_address", anything that gets through my
ipfw rules will get to the internal system.

Cheers,
Tony

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message
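The exposure difference Tony describes between -redirect_address and -redirect_port can be made concrete with a small model. The following Python is an added example, not part of the thread and not natd's own code: it parses the two directive forms quoted above, decides where an inbound packet to the alias address 192.117.193.195 is delivered, and counts how many (protocol, port) pairs reach 10.10.10.2 under each form. It assumes inbound traffic only, no connection state, that the first matching directive wins, and that anything natd does not translate stays addressed to the BSD host itself (where the ipfw ruleset still applies); the well-known port range 1-1023 used for the count is a constructed choice for illustration.

```python
"""Toy model of natd's inbound redirection, written to illustrate the thread.

Constructed example, not natd's source.  It parses the two directive forms
from the thread (-redirect_address and -redirect_port), decides where an
inbound packet to the alias address ends up, and counts how many
(protocol, port) pairs reach the internal host under each form.
Assumptions: inbound traffic only, no connection state, first matching
directive wins, and anything natd does not translate stays addressed to the
firewall's own alias IP, where the ipfw rules on the BSD host still apply.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Redirect:
    proto: Optional[str]        # None = any protocol (redirect_address form)
    alias_ip: str               # public address natd answers for
    alias_port: Optional[int]   # None for redirect_address
    target_ip: str              # internal host
    target_port: Optional[int]  # None for redirect_address


def parse_redirect(line: str) -> Redirect:
    """Parse one natd-style directive.

    Accepted shapes (the two from the thread):
      -redirect_address <internal_ip> <alias_ip>
      -redirect_port <proto> <internal_ip:port> <alias_ip:port>
    """
    parts = line.split()
    if len(parts) == 3 and parts[0] == "-redirect_address":
        return Redirect(None, parts[2], None, parts[1], None)
    if len(parts) == 4 and parts[0] == "-redirect_port":
        target_ip, target_port = parts[2].rsplit(":", 1)
        alias_ip, alias_port = parts[3].rsplit(":", 1)
        return Redirect(parts[1].lower(), alias_ip, int(alias_port),
                        target_ip, int(target_port))
    raise ValueError(f"unsupported directive: {line!r}")


def translate(rules: Iterable[Redirect], proto: str,
              dst_ip: str, dst_port: int) -> Tuple[str, int]:
    """Return the (ip, port) an inbound packet is delivered to.

    First matching rule wins.  A redirect_address rule forwards every
    protocol and port; a redirect_port rule forwards exactly one pair.
    """
    for rule in rules:
        if rule.alias_ip != dst_ip:
            continue
        if rule.proto is None:
            return (rule.target_ip, dst_port)
        if rule.proto == proto and rule.alias_port == dst_port:
            return (rule.target_ip, rule.target_port)
    return (dst_ip, dst_port)  # untranslated: stays on the firewall host


def exposed_pairs(rules: Iterable[Redirect], internal_ip: str, alias_ip: str,
                  ports: Iterable[int] = range(1, 1024)) -> List[Tuple[str, int]]:
    """List the (proto, port) pairs in `ports` that natd hands to internal_ip.

    This is the surface the ipfw ruleset must then cover: every pair under a
    static address translation, a single pair under a port redirect.  The
    well-known range is a constructed default for illustration.
    """
    rules = list(rules)
    hits = []
    for proto in ("tcp", "udp"):
        for port in ports:
            ip, _ = translate(rules, proto, alias_ip, port)
            if ip == internal_ip:
                hits.append((proto, port))
    return hits


# The two directives quoted in the thread.
ADDRESS_RULES = [parse_redirect("-redirect_address 10.10.10.2 192.117.193.195")]
PORT_RULES = [parse_redirect("-redirect_port tcp 10.10.10.2:80 192.117.193.195:80")]

if __name__ == "__main__":
    for name, rules in (("redirect_address", ADDRESS_RULES),
                        ("redirect_port", PORT_RULES)):
        hits = exposed_pairs(rules, "10.10.10.2", "192.117.193.195")
        print(f"{name}: {len(hits)} (proto, port) pairs reach 10.10.10.2")
    # A UDP/53 packet to the alias: forwarded under redirect_address,
    # stays on the BSD host under redirect_port.
    print(translate(ADDRESS_RULES, "udp", "192.117.193.195", 53))
    print(translate(PORT_RULES, "udp", "192.117.193.195", 53))
```

Run stand-alone it reports 2046 reachable pairs for the address form against one for the port form, which is the point of the reply: with -redirect_port the ipfw ruleset only has to be right about tcp/80, because nothing else addressed to 192.117.193.195 is ever handed to 10.10.10.2.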