From owner-freebsd-ipfw@FreeBSD.ORG Fri Mar 19 19:23:33 2004
Date: Sat, 20 Mar 2004 14:23:28 +1100
From: Tony Frank
To: ktulu@net2000.com.au
cc: freebsd-net@freebsd.org
cc: freebsd-ipfw@freebsd.org
Subject: Re: port forwarding and ipfw rules
Message-ID: <20040320032328.GA66773@marvin.home.local>
In-Reply-To: <1079670127.405a756f4bafe@secure.net2000.com.au>

Hi there,

On Fri, Mar 19, 2004 at 03:22:07PM +1100, ktulu@net2000.com.au wrote:
> Hi All,
>
> I have posted this question before, but I don't think I made myself very clear
> in what I was hoping to achieve. Hopefully, this post will help out.
>
> I have a situation where I have one network interface (fxp1) connected to the
> network with the IP address xxx.xxx.19.110 which is port forwarding (on port
> 443) to a host xxx.xxx.19.109. Currently, this situation works fine.
>
> The problem I'm having is that I have two of these machines doing the same thing
> and I require the ability for one machine to take over from the other in the
> event of a hardware failure, etc. The diagram below basically shows what I want
> to achieve:
>
>
>                     Internet
>                    ----------
>                        |
>                        |
>                        |
>                  fxp1  |  fxp1
>               .19.110  |  .19.111
>                        | (alias)
>                        |
>                -----------------
>                |      FW       |
>                | Default route |
>                | xx.xx.19.225  |
>                |               |
>                -----------------
>                        |
>                       / \
>                fxp1  /   \  fxp1
>             .19.110 /     \ .19.111 (alias)
>                    /       \
>                   /         \
>                  /           \
>                 /             \
>                /               \
>               /                 \
>              /                   \
>           -----                 -----
>           |   |                 |   |
>           |   |                 |   |
>           |   |                 |   |
>           |   |                 |   |
>           -----                 -----
>        Web Server            Web Server
>     x.x.19.109:443         x.x.19.102:443

fxp1 seems to be very busy in this picture.

My understanding is that you want to do:

1. redirect any connections to .19.110:443 to .19.109:443
2. redirect any connections to .19.111:443 to .19.102:443

Assuming your uplink is sending traffic for .19.110 and .19.111 to your
interface (fxp1) (you can do this by aliasing 111 to the 110 interface as
you already indicated), you just need a natd.conf with something like this
in it:

    redirect_port tcp .19.109:443 .19.110:443
    redirect_port tcp .19.102:443 .19.111:443

I got it going with a similar kind of setup. In my case I used port 80 and
tried to get a network set up as I understand your description, something
like the below:

              (internet)
                   |
               public IP
               +------+
               | fxp0 |   In my case this one runs natd/squid
               | ext. |   so all queries to internal net appear to
               | f/w  |   originate from .10
               | fxp2 |
               +------+
                   | .10
           +-------+------+---------+
      .110 |  .111        | .109    | .102
       +------+       +------+   +------+
       | fxp0 |       | fxp0 |   | fxp0 |
       | g/w  |       | www1 |   | www2 |
       +------+       +------+   +------+

g/w is running ipfw + natd to divert traffic.
www1 and www2 are simple servers running apache.

tcpdump shows:

1. syn packet comes in to 110:80
2. syn packet is sent out to 109:80 (rewritten by natd to appear from 110:80)
3. syn+ack comes back to 110
4. 110 forwards back to original source

and so on for the rest of the connection.

Same deal for traffic to 111 (tcpdump output below).

Note: www1 and www2 see the traffic as originating from .110 and reply
appropriately. .110 sends it all to natd which replaces the IP headers so
the reply traffic has source either .110 or .111 depending on where the
request came from.

Also my g/w (.110) is currently 5.2.1 but the config should be the same
for 4.9.

Details follow:

/etc/natd.conf:

    log yes
    dynamic yes
    log_denied yes
    deny_incoming no
    use_sockets yes
    same_ports yes
    target_address 255.255.255.255
    log_ipfw_denied yes
    redirect_port tcp 192.168.200.109:80 192.168.200.110:80
    redirect_port tcp 192.168.200.102:80 192.168.200.111:80

ifconfig -a:

    midway# ifconfig -a
    fxp0: flags=8943 mtu 1500
            inet 192.168.200.110 netmask 0xffffff00 broadcast 192.168.200.255
            inet 192.168.200.111 netmask 0xffffffff broadcast 192.168.200.111
            ether 00:06:29:f1:82:72
            media: Ethernet autoselect (100baseTX )
            status: active
    plip0: flags=8810 mtu 1500
    lo0: flags=8049 mtu 16384
            inet 127.0.0.1 netmask 0xff000000

ipfw rules:

    00050 216691 60715152 divert 8668 ip from any to any via fxp0
    00100      0        0 allow ip from any to any via lo0
    00200      0        0 deny ip from any to 127.0.0.0/8
    00300      0        0 deny ip from 127.0.0.0/8 to any
    65000 212716 60372772 allow ip from any to any
    65535      0        0 deny ip from any to any

tcpdumps of the traffic:

    13:47:25.595348 192.168.200.10.3881 > 192.168.200.110.80: S 642583182:642583182(0) win 65535 (DF)
    13:47:25.596052 192.168.200.110.3881 > 192.168.200.109.80: S 642583182:642583182(0) win 65535 (DF)
    13:47:25.596121 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
    13:47:25.596495 192.168.200.109.80 > 192.168.200.110.3881: S 1971745869:1971745869(0) ack 642583183 win 65535 (DF)
    13:47:25.596712 192.168.200.110.80 > 192.168.200.10.3881: S 1971745869:1971745869(0) ack 642583183 win 65535 (DF)
    13:47:25.596791 192.168.200.110 > 192.168.200.109: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
    13:47:25.596847 192.168.200.10.3881 > 192.168.200.110.80: . ack 1 win 33304 (DF)
    13:47:25.597035 192.168.200.110.3881 > 192.168.200.109.80: . ack 1 win 33304 (DF)
    13:47:25.597098 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
    13:47:25.597211 192.168.200.10.3881 > 192.168.200.110.80: P 1:509(508) ack 1 win 33304 (DF)
    13:47:25.597415 192.168.200.110.3881 > 192.168.200.109.80: P 1:509(508) ack 1 win 33304 (DF)
    13:47:25.597480 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
    13:47:25.616863 192.168.200.109.80 > 192.168.200.110.3881: P 1:274(273) ack 509 win 33304 (DF)
    13:47:25.617161 192.168.200.110.80 > 192.168.200.10.3881: P 1:274(273) ack 509 win 33304 (DF)
    13:47:25.617227 192.168.200.110 > 192.168.200.109: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
    13:47:25.716982 192.168.200.10.3881 > 192.168.200.110.80: . ack 274 win 33304 (DF)
    13:47:25.717368 192.168.200.110.3881 > 192.168.200.109.80: . ack 274 win 33304 (DF)
    13:47:25.717436 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)

    13:49:48.703004 192.168.200.10.3882 > 192.168.200.111.80: S 3017889378:3017889378(0) win 65535 (DF)
    13:49:48.703591 192.168.200.110.3882 > 192.168.200.102.80: S 3017889378:3017889378(0) win 65535 (DF)
    13:49:48.703680 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
    13:49:48.703941 192.168.200.102.80 > 192.168.200.110.3882: S 33897141:33897141(0) ack 3017889379 win 65535 (DF)
    13:49:48.704137 192.168.200.111.80 > 192.168.200.10.3882: S 33897141:33897141(0) ack 3017889379 win 65535 (DF)
    13:49:48.704201 192.168.200.110 > 192.168.200.102: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
    13:49:48.704270 192.168.200.10.3882 > 192.168.200.111.80: . ack 1 win 33304 (DF)
    13:49:48.704458 192.168.200.110.3882 > 192.168.200.102.80: . ack 1 win 33304 (DF)
    13:49:48.704521 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
    13:49:48.704636 192.168.200.10.3882 > 192.168.200.111.80: P 1:509(508) ack 1 win 33304 (DF)
    13:49:48.704839 192.168.200.110.3882 > 192.168.200.102.80: P 1:509(508) ack 1 win 33304 (DF)
    13:49:48.704904 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)
    13:49:48.718553 192.168.200.102.80 > 192.168.200.110.3882: P 1:274(273) ack 509 win 33304 (DF)
    13:49:48.718844 192.168.200.111.80 > 192.168.200.10.3882: P 1:274(273) ack 509 win 33304 (DF)
    13:49:48.718910 192.168.200.110 > 192.168.200.102: icmp: redirect 192.168.200.10 to host 192.168.200.10 (DF)
    13:49:48.818588 192.168.200.10.3882 > 192.168.200.111.80: . ack 274 win 33304 (DF)
    13:49:48.818947 192.168.200.110.3882 > 192.168.200.102.80: . ack 274 win 33304 (DF)
    13:49:48.819014 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.102 to host 192.168.200.102 (DF)

> This configuration must be able to be added and removed dynamically without
> affecting the existing network setup (other than changing ipfw rules). Below
> are the relevant sections of my current configuration settings:

Should be able to do this by using ifconfig to add/remove an alias on the
interface. There are various tools in ports to do this automatically.

If the mappings are static, you should be able to have all combinations
defined in a standard natd config file.

Hope it helps,

Tony
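The check a practitioner would want after wiring this up is that the translation natd actually performs on the wire matches the redirect_port table it was given. The following is an added example, not code from the thread or from FreeBSD: it parses natd.conf and the SYN lines of a tcpdump capture like the one above, pairs each inbound SYN with the rewritten SYN that leaves the divert socket (natd keeps the client's sequence number and, with same_ports yes, the source port), and compares the observed alias-to-server mapping with the configured one. The embedded config and capture lines are copied from the message; the function names are the example's own.

```python
"""Verify observed natd redirects against natd.conf (added example)."""
import re

# Copied from the posted /etc/natd.conf (only the redirect_port lines matter here).
NATD_CONF = """\
redirect_port tcp 192.168.200.109:80 192.168.200.110:80
redirect_port tcp 192.168.200.102:80 192.168.200.111:80
"""

# Constructed from the posted tcpdump output: the SYN pair for each flow plus
# one of the ICMP redirect lines, to show that non-SYN lines are ignored.
CAPTURE = """\
13:47:25.595348 192.168.200.10.3881 > 192.168.200.110.80: S 642583182:642583182(0) win 65535 (DF)
13:47:25.596052 192.168.200.110.3881 > 192.168.200.109.80: S 642583182:642583182(0) win 65535 (DF)
13:47:25.596121 192.168.200.110 > 192.168.200.10: icmp: redirect 192.168.200.109 to host 192.168.200.109 (DF)
13:49:48.703004 192.168.200.10.3882 > 192.168.200.111.80: S 3017889378:3017889378(0) win 65535 (DF)
13:49:48.703591 192.168.200.110.3882 > 192.168.200.102.80: S 3017889378:3017889378(0) win 65535 (DF)
"""

# timestamp src.port > dst.port: S seq:...   (old-style tcpdump TCP line)
SYN_LINE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): S (\d+):")


def parse_natd(conf):
    """redirect_port tcp target:port alias:port  ->  {(alias, port): (target, port)}"""
    table = {}
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "redirect_port" and parts[1] == "tcp":
            tgt_ip, tgt_port = parts[2].rsplit(":", 1)
            alias_ip, alias_port = parts[3].rsplit(":", 1)
            table[(alias_ip, int(alias_port))] = (tgt_ip, int(tgt_port))
    return table


def observed_redirects(dump):
    """Return {(alias, port): (server, port)} as seen on the wire.

    The first SYN with a given (seq, sport) is the client's packet to the
    alias address; the second is natd's rewritten copy to the real server.
    """
    first_syn, mapping = {}, {}
    for line in dump.splitlines():
        m = SYN_LINE.match(line)
        if not m:
            continue  # ACK, data and ICMP lines carry no new mapping information
        _src, sport, dst, dport, seq = m.groups()
        key = (seq, sport)
        if key not in first_syn:
            first_syn[key] = (dst, int(dport))
        else:
            mapping[first_syn[key]] = (dst, int(dport))
    return mapping


def check(conf, dump):
    """True when every redirect seen on the wire is one natd was configured to do."""
    return observed_redirects(dump) == parse_natd(conf)
```

The icmp: redirect lines in the capture are the gateway telling the client to reach the server directly, which happens because client, gateway and web servers share one subnet in this test; they are not part of the NAT exchange, so the parser ignores them.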