Date:      Tue, 12 Jun 2001 13:57:03 -0700
From:      John Keck <jkeck@NextLeft.COM>
To:        "'Robin Huiser'" <robin@bequbed.com>, freebsd-security@FreeBSD.ORG
Subject:   RE: ipfw, natd and routing question
Message-ID:  <40B05F13113ED411A91E00D0B71A7DAC127369@durban.sea.com>


The first case diverts incoming packets for the DMZ, which you don't want.
The second case fails to divert response packets for the inside, which you
do want.  Try:

${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to not x.x.242.48:255.255.255.240 via ${natd_interface}

Hope this helps...
J. Keck
NextLeft, Inc.
San Diego, CA  USA
jkeck@nextleft.com


-----Original Message-----
From: Robin Huiser [mailto:robin@bequbed.com]
Sent: Monday, June 11, 2001 7:47 AM
To: freebsd-security@FreeBSD.ORG
Subject: FW: ipfw, natd and routing question


Hi all,

I hope someone can help me with this problem I'm trying to solve. I think
the answer is trivial, but so far I'm stuck.

Our FreeBSD 4.2-STABLE firewall has three network cards as shown below:

                                -- DMZ
                               /
               EXT--FIREWALL---
                               \
                                -- LAN

-The EXT interface: connected to the Internet, IP subnet x.x.242.32/240
-The DMZ interface: connected to our DMZ subnet, IP subnet x.x.242.48/240
-The LAN interface: connected to our LAN subnet, IP subnet 192.168.1.0/24

I use NAT to 'route' traffic from the LAN to the Internet
I use ipfw rules to ROUTE traffic from the Internet to the DMZ subnet

So far, so good.

But... how do I prevent the NAT from 'translating' the IP addresses when a
session is set up from the DMZ segment to a host somewhere on the Internet?
I want all traffic to be routed from the DMZ subnet to the Internet...

I've tried to alter the natd rule, without any success.
The rules I tried didn't work or had bad side effects, so I moved back to
the standard natd rule, but everything gets NAT-ed now...

Some examples I tried:

#
# The rule below works, but it causes TCP/IP timeouts and a *very* slow
# connection between the DMZ and EXT subnets...
#
${fwcmd} add divert natd all from not x.x.242.48:255.255.255.240 to any via ${natd_interface}

#
# The rule below doesn't work at all (?) Don't know why...
#
${fwcmd} add divert natd all from 192.168.1.0:255.255.255.0 to any via ${natd_interface}


Please advise...

Cheers -- Robin

__________________________________________________________________

Robin Huiser                    robin@bequbed.com
BeQubed N.V.                    http://www.bequbed.com

Veenwal 130                     tel:   +31 (30) 6023 626 (OFFICE)
3432 ZE                                +31 (6) 2061 9842 (MOBILE)
Nieuwegein                      fax:   +31 (30) 6586 090
The Netherlands
__________________________________________________________________


======================Confidential Disclaimer=====================

The information contained in this communication is confidential and is
intended solely for the use of the individual or entity to whom it is
addressed. You should not copy, disclose or distribute this communication
without the authority of BeQubed N.V. BeQubed is neither liable for the
proper and complete transmission of the information contained in this
communication nor for any delay in its receipt.
BeQubed does not guarantee that the integrity of this communication has been
maintained nor that the communication is free of viruses, interceptions or
interference.

If you are not the intended recipient of this communication please return
the communication to the sender and delete and destroy all copies.

In carrying out its engagements, BeQubed applies general terms and
conditions, which contain a clause that limits its liability. A copy of
these terms and conditions is available on request free of charge.
==================================================================



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
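As an added example (not code from either poster), the following Python script models the match clause of the three divert rules discussed above and checks each against the four packet types that cross the EXT interface. The addresses are constructed stand-ins: the DMZ x.x.242.48/28 and the firewall's EXT address in x.x.242.32/28 are mapped into the 192.0.2.0/24 documentation range, and 198.51.100.7 plays an arbitrary Internet host. It assumes, as in the thread, that the EXT address is not inside the DMZ range.

```python
import ipaddress

# Constructed stand-ins for the thread's addresses (RFC 5737 documentation space).
DMZ_NET = ipaddress.ip_network("192.0.2.48/28")      # x.x.242.48:255.255.255.240
LAN_NET = ipaddress.ip_network("192.168.1.0/24")     # LAN subnet from the post
EXT_ADDR = ipaddress.ip_address("192.0.2.34")         # firewall's EXT address (assumed, outside DMZ_NET)
INTERNET_HOST = "198.51.100.7"                        # some remote peer (constructed)


def in_net(addr: str, net: ipaddress.IPv4Network) -> bool:
    return ipaddress.ip_address(addr) in net


# Each function models the address clause of one "divert natd ... via ${natd_interface}"
# rule; "via" matches both directions, so the rule sees both the outbound packet and
# the reply. When ipfw evaluates the outbound LAN packet its source is still
# 192.168.1.x (natd has not rewritten it yet); the reply arrives addressed to
# EXT_ADDR and must also be diverted so natd can translate it back to the LAN host.

def rule_not_dmz_src(src: str, dst: str) -> bool:
    """Robin's first try: 'from not DMZ to any'."""
    return not in_net(src, DMZ_NET)


def rule_lan_src(src: str, dst: str) -> bool:
    """Robin's second try: 'from 192.168.1.0/24 to any'."""
    return in_net(src, LAN_NET)


def rule_not_dmz_either(src: str, dst: str) -> bool:
    """Keck's suggestion: 'from not DMZ to not DMZ'."""
    return not in_net(src, DMZ_NET) and not in_net(dst, DMZ_NET)


# Constructed packets: (name, src, dst, should natd see it?)
PACKETS = [
    ("lan_out",   "192.168.1.10", INTERNET_HOST, True),   # LAN -> Internet: needs source NAT
    ("lan_reply", INTERNET_HOST,  str(EXT_ADDR), True),   # reply to that session: needs un-NAT
    ("dmz_in",    INTERNET_HOST,  "192.0.2.50",  False),  # Internet -> DMZ host: routed, never NATed
    ("dmz_out",   "192.0.2.50",   INTERNET_HOST, False),  # DMZ -> Internet: routed, never NATed
]


def misdiverted(rule) -> list:
    """Names of packets the rule diverts when it should not, or misses when it should not."""
    return [name for name, src, dst, want in PACKETS if rule(src, dst) != want]


if __name__ == "__main__":
    for rule in (rule_not_dmz_src, rule_lan_src, rule_not_dmz_either):
        print(f"{rule.__name__:20s} wrong for: {misdiverted(rule) or 'nothing'}")
```

Running it reproduces Keck's diagnosis: the first rule wrongly hands Internet-to-DMZ packets to natd (which explains the stalls Robin saw on DMZ sessions), the second never diverts the replies addressed to the EXT address so LAN sessions cannot be un-translated, and the "not DMZ to not DMZ" rule gets all four cases right. The model ignores interface and direction, so it only checks the address logic of the rules, not the rest of the ruleset.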




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?40B05F13113ED411A91E00D0B71A7DAC127369>