Date: Thu, 03 Feb 2000 08:02:03 -0500
From: Matthew Hagerty <matthew@venux.net>
To: freebsd-isp@FreeBSD.ORG
Subject: IPFW with NATd
Message-ID: <4.2.2.20000203080148.00abd8a0@mail.venux.net>
Greetings,

I am running NATd and IPFW on FreeBSD-3.4-Release as a dual-homed packet filter gateway for my internal network (assigned 10.0.0.0) and a perimeter network with real IP assignment. I was wondering if it is possible to split the divert rule of IPFW so that I can have my rules apply to the internal addresses?

The initial IPFW rule, when NATd is used, is the first one in the list, like this (from rc.firewall):

    $fwcmd add divert natd all from any to any via ${natd_interface}

From what I understand of the man page, this hands all packets to NATd for translation prior to the rest of the rules. So my IPFW rules will only see the external (real) IP address for all hosts on the internal network. I.e. if host 10.0.0.10 tries to send a packet, the first IPFW rule is the divert, which will change the address to the external IP, so the only address I have to work with in the IPFW rules is the real external IP.

What I would like to be able to do is have rules that I can base on the internal IP addresses. I started to experiment with this a little; this is what I tried:

    $fwcmd add divert natd all from ${onet}:${omask} to any in via ${oif}
    .
    .
    .
    IPFW rules here have both sets of IP addresses, real addresses and fake, to work with.
    .
    .
    .
    $fwcmd add divert natd all from ${inet}:${imask} to any out via ${oif}

So in essence the incoming packets from the real world get sent through NATd prior to the rules and outgoing packets from the internal network get sent through NATd last, after the rules. This (I was hoping) would allow me to make rules based on certain internal hosts, i.e. my internal DNS host needs to talk to my external fake DNS on the bastion host, but no other internal host should be allowed to query the external DNS (bastion) host directly, unless a rule is written specifically for it. I did actually get this to work with the DNS example; my fake DNS on the external network could communicate with the internal DNS and vice versa.

But when I tried to add a rule to allow the rest of the internal hosts to surf, etc., it broke. The only error I got was a "can't send packet back" error on the terminal.

Any insight on this would be greatly appreciated.

Thanks,
Matthew Hagerty

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
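The split-divert layout the post describes, written out in rc.firewall style as an added example (this is not Matthew's ruleset; the interface name, perimeter addresses and host addresses are constructed placeholders). One ipfw property worth checking in such a layout: an allow rule that matches an outbound internal packet before the outbound divert ends rule processing, so that packet leaves untranslated; the example therefore hands general web traffic to the divert with skipto and includes a small ordering check that runs before anything is loaded.

```shell
#!/bin/sh
# Added example, not from the original post: generate the split-divert ipfw
# layout and check its ordering before loading it. Variable names follow
# rc.firewall; interface and address values are constructed placeholders.

oif="ed0"                                  # outside interface (assumed name)
onet="192.0.2.0";   omask="255.255.255.0"  # perimeter network (constructed)
gw_ext="192.0.2.1"                         # gateway address on $oif (constructed)
inet="10.0.0.0";    imask="255.0.0.0"      # internal network, as in the post
int_dns="10.0.0.53"                        # internal DNS host (constructed)
bastion_dns="192.0.2.53"                   # bastion DNS on the perimeter (constructed)

# Print the ruleset; $1 is the command prefix, e.g. /sbin/ipfw or echo.
gen_ruleset() {
    fwcmd="$1"
    # Inbound traffic from the perimeter is translated first, so the rules
    # below see the internal address as the destination of replies.
    echo "$fwcmd add 100 divert natd all from ${onet}:${omask} to any in via ${oif}"
    # Rules keyed on untranslated internal addresses. Only the internal DNS
    # host may reach the bastion resolver; everyone else is logged and dropped.
    echo "$fwcmd add 200 allow udp from ${int_dns} to ${bastion_dns} 53"
    echo "$fwcmd add 210 allow udp from ${bastion_dns} 53 to ${int_dns}"
    echo "$fwcmd add 220 deny log udp from ${inet}:${imask} to ${bastion_dns} 53"
    # Web traffic is sent on with skipto, not allow: allow would end rule
    # processing here and the packet would leave untranslated.
    echo "$fwcmd add 300 skipto 900 tcp from ${inet}:${imask} to any 80 out via ${oif}"
    echo "$fwcmd add 310 allow tcp from any 80 to ${inet}:${imask} in via ${oif} established"
    # Outbound traffic is translated last. natd re-injects the packet at the
    # next rule, now with $gw_ext as source, so rule 910 must accept it there.
    echo "$fwcmd add 900 divert natd all from ${inet}:${imask} to any out via ${oif}"
    echo "$fwcmd add 910 allow ip from ${gw_ext} to any out via ${oif}"
    echo "$fwcmd add 65000 deny log ip from any to any"
}

# Read a ruleset on stdin and check the split-divert ordering: one inbound
# divert that comes first, one outbound divert placed after every address
# rule, and at least one accept/deny rule after it. Exit status 0 means OK.
check_order() {
    awk '
        /divert natd/ && / in via /  { ind++;  if (NR != 1) bad = 1 }
        /divert natd/ && / out via / { outd++; outline = NR }
        /add [0-9]+ (allow|deny|skipto)/ { if (outd) after++; else last = NR }
        END { exit !(ind == 1 && outd == 1 && outline > last && after > 0 && !bad) }'
}

# Dry run: show the ruleset only when the ordering check passes.
gen_ruleset /sbin/ipfw | check_order && gen_ruleset /sbin/ipfw
```

To load it on the gateway, pipe the checked output through sh; to review it first, give `echo` as the prefix.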