Date:      Sun, 10 Aug 2003 22:57:29 +0100
From:      Stacey Roberts <stacey@vickiandstacey.com>
To:        Johannes Angeldorff <johannes2@smartnet.se>
Cc:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Subject:   Re: ipfw / natd does not allow lan traffic to reach external numbers
Message-ID:  <1060552648.32578.65.camel@localhost>
In-Reply-To: <a05200f04bb596ccc3dcf@[192.168.0.3]>
References:  <a05200f04bb596ccc3dcf@[192.168.0.3]>

Hello,

On Sun, 2003-08-10 at 22:38, Johannes Angeldorff wrote:
> Hi,
> 
> I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here is 
> a list with some details:
> 
> *) The FreeBSD box uses natd and ipfw, and has two external IPs, 
> let's say aaa.bbb.ccc.20 and ddd.eee.fff.21.
> 
> *) natd is used to redirect access to external IP addresses and ports 
> to internal LAN IPs, for example 192.168.0.20 and 192.168.0.21, 
> where for example webservers are located.
> 
> *) natd rules:
> 
> natd_flags="-redirect_address 192.168.0.20 aaa.bbb.ccc.20
> -redirect_port tcp 192.168.0.21:25-52 25-52
> -redirect_port udp 192.168.0.21:25-52 25-52
> -redirect_port tcp 192.168.0.30:80 80
> -redirect_port udp 192.168.0.30:80 80
> -redirect_port tcp 192.168.0.21:54-79 54-79
> -redirect_port udp 192.168.0.21:54-79 54-79
> -redirect_port tcp 192.168.0.21:81-722 81-722
> -redirect_port udp 192.168.0.21:81-722 81-722
> -redirect_port tcp 192.168.0.21:3306-4559 3306-4559
> -redirect_port udp 192.168.0.21:3306-4559 3306-4559"
> 
> *) ipfw lets things through:
> 
> 00050 divert 8668 ip from any to any via fxp0
> 00100 allow ip from any to any via lo0
> 00200 deny ip from any to 127.0.0.0/8
> 00300 deny ip from 127.0.0.0/8 to any
> 65000 allow ip from any to any
> 65535 allow ip from any to any
> 
> Problem:
> Most things work just fine; external access is redirected to the 
> correct ports, and the webservers work just fine. BUT the problem 
> comes when a box on the LAN tries to reach a site residing on 
> 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. Then I get the 
> error: "Unable to connect to remote host". Connecting from a LAN 
> machine to the same site using the _internal_ IP works fine. 
> Connecting to other external IPs also works fine.
> 
> I want to be able to connect from LAN boxes to the external IPs, for 
> example aaa.bbb.ccc.20. Can anyone lead me on the way...? Very 
> thankful for all comments on this matter.
> 

This is not possible. You have to use another host external to your
local network in order to access / view services via their respective
public IPs, or continue to access them via their defined RFC1918
addresses.

On another note, if access via public IP isn't a strict requirement,
there is the "views" functionality in Bind9 that (once set up properly)
would allow you to access, say, hosted websites via their WWW addresses
from internal hosts...

Regards,

Stacey

> Regards,
> Smartnet Sverige AB
> 
> Johannes Angeldorff
> 
-- 
Stacey Roberts
B.Sc (HONS) Computer Science

Web: www.vickiandstacey.com
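To make the failure mode in the thread concrete, here is an added example (not from the thread or from FreeBSD) that models how ipfw walks the posted rule set first-match for a packet on a given interface: the LAN host's packet to the public address arrives on the inside interface and never matches rule 50's `via fxp0`, so it is allowed straight to the gateway's own IP stack and natd never sees it, whereas the same destination arriving from the Internet on fxp0 is diverted. The inside interface name (rl0), the documentation addresses 203.0.113.20 (standing in for aaa.bbb.ccc.20) and 198.51.100.7 (a remote client), and the LAN host 192.168.0.5 are assumptions.

```python
import ipaddress
from dataclasses import dataclass
# Constructed from the ipfw listing in the thread; only fxp0 is named there.
IPFW_RULES = """\
00050 divert 8668 ip from any to any via fxp0
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 allow ip from any to any"""
@dataclass
class Rule:
    number: int
    action: str                  # divert / allow / deny
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    via: str = None              # interface the packet must traverse, if any

def _net(tok: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if tok == "any" else tok, strict=False)

def parse_rule(line: str) -> Rule:
    """Parse one listing line: NUM ACTION [DIVERT_PORT] ip from SRC to DST [via IF]."""
    tok = line.split()
    number, action, i = int(tok[0]), tok[1], 2
    if action == "divert":
        i += 1                                    # skip the natd divert port
    src, dst = _net(tok[i + 2]), _net(tok[i + 4])
    via = tok[i + 6] if len(tok) > i + 6 and tok[i + 5] == "via" else None
    return Rule(number, action, src, dst, via)

def first_match(rules, src: str, dst: str, iface: str):
    """First-match walk of the rule set, as ipfw does; returns (number, action)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.via is None or r.via == iface):
            return r.number, r.action
    return None

def hairpin_check(rules, lan_host: str, public_ip: str, inside_if: str = "rl0"):
    """Same public address, two entry points: only the packet arriving on fxp0 hits
    the divert rule; the LAN packet is allowed straight to the gateway's own stack."""
    return {
        "lan_via_inside_if": first_match(rules, lan_host, public_ip, inside_if),
        "internet_via_fxp0": first_match(rules, "198.51.100.7", public_ip, "fxp0"),
    }

if __name__ == "__main__":
    rules = [parse_rule(l) for l in IPFW_RULES.splitlines()]
    print(hairpin_check(rules, "192.168.0.5", "203.0.113.20"))  # 203.0.113.20 = aaa.bbb.ccc.20
```

Even if the divert rule were widened to the inside interface, the server's replies would travel back to the LAN client directly from 192.168.0.20 rather than through natd, which is the other half of why this hairpin path fails with a plain one-interface NAT setup.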
