Date:      Sun, 8 Aug 2004 18:43:21 -0400
From:      mailist@whoweb.com
To:        <freebsd-questions@freebsd.org>
Subject:   Re: IPFW/NATD Transparent Proxy
Message-ID:  <200408081843.21513.mailist@whoweb.com>
In-Reply-To: <MIEPLLIBMLEEABPDBIEGGELBGIAA.Barbish3@adelphia.net>
References:  <MIEPLLIBMLEEABPDBIEGGELBGIAA.Barbish3@adelphia.net>


On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from  www.a1poweruser.com/FBSD_firewall/

The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.  

> From what you posted looks like you want public internet users to
> access web server on one of your LAN machines. Both ipfw and
> ipfilter do this normally with port redirect.

No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when 
they request 1.2.3.4:80, where 1.2.3.4 is a PUBLIC ip number on the FreeBSD 
internet gateway.  Again, the configuration is
	de0 = PUBLIC IP = 1.2.3.4
	de1 = 192.168.1.1
	de2 = 192.168.2.1

I don't have a problem with incoming requests for 1.2.3.4:80 from the Internet 
being redirected to 192.168.2.250.  That works fine.  But I want someone on 
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the 
public address 1.2.3.4:80.

Put another way, I have a FreeBSD server acting as a Router/Firewall.  It has 
a public interface with an IP number of 1.2.3.4 and is assigned the DNS name 
www.ishouldhaveusedipfilter.com.  It also has a second NIC that supports a 
private address space of 192.168.1.0/255.255.255.0 and a third NIC that 
supports a private address space of 192.168.2.0/255.255.255.0

When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com 
they get redirected to 192.168.2.250 because I've included a redirect_port 
rule for NATD.  This works fine.  But, users on all private networks (I have 
two, but there could be 20) also need to be redirected to 192.168.2.250 when 
they try to go to www.ishouldhaveusedipfilter.com.  So the user sitting at 
192.168.1.247 shouldn't have to worry about putting in the IP number of the 
company web server, they should just be able to put in the company domain 
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250 
just like anyone coming from the outside.

> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and  firewall rules files.

My rc.conf file is properly configured and has no bearing on my question.  My 
gateway works fine from public to private IP space and private to public IP 
space.  I've tried so many combinations of rules and NATD options that I 
wouldn't know what to post.  What I need is someone who has completed a 
similar configuration to send me their configuration (change the IP numbers
if you like).  From what I can see, I don't believe this is possible with 
stateful rules.  Let me add that I've been successful with stateless rules, 
but I'd like to use 100% stateful if possible.

>
> The limit you write about ipfilter is not true.



>
> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of
> mailist@whoweb.com
> Sent: Sunday, August 08, 2004 2:11 PM
> To: freebsd-questions@freebsd.org
> Subject: IPFW/NATD Transparent Proxy
>
>
> Anyone up for a challenge?
>
> I've come to the conclusion that IPFW/NATD cannot support
> transparent
> proxying with ONLY stateful rules.  I'd like to hear from anyone who
> has
> been successful doing so in case I'm missing something.
>
> Configuration is:
>         FreeBSD 5.2.1
>         3 - NICS (de0, de1, de2)
>         de1 = Public IP = 1.2.3.4
>         de2 = LAN1 = 192.168.1.0
>         de3 = LAN2 = 192.168.2.0
>
> The challenge:
>         1) TCP request from 192.168.1.247 to 1.2.3.4:80
>         2) Redirect 1.2.3.4:80 to 192.168.2.250:80
>         3) Use stateful rules
>
> On another note, I read somewhere on the Internet that IPFILTER has
> a
> limitation in that it cannot redirect a public destination to a
> private
> destination if the source machine is on the same subnet as the
> redirected
> destination.  In other words, the following supposedly will not
> work:
>         1) A tcp request from 192.168.1.247 to 1.2.3.4:80
>         2) Redirect 1.2.3.4:80 to 192.168.1.100:80
>
> Is this an accurate limitation of IPFILTER?
>
>
>
> J
>



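The following is a constructed Python model of the redirect_port flow for the addresses in this thread, added here as an illustration; it is not natd, ipfw or anything the poster ran. It assumes one translation point on the router and a single client port, and the names `Redirector`, `reply_source_seen_by` and the `snat` option are the model's own. It shows why the server's reply must pass back through the same translation for the client to see 1.2.3.4 as the source, and why a client on the same subnet as the redirected server (the ipfilter limitation the original post asks about) only gets a consistent reply when the router also rewrites the source address so the server answers the router instead of the client directly.

```python
"""Constructed model of a natd-style redirect_port (destination NAT) on the
three-NIC router from this thread; illustration only, not natd or ipfw code."""
import ipaddress

PUBLIC = "1.2.3.4"
SUBNETS = [ipaddress.ip_network("192.168.1.0/24"),
           ipaddress.ip_network("192.168.2.0/24")]


def same_subnet(a, b):
    """Hosts on one LAN talk directly, so their packets never cross the router."""
    return any(ipaddress.ip_address(a) in n and ipaddress.ip_address(b) in n
               for n in SUBNETS)


class Redirector:
    """One redirect_port mapping plus the translation table kept for it."""

    def __init__(self, private, snat=None):
        self.private, self.snat = private, snat   # snat: router IP used for hairpin
        self.table = {}                           # client port -> real client IP

    def request(self, pkt):
        """Client -> server: rewrite the public destination to the LAN server."""
        if pkt["dst"] == PUBLIC:
            self.table[pkt["sport"]] = pkt["src"]
            pkt = dict(pkt, dst=self.private)
            if self.snat:                         # hairpin: make the server answer us
                pkt["src"] = self.snat
        return pkt

    def reply(self, pkt):
        """Server -> client: undo the translation so the client sees PUBLIC."""
        if pkt["src"] == self.private and pkt["dport"] in self.table:
            pkt = dict(pkt, src=PUBLIC, dst=self.table[pkt["dport"]])
        return pkt


def reply_source_seen_by(client, nat, divert_reply=True):
    """Simulate one request to PUBLIC:80; return the source address the client
    sees on the reply (it expects PUBLIC) or None if the reply never arrives."""
    # The request is addressed to the router's own IP, so it always reaches it.
    req = nat.request({"src": client, "sport": 40000, "dst": PUBLIC, "dport": 80})
    rep = {"src": req["dst"], "sport": 80, "dst": req["src"], "dport": req["sport"]}
    # The reply crosses the router only if it is addressed to the router itself
    # or has to be forwarded between two different LANs.
    via_router = rep["dst"] == nat.snat or not same_subnet(rep["src"], rep["dst"])
    if via_router and divert_reply:
        rep = nat.reply(rep)
    return rep["src"] if rep["dst"] == client else None
```

A result other than 1.2.3.4 is what the client's TCP stack rejects in practice: the SYN/ACK arrives from an address it never sent a SYN to.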
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200408081843.21513.mailist>