From owner-freebsd-net@FreeBSD.ORG Thu Sep 29 18:09:23 2011
From: Marek Salwerowicz
To: Freddie Cash, freebsd-net@freebsd.org
Date: Thu, 29 Sep 2011 20:09:11 +0200
Message-ID: <4E84B447.7010509@wp.pl>
In-Reply-To / References: <4E412116.1070305@wp.pl> <4E422A74.3090601@wp.pl> <4E7B450F.5050802@wp.pl>
Subject: Re: ipfw - accessing DMZ from LAN
List-Id: Networking and TCP/IP with FreeBSD

On 2011-09-26 21:20, Freddie Cash wrote:
>
> Your rules are too generic, they will not work for a double-NAT setup.
> Each and every single rule must specify the network interface. And it must
> specify whether it's incoming (in recv) or outgoing (out xmit) traffic.
> Don't use "via" anywhere.
>
> While it's easier to use generic rules to start with, you really need to get
> very specific, at least for the double-NAT setup.
>
> See my example above.
>

I looked at it, but I have problems understanding the rules.

So far I understand the double-NAT like this:

1. There are two NAT instances, one for the LAN, the other for the DMZ host
   (with public address redirection to the DMZ private IP). The first is
   $lanport, the other $dmzport. The LAN interface is $LANIF, the DMZ
   interface is $DMZIF.

2. When a client from the LAN wants to connect to the DMZ host, using the DMZ
   public IP *only*, the packet goes like this:

   i. the packet is allowed to enter the router by the DMZ NAT port
      ($dmzport) and $LANIF:

      ipfw add divert $dmzport ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF
      ipfw add allow ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF
      <--- why in your example are you using PRIVATE_IP instead of PUBLIC?

   ii. the packet is redirected to go out to the DMZ, using the DMZ NAT port:

      ipfw add divert $dmzport ip from $LAN to $DMZ_PRIVATE_IP out xmit $DMZIF
      ipfw add allow ip from $ROUTER_PUBLIC_IP to $DMZ_PRIVATE_IP out xmit $DMZIF

3. When the DMZ host wants to connect to a LAN client:

   i. the packet goes to the router by the DMZ NAT port and $DMZIF:

      ipfw add divert $dmzport ip from $DMZ_PRIVATE_IP to $ROUTER_PUBLIC_IP in recv $DMZIF
      ipfw add allow ip from $DMZ_PRIVATE_IP to $LAN in recv $DMZIF

   ii. the packet is redirected to the LAN (using _which_ NAT port? For LAN
       or DMZ?)

      ipfw add divert $lanport (I am *not* sure here) from $DMZ_PRIVATE_IP to $LAN out xmit $LANIF
      ipfw add allow ip from $DMZ_PUBLIC_IP to $LAN out xmit $LANIF

4. Is it OK? What's the port in step 3.ii?

If I also want to set up NAT rules for my LAN (to allow it to access the
Internet and the router), and also for my DMZ hosts (also for the Internet),
what should the order of rules be?

First 'LAN-DMZ', then 'DMZ', then 'LAN'?

Regards,

--
Marek Salwerowicz
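The three requirements Freddie Cash states for the double-NAT rule set (every rule names its interface, every rule says "in recv" or "out xmit", and "via" appears nowhere) are mechanical enough to check before loading a rule set. The script below is an added example, not part of this thread and not from the FreeBSD project: a small POSIX sh lint that reads the text that would follow "ipfw add" on each line and flags rules that break one of those three properties. The sample rule set is constructed for the example and reuses the $LANIF / $DMZIF / $dmzport placeholders from the mail as literal text; lint_ipfw_rule, lint_ipfw_ruleset, count_bad_rules and SAMPLE_RULES are names chosen here. It checks only the three stated properties, so it says nothing about whether a rule's addresses or NAT instance are the right ones.

```shell
#!/bin/sh
# Lint ipfw rule bodies (the text after "ipfw add") against three
# properties: no "via", and an explicit "in recv IFACE" or "out xmit IFACE".
# Constructed example; not the project's own tooling.

lint_ipfw_rule() {
    # $1: one rule body. Prints a verdict; returns 1 if the rule fails.
    rule=$1
    case "$rule" in
        *" via "*|"via "*)
            echo "FAIL (uses via; name direction and interface instead): $rule"
            return 1 ;;
    esac
    case "$rule" in
        *" in recv "?*|*" out xmit "?*)
            echo "OK: $rule"
            return 0 ;;
    esac
    echo "FAIL (no 'in recv IFACE' / 'out xmit IFACE'): $rule"
    return 1
}

count_bad_rules() {
    # $1: newline-separated rule bodies. Prints the number of failing rules.
    # Blank lines and '#' comments are skipped. A here-document keeps the
    # loop in the current shell so the counter survives.
    bad=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_ipfw_rule "$line" >/dev/null || bad=$((bad + 1))
    done <<EOF
$1
EOF
    echo "$bad"
}

lint_ipfw_ruleset() {
    # $1: newline-separated rule bodies. Prints a verdict per rule and
    # returns non-zero if any rule fails, so it can gate a reload in a script.
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        lint_ipfw_rule "$line"
    done <<EOF
$1
EOF
    [ "$(count_bad_rules "$1")" -eq 0 ]
}

# Constructed sample: three rules in the shape the thread asks about,
# then one generic "via" rule and one with no direction or interface.
SAMPLE_RULES='divert $dmzport ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF
allow ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF
divert $dmzport ip from $LAN to $DMZ_PRIVATE_IP out xmit $DMZIF
allow ip from any to any via $LANIF
allow ip from $LAN to $DMZ_PUBLIC_IP'

lint_ipfw_ruleset "$SAMPLE_RULES"
echo "failing rules: $(count_bad_rules "$SAMPLE_RULES")"
```

Run it as "sh lint.sh" to see a verdict per line; in a deployment script, "lint_ipfw_ruleset "$RULES" || exit 1" before the "ipfw add" loop stops a generic rule from being loaded at all. The two failing sample rules are exactly the generic shapes the reply warns against: a "via" match that fires on both directions, and a rule with no interface, which in a double-NAT setup can match traffic on the wrong leg.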