Date: Wed, 27 Sep 2000 23:04:33 -0700 (PDT)
From: John F Cuzzola <vdrifter@ocis.ocis.net>
To: cjclark@alum.mit.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ipfw + natd + Novell
Message-ID: <Pine.LNX.4.21.0009272303030.32597-100000@ocis.ocis.net>
In-Reply-To: <20000927225832.E81242@149.211.6.64.reflexcom.com>
*** Oops, sorry that was a typo: it should have read:

ipfw add 20 divert 7500 ip from 192.168.0.6 to 142.42.22.0/24

Anyways I found my answer in Novell's Knowledge base ... Apparently a NAT
Firewall is currently not supported but they have a workaround :)

On Wed, 27 Sep 2000, Crist J . Clark wrote:

> On Tue, Sep 26, 2000 at 08:52:08PM -0700, John F Cuzzola wrote:
> > Hello everyone,
> > I have a Novell Server that has been moved from a public IP to a private
> > one (192.168.0.6). The 192.168.0.xxx segment gets internet access through
> > a FreeBSD box using ipfw/natd. The Novell server needs to be accessible
> > from the internet from source addresses 142.42.22.xxx. So I tried to set
> > up a NAT for it as follows:
> >
> > natd -p 7500 -redirect_address 192.168.0.6 0.0.0.0 -a 207.24.168.5
> >
> > ipfw add 10 divert 7500 ip from 142.42.22.0/24 to 207.24.168.5
> > ipfw add 20 divert 7500 ip from 207.24.168.5 to 142.42.22.0/24
> >
> > So 142.42.22.0/24 should be able to get to the Novell server using
> > 207.24.168.5 as its IP. Using the Windows Client they can connect and see
> > the NDS tree but when they try to log in the connection times out. I know
> > there are some programs that won't work through NAT (like the ones that
> > insist on reporting back the private IP address). I was wondering if
> > anyone has had experience logging into a Novell Server with NAT. Can it
> > be done?
>
> I might be missing it, but I don't see how traffic returning from
> 192.168.0.6 is ever NATed back to look like the source is 207.24.168.5
> from the client's perspective. That is, that first rule catches
> packets like,
>
> 142.42.22.a:2040 -> 207.24.168.5:427
>
> And they get translated to something like,
>
> 142.42.22.a:2040 -> 192.168.0.6:427
>
> But then, I don't see where the responses,
>
> 192.168.0.6:427 -> 142.42.22.a:2040
>
> ever go through NAT again. Shouldn't the second rule be,
>
> s/207.24.168.5/192.168.0.6/
>
> ?
> --
> Crist J. Clark cjclark@alum.mit.edu
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
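The point Crist makes about rule 20, worked through as an added model that is not code from the thread: a stateless imitation of how ipfw hands matching packets to natd and how `-redirect_address` rewrites them. Addresses are the ones from the posts; the client address 142.42.22.7 and the stateless translation logic are assumptions for illustration, since real natd keeps per-connection state.

```python
"""Model of ipfw divert rules feeding natd -redirect_address (added illustration,
not the list post's code). Shows why rule 20 must name the private host."""
from ipaddress import ip_address, ip_network

# natd -redirect_address 192.168.0.6 0.0.0.0 -a 207.24.168.5
ALIAS = ip_address("207.24.168.5")    # public address the clients talk to
PRIVATE = ip_address("192.168.0.6")   # Novell server behind the FreeBSD box

def matches(rule, src, dst):
    """ipfw 'ip from <from> to <to>' match; rule = (from_spec, to_spec).
    A bare host such as '207.24.168.5' is treated as a /32, as ipfw does."""
    return ip_address(src) in ip_network(rule[0]) and ip_address(dst) in ip_network(rule[1])

def natd(src, dst):
    """What natd does with a packet it receives on the divert socket
    (stateless simplification of -redirect_address, an assumption here)."""
    if ip_address(dst) == ALIAS:          # inbound: send it to the private host
        return src, str(PRIVATE)
    if ip_address(src) == PRIVATE:        # reply: hide the private source
        return str(ALIAS), dst
    return src, dst                       # nothing to translate

def route(rules, src, dst):
    """Walk the ruleset in order; the first matching divert rule hands the
    packet to natd. If nothing matches, the packet leaves untranslated."""
    for rule in rules:
        if matches(rule, src, dst):
            return natd(src, dst)
    return src, dst

# Rules as first posted: rule 20 names the public alias as source...
POSTED = [("142.42.22.0/24", "207.24.168.5"), ("207.24.168.5", "142.42.22.0/24")]
# ...and as corrected in the follow-up: rule 20 names the private host.
CORRECTED = [("142.42.22.0/24", "207.24.168.5"), ("192.168.0.6", "142.42.22.0/24")]

def reply_source(rules, client="142.42.22.7"):
    """Send the client's request in, then the server's reply out, and return
    the source address the client sees on that reply."""
    _, inside_dst = route(rules, client, str(ALIAS))   # 142.42.22.7 -> 192.168.0.6
    reply_src, _ = route(rules, inside_dst, client)    # 192.168.0.6 -> 142.42.22.7
    return reply_src

if __name__ == "__main__":
    # With the posted rules the reply leaves carrying the private address, so
    # the client never matches it to the connection it opened to the alias.
    print("posted ruleset   :", reply_source(POSTED))     # 192.168.0.6
    print("corrected ruleset:", reply_source(CORRECTED))  # 207.24.168.5
```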