From: OpenMacNews
To: freebsd-ipfw
Date: Wed, 02 Jun 2004 13:10:57 -0700
Subject: help with multiple-public-to-multiple-natd mappings/rules/logic?
Message-ID: <33760B5BC85169CE97B0219F@[172.30.11.6]>
List-Id: IPFW Technical Discussions

hi all,

[I tried doing all this via "fwbuilder" (www.fwbuilder.org) only to, unfortunately, find out that _it_ doesn't support ipfw + natd rule generation ... so back to "manual", and my questions below ...]

I've read through as many examples on the web as I could find, but none were exactly the config I'm attempting here. As a result of trying to cobble together the examples I *did* find, I've gotten myself thoroughly confused about a couple of issues re: my "to be" ipfw firewall configuration ... specifically, since I have *multiple* EXTERNAL IPs that need to map THROUGH a single INTERNAL interface to *multiple* INTERNAL (NATd) IPs.
as far as a "policy" goes, my goal is:

(1) outbound: ALLOW, then DENY, specifically blocking outbound services access, e.g. "chat", allowing STATEFUL rules
(2) inbound: DENY, then ALLOW
(3) process 'general' fw rules 1st (e.g., "pest rules" such as 'DENY from "timbuktu IP" to ANY')
(4) provide specific, service-based mappings from external "public" IPs to various internal "private" IPs via NAT

to do this, however, I think I need

(1) multiple natd instances (one for each external IP)
(2) some combination of DIVERT, SKIPTO and FORWARD rules to do all the necessary in/out mapping and firewall processing

which is where my confusion begins !!

with ONE natd instance, and ONE external IP address, i've got everything pretty much working ... but the MULTIPLE-TO-MULTIPLE logic has got me "blindly trying stuff" ...

SOOOOOOOOOOO, any/all insights/comments, or pointers to existing examples -- or general _relevant_ logic, for that matter -- would be much appreciated!

in particular, the in/out rules for httpd, smtp & dns via these multiple interfaces are eluding me for now.
to help get started, here's my config:

          |
          |
   [public internet]
          |
          |
    [cable modem]
      2 fixed IP addresses:  A.A.A.A   A.A.A.B
      ISP's DNS servers:     A.A.A.XX  A.A.A.YY
      ISP's Gateway:         A.A.A.GG
          |
          |
   [firewall box, server 1]
      hw: 2 NIC cards
          card 1 ("external"): multihomed  A.A.A.A  A.A.A.B
          card 2 ("internal"): 10.0.0.1
      sw: ipfw
          dhcp
          natd
          smtpd, listens on mail1.domain.com
          |
          |
          |------------------ [server 2]
          |   hw: 1 NIC card, multihomed
          |       10.0.0.2
          |       10.0.0.21
          |   sw: httpd, public access
          |       listens on 10.0.0.2  for www.domain2.com
          |       listens on 10.0.0.21 for www.domain21.com
          |
          |------------------ [server 3]
          |   hw: 1 NIC card
          |       10.0.0.3
          |   sw: smtpd, public access
          |       listens on mail3.domain.com
          |       dns, public access
          |       (a) provides primary DNS for multiple domains,
          |           zone transfers ONLY to named external secondaries
          |       (b) serves as internal/LAN DNS for all machines
          |           on the 10.0.0.x LAN
          |       (c) forwards some requests to ISP's DNS @ A.A.A.XX &
          |           A.A.A.YY
          |
          |------------------ [server 4]
          |   hw: 1 NIC card, multihomed
          |       10.0.0.4
          |       10.0.0.41
          |   sw: httpd, public access
          |       listens on 10.0.0.4  for www.domain4.com
          |       listens on 10.0.0.41 for www.domain41.com
          |
          |------------------ [workstation 5]
              hw: 1 NIC card
                  10.0.0.5
              sw: usual client apps ...

where "public"/"external" IP allocations/assignments are:

  A.A.A.A  --> reverse IP == domain.com
  A.A.A.B  --> reverse IP == domain2.com

  mail1.domain.com  --> A.A.A.B
  mail3.domain.com  --> A.A.A.A
  www.domain2.com   --> A.A.A.A
  www.domain21.com  --> A.A.A.B
  www.domain4.com   --> A.A.A.A
  www.domain41.com  --> A.A.A.B

thanks!

richard
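One way to wire this up, as an added example that is not part of the original post or of any FreeBSD rc script: one natd per public address, each listening on its own divert port, with ipfw choosing the instance by destination address for inbound packets and by source address for outbound packets. Two things bite in exactly this layout, and the script is built around them. First, ipfw stops at the first matching rule, so "allow by default, but deny chat" has to be written with the deny rules before the general allow. Second, a keep-state rule whose action is allow ends processing, so a packet it accepts never reaches the out-divert and leaves with its private source address; the rules below therefore create state with skipto into the out-divert block, and run the in-divert before check-state so that every dynamic rule is keyed on private addresses (the inbound reply is un-translated first, then matched). Note also that natd redirects one public address:port to exactly one internal host, so www.domain2.com/www.domain4.com (both A.A.A.A:80) and www.domain21.com/www.domain41.com (both A.A.A.B:80) cannot all be satisfied as listed; the example redirects 10.0.0.2 and 10.0.0.21 and flags the second host on each address in a comment. Assumed, not from the post: the interface names fxp0/fxp1, the divert ports 8668/8669, the placeholders T.T.T.T (the "timbuktu" host) and S.S.S.S (an external secondary name server), IRC/AIM as the "chat" ports, and server 3's DNS being published under A.A.A.A. By default the script only echoes the commands; set fwcmd=/sbin/ipfw and natd=/sbin/natd in the environment to apply them.

```sh
#!/bin/sh
# Added example (not from the original post): ipfw rules driving two natd
# instances, one per public address. Kernel needs IPFIREWALL + IPDIVERT and
# gateway_enable="YES" in rc.conf; "deny log" needs net.inet.ip.fw.verbose=1.
# By default the commands are only echoed; set fwcmd=/sbin/ipfw and
# natd=/sbin/natd in the environment to apply them for real.
fwcmd="${fwcmd:-echo ipfw}"
natd="${natd:-echo natd}"

EXT="fxp0"               # assumed: external NIC (card 1)
INT="fxp1"               # assumed: internal NIC (card 2)
PUB_A="A.A.A.A"          # placeholders from the post; replace with real addresses
PUB_B="A.A.A.B"
LAN="10.0.0.0/24"
PEST="T.T.T.T"           # placeholder: the "timbuktu" host to drop outright
SECONDARY_NS="S.S.S.S"   # placeholder: external secondary name servers, space separated
PORT_A=8668              # divert port of the natd instance for A.A.A.A
PORT_B=8669              # divert port of the natd instance for A.A.A.B

start_natd() {
    # natd A owns A.A.A.A: web on 10.0.0.2, mail + DNS (assumed) on 10.0.0.3.
    # www.domain4.com (10.0.0.4) is also listed under A.A.A.A:80 in the post,
    # but one public address:port redirects to exactly one internal host.
    $natd -port $PORT_A -alias_address $PUB_A -same_ports \
        -redirect_port tcp 10.0.0.2:80 80 \
        -redirect_port tcp 10.0.0.3:25 25 \
        -redirect_port tcp 10.0.0.3:53 53 \
        -redirect_port udp 10.0.0.3:53 53
    # natd B owns A.A.A.B: web on 10.0.0.21 (10.0.0.41 has the same clash).
    # Port 25 on A.A.A.B is the firewall's own smtpd (mail1), so no redirect.
    $natd -port $PORT_B -alias_address $PUB_B -same_ports \
        -redirect_port tcp 10.0.0.21:80 80
}

load_rules() {
    $fwcmd -f flush

    # (3) general rules first: pests, loopback, anti-spoof, trusted LAN side
    $fwcmd add 100 deny log ip from $PEST to any
    $fwcmd add 110 allow ip from any to any via lo0
    $fwcmd add 120 deny ip from $LAN to any in via $EXT       # our own range from outside = spoofed
    $fwcmd add 130 allow ip from any to any via $INT          # LAN<->firewall and LAN<->LAN traffic

    # Inbound NAT before check-state: choose the instance by the public
    # address the packet was sent to. After natd re-injects the packet, the
    # rule walk resumes at the next rule with the private destination filled in.
    $fwcmd add 200 divert $PORT_A ip from any to $PUB_A in via $EXT
    $fwcmd add 210 divert $PORT_B ip from any to $PUB_B in via $EXT
    $fwcmd add 300 check-state

    # (1) outbound: specific denies first (first match wins), then the
    # stateful default allow. "skipto 2000" instead of "allow" so the packet
    # still reaches the out-divert and gets translated.
    $fwcmd add 400 deny log tcp from $LAN to any 6667,5190 out via $EXT   # example "chat" ports: IRC, AIM
    $fwcmd add 410 skipto 2000 tcp from $LAN to any out via $EXT setup keep-state
    $fwcmd add 420 skipto 2000 udp from $LAN to any out via $EXT keep-state
    $fwcmd add 430 skipto 2000 icmp from $LAN to any out via $EXT
    # the firewall's own traffic leaves untranslated
    $fwcmd add 440 allow ip from $PUB_A to any out via $EXT keep-state
    $fwcmd add 450 allow ip from $PUB_B to any out via $EXT keep-state

    # (2)+(4) inbound: deny by default. The exceptions match the *translated*
    # private destination because the divert rules already ran. They use
    # skipto, not allow, so the replies are diverted back through natd.
    $fwcmd add 500 allow tcp from any to $PUB_B 25 in via $EXT setup keep-state   # mail1 = the firewall itself
    $fwcmd add 510 skipto 2000 tcp from any to 10.0.0.2 80 in via $EXT setup keep-state
    $fwcmd add 520 skipto 2000 tcp from any to 10.0.0.21 80 in via $EXT setup keep-state
    $fwcmd add 530 skipto 2000 tcp from any to 10.0.0.3 25 in via $EXT setup keep-state
    $fwcmd add 540 skipto 2000 udp from any to 10.0.0.3 53 in via $EXT keep-state
    for ns in $SECONDARY_NS; do     # zone transfers (TCP 53) only from the listed secondaries
        $fwcmd add 550 skipto 2000 tcp from $ns to 10.0.0.3 53 in via $EXT setup keep-state
    done
    $fwcmd add 560 allow icmp from any to any in via $EXT icmptypes 0,3,11   # ping replies, unreachables, ttl exceeded
    $fwcmd add 999 deny log ip from any to any    # default deny; only a skipto gets past this

    # Outbound NAT: choose the instance by private *source*, so each host
    # leaves under the public address its services are published on.
    $fwcmd add 2000 divert $PORT_B ip from 10.0.0.21 to any out via $EXT
    $fwcmd add 2010 divert $PORT_B ip from 10.0.0.41 to any out via $EXT
    $fwcmd add 2020 divert $PORT_A ip from $LAN to any out via $EXT    # everyone else, incl. .2 .3 .4 .5
    $fwcmd add 2100 allow ip from any to any
}

start_natd
load_rules
```

With the rules loaded, `ipfw -d show` lists the dynamic rules; every one of them should carry 10.0.0.x addresses, which is the quick check that state is being created on the private side of both natd instances. The fourth web host on each public address needs either another public address of its own or a single internal host that serves both names.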