From owner-freebsd-net@FreeBSD.ORG Thu Sep 29 21:23:29 2011
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5DC851065677 for ; Thu, 29 Sep 2011 21:23:29 +0000 (UTC) (envelope-from marek.salwerowicz@misal.pl)
Received: from mail2.misal.pl (mail2.misal.pl [83.19.131.172]) by mx1.freebsd.org (Postfix) with ESMTP id 008BD8FC12 for ; Thu, 29 Sep 2011 21:23:28 +0000 (UTC)
Received: from [10.0.0.15] (cwx170.internetdsl.tpnet.pl [83.19.131.170]) by mail2.misal.pl (Postfix) with ESMTPSA id 77C088B3; Thu, 29 Sep 2011 23:08:02 +0200 (CEST)
Message-ID: <4E84DE26.6030103@misal.pl>
Date: Thu, 29 Sep 2011 23:07:50 +0200
From: Marek Salwerowicz
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110922 Thunderbird/7.0
MIME-Version: 1.0
To: Freddie Cash , freebsd-net@freebsd.org
References: <4E412116.1070305@wp.pl> <4E422A74.3090601@wp.pl> <4E7B450F.5050802@wp.pl> <4E84B447.7010509@wp.pl>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 29 Sep 2011 22:20:17 +0000
Subject: Re: ipfw - accessing DMZ from LAN
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Thu, 29 Sep 2011 21:23:29 -0000

On 2011-09-29 21:57, Freddie Cash wrote:
> In generic terms, the packet flow is like this:
>
>   src: lan private subnet   dest: server public ip
>   src: lan private subnet   dest: server private ip
>   src: lan private subnet   dest: server private ip
>   src: lan public ip        dest: server private ip
>
> Note how you change first the destination IP via NAT (on the LAN interface);
> then you change the source IP via NAT (on the DMZ interface).

Ok, now I understand (I hope ;) ).
My rules are:

    # LAN -> DMZ host, arriving on the LAN interface: the DMZ host's natd
    # rewrites the destination (public -> private)
    ipfw add 150 divert $DMZHOST1PORT ip from $LAN1NET to $DMZHOST1PUB in recv $LAN1IF
    ipfw add 155 allow ip from $LAN1NET to $DMZHOST1 in recv $LAN1IF
    # LAN -> DMZ host, leaving on the DMZ interface: the LAN natd
    # rewrites the source (LAN private -> firewall public)
    ipfw add 160 divert $LAN1PORT ip from $LAN1NET to $DMZHOST1 out xmit $DMZIF
    ipfw add 165 allow ip from $MYPUBLICIP to $DMZHOST1 out xmit $DMZIF
    # replies from the DMZ host, arriving on the DMZ interface: undo the source rewrite
    ipfw add 170 divert $LAN1PORT ip from $DMZHOST1 to $MYPUBLICIP in recv $DMZIF
    ipfw add 175 allow ip from $DMZHOST1 to $LAN1NET in recv $DMZIF
    # replies, leaving on the LAN interface: undo the destination rewrite
    ipfw add 180 divert $DMZHOST1PORT ip from $DMZHOST1 to $LAN1NET out xmit $LAN1IF
    ipfw add 185 allow ip from $DMZHOST1PUB to $LAN1NET out xmit $LAN1IF

The names are a little different, but the idea is the same (MYPUBLICIP == LAN_PUBLIC_IP). And it works. Thanks for the help :)

> There are no hard-and-fast rules on how you should order your rules (at least,
> none that I've found anywhere).
>
> I prefer to write them such that you have the most specific rules first, and
> the most generic ones last.

So, e.g., the rules specifying traffic between the DMZ host and the LAN could come first, and then the rules for "generic" DMZ host traffic (allowing the DMZ access to the Internet)?

So far I have done it like this (first DMZ-LAN, then DMZ), but I have a problem:

    # DMZ host -> Internet, arriving on the DMZ interface
    ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
    ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
    # DMZ host -> Internet, leaving on the public interface: source becomes $DMZHOST1PUB
    ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
    ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
    # Internet -> DMZ host, arriving on the public interface: destination becomes $DMZHOST1
    ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
    ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
    # Internet -> DMZ host, leaving on the DMZ interface
    ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
    ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF

The DMZ host has access to the Internet (and is visible as the public IP dedicated to that host, which is what I wanted), but when I connect from the Internet to the DMZ host (e.g. ssh), I see that the connection comes from itself (the DMZ host's public IP) instead of the real public IP address. I think I've over-NATed something. Do you have any idea?

Regards,

-- 
Marek Salwerowicz
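One way to see where each address rewrite happens in the two rule sets above, as an added example that is not part of the thread: a small Python model of ipfw's two passes over the rule list (input pass on the receiving interface, output pass on the interface the destination routes to), where every matching `divert` hands the packet to a reduced model of natd and processing resumes at the next rule. The addresses, interface names and routing table are placeholders chosen here; natd is modelled as `natd -a ALIAS`, with `-redirect_address` for the DMZ host's instance and `-unregistered_only` (`-u`) as a switch, ignoring ports, timeouts and the per-flow port table. The thread does not say which flags the real natd instances run with, so the Internet-to-DMZ result below is something to check on the box, not a diagnosis.

```python
"""Reduced model of ipfw divert rules plus natd for tracing the two rule
sets posted above.  Added example: placeholder addresses, simplified natd."""
import ipaddress
from dataclasses import dataclass, replace

# Placeholder values for the shell variables in the posted rules (assumed).
LAN1NET = ipaddress.ip_network("10.0.0.0/24")
MYPUBLICIP = "203.0.113.1"           # the firewall's own public address
DMZHOST1 = "172.16.0.10"
DMZHOST1PUB = "203.0.113.2"
LAN1IF, DMZIF, PUBLICIF = "em0", "em1", "em2"
LAN_CLIENT = "10.0.0.15"             # constructed LAN workstation
INTERNET_CLIENT = "198.51.100.7"     # constructed remote ssh client
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

class Natd:
    """natd -a ALIAS [-redirect_address INSIDE ALIAS] [-u], without ports."""
    def __init__(self, alias, redirect=None, unregistered_only=False):
        self.alias, self.redirect, self.uonly = alias, redirect, unregistered_only
        self.table = {}   # remote address -> inside source that was talking to it

    def out(self, p):
        # Outgoing packets get their source rewritten to the alias; with -u only
        # RFC 1918 sources are touched (natd(8), -unregistered_only).
        if self.uonly and not any(ipaddress.ip_address(p.src) in n for n in RFC1918):
            return p
        self.table[p.dst] = p.src
        return replace(p, src=self.alias)

    def inbound(self, p):
        # Incoming packets are only touched if addressed to the alias.
        if p.dst != self.alias:
            return p
        if p.src in self.table:              # reply to a flow translated in out()
            return replace(p, dst=self.table[p.src])
        return replace(p, dst=self.redirect) if self.redirect else p

def matches(addr, spec):
    if spec == "any":
        return True
    if isinstance(spec, ipaddress.IPv4Network):
        return ipaddress.ip_address(addr) in spec
    return addr == spec

def route(dst):
    """Assumed routing table of the firewall: which interface transmits."""
    if ipaddress.ip_address(dst) in LAN1NET:
        return LAN1IF
    return DMZIF if dst == DMZHOST1 else PUBLICIF

D, A = "divert", "allow"
# (rule number, action, natd instance, from, to, direction, interface)
RULES = [
    (150, D, "DMZHOST1PORT", LAN1NET, DMZHOST1PUB, "in", LAN1IF),
    (155, A, None, LAN1NET, DMZHOST1, "in", LAN1IF),
    (160, D, "LAN1PORT", LAN1NET, DMZHOST1, "out", DMZIF),
    (165, A, None, MYPUBLICIP, DMZHOST1, "out", DMZIF),
    (170, D, "LAN1PORT", DMZHOST1, MYPUBLICIP, "in", DMZIF),
    (175, A, None, DMZHOST1, LAN1NET, "in", DMZIF),
    (180, D, "DMZHOST1PORT", DMZHOST1, LAN1NET, "out", LAN1IF),
    (185, A, None, DMZHOST1PUB, LAN1NET, "out", LAN1IF),
    (200, D, "DMZHOST1PORT", DMZHOST1, "any", "in", DMZIF),
    (205, A, None, DMZHOST1, "any", "in", DMZIF),
    (210, D, "DMZHOST1PORT", DMZHOST1, "any", "out", PUBLICIF),
    (215, A, None, DMZHOST1PUB, "any", "out", PUBLICIF),
    (220, D, "DMZHOST1PORT", "any", DMZHOST1PUB, "in", PUBLICIF),
    (225, A, None, "any", DMZHOST1, "in", PUBLICIF),
    (230, D, "DMZHOST1PORT", "any", DMZHOST1, "out", DMZIF),
    (235, A, None, "any", DMZHOST1, "out", DMZIF),
]

def run_pass(nats, p, direction, iface):
    """One traversal of RULES; returns the (possibly rewritten) packet, or
    None if no rule allowed it (ipfw's default is deny)."""
    for _num, action, nat, src, dst, d, ifn in RULES:
        if d != direction or ifn != iface or not (matches(p.src, src) and matches(p.dst, dst)):
            continue
        if action == D:
            p = nats[nat].out(p) if direction == "out" else nats[nat].inbound(p)
            continue        # after a divert, ipfw resumes at the next rule
        return p            # allow: this pass is done

def forward(nats, p, recv_if):
    """Input pass on the receiving interface, then output pass on the
    interface the (possibly translated) destination routes to."""
    p = run_pass(nats, p, "in", recv_if)
    return None if p is None else run_pass(nats, p, "out", route(p.dst))

def make_nats(unregistered_only=False):
    return {"DMZHOST1PORT": Natd(DMZHOST1PUB, redirect=DMZHOST1, unregistered_only=unregistered_only),
            "LAN1PORT": Natd(MYPUBLICIP, unregistered_only=unregistered_only)}

def lan_to_dmz():
    """Rules 150-185: request from the LAN, then the DMZ host's reply."""
    nats = make_nats()
    req = forward(nats, Pkt(LAN_CLIENT, DMZHOST1PUB), LAN1IF)
    return req, forward(nats, Pkt(DMZHOST1, MYPUBLICIP), DMZIF)

def dmz_to_internet():
    """Rules 200-215: the DMZ host going out, seen as its dedicated public IP."""
    return forward(make_nats(), Pkt(DMZHOST1, INTERNET_CLIENT), DMZIF)

def internet_to_dmz(unregistered_only):
    """Rules 220-235: inbound ssh.  Rule 230 hands the packet to natd as an
    'outgoing' packet on the DMZ interface, so its source is aliased unless -u."""
    return forward(make_nats(unregistered_only), Pkt(INTERNET_CLIENT, DMZHOST1PUB), PUBLICIF)
```

Under these assumptions `lan_to_dmz()` reproduces the four-step flow Freddie describes (destination rewritten on the LAN side, source rewritten on the DMZ side, and both undone on the way back), and `internet_to_dmz(False)` delivers the inbound packet to the DMZ host with source `DMZHOST1PUB`, which is the symptom reported above; `internet_to_dmz(True)` leaves the client address intact. Whether that matches the real box depends on the flags the `$DMZHOST1PORT` natd was started with, which is the first thing to look at.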