From owner-freebsd-net@FreeBSD.ORG Fri Sep 30 14:57:31 2011
From: Marek Salwerowicz <marek_sal@wp.pl>
Date: Fri, 30 Sep 2011 16:57:15 +0200
Message-ID: <4E85D8CB.6010104@wp.pl>
To: Freddie Cash, freebsd-net@freebsd.org
References: <4E412116.1070305@wp.pl> <4E422A74.3090601@wp.pl> <4E7B450F.5050802@wp.pl> <4E84B447.7010509@wp.pl> <4E84DE26.6030103@misal.pl>
In-Reply-To: <4E84DE26.6030103@misal.pl>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:7.0) Gecko/20110922 Thunderbird/7.0
Subject: Re: ipfw - accessing DMZ from LAN
List-Id: Networking and TCP/IP with FreeBSD
X-List-Received-Date: Fri, 30 Sep 2011 14:57:31 -0000

On 2011-09-29 23:07, Marek Salwerowicz wrote:
> So eg. the rules specifying traffic between DMZ Host and LAN could be
> the first, and then rules for "generic" DMZ host traffic (allowing DMZ
> access to the Internet)?
> So far I made like this (first DMZ-LAN, then DMZ), but I have some
> problem:
>
> ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>
> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>
> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>
> ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>
> The DMZ host has access to the Internet (and is visible as the public IP
> dedicated for that host, so it's what I wanted), but when I connect
> from the Internet to the DMZ host (eg. ssh), I see that the connection
> comes from itself (DMZ host public IP), instead of the real public IP
> address.
> I think that I've overNATed something.
I've answered myself:

ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF

So I just removed the rules responsible for NAT at $DMZIF and left only NAT at $PUBLICIF. But now there is the next problem: when I try to ping/ssh from the router to $DMZPUBLICIP, I connect to myself, instead of the DMZ host.
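As an added example (not part of this thread and not the author's own commands), here is the reply's single-NAT ruleset as a shell script, together with a small check that reads a ruleset in `ipfw list` form and reports every interface on which traffic is diverted to a given natd port. The interface names, addresses and the divert port are constructed placeholders; the script assumes natd was started as `natd -port $DMZHOST1PORT -redirect_address $DMZHOST1 $DMZHOST1PUB` (an assumption; the mail does not say how natd is run).

```shell
#!/bin/sh
# Added example, not from the thread.  Generates the one-NAT-instance ruleset
# for a DMZ host with a dedicated public address, and lints a ruleset for
# divert rules on more than one interface (the "overNATed" symptom).
# All names, addresses and the port below are constructed placeholders.

DMZIF=em1                   # constructed: DMZ-side interface
PUBLICIF=em0                # constructed: Internet-facing interface
DMZHOST1=192.0.2.10         # constructed: DMZ host's private address
DMZHOST1PUB=198.51.100.10   # constructed: public address dedicated to that host
DMZHOST1PORT=8669           # constructed: natd divert port for this host

# Emit the rules as text.  NAT happens exactly once, on $PUBLICIF, in both
# directions; nothing is diverted on $DMZIF.  Piping this into sh installs it.
dmz_rules() {
    cat <<EOF
ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
EOF
}

# Read a ruleset on stdin (either "ipfw add ..." commands or "ipfw list"
# output) and print, one per line, each interface named in a recv/xmit
# clause of a rule that diverts to natd port $1.  One interface per natd
# instance is the goal; two means packets get translated twice.
divert_ifaces() {
    awk -v port="$1" '
        {
            hit = 0
            for (i = 1; i < NF; i++)
                if ($i == "divert" && $(i + 1) == port) hit = 1
            if (hit)
                for (i = 1; i < NF; i++)
                    if ($i == "recv" || $i == "xmit") seen[$(i + 1)] = 1
        }
        END { for (ifn in seen) print ifn }' | sort
}

# Succeeds (exit 0) when the ruleset on stdin diverts to port $1 on at most
# one interface; fails otherwise.
double_nat_check() {
    n=$(divert_ifaces "$1" | wc -l | tr -d ' ')
    [ "$n" -le 1 ]
}

# Constructed sample: the thread's first ruleset as "ipfw list" would show
# it, with the placeholders above substituted.  It diverts on both em1 and em0.
OVERNATED='00200 divert 8669 ip from 192.0.2.10 to any in recv em1
00205 allow ip from 192.0.2.10 to any in recv em1
00210 divert 8669 ip from 192.0.2.10 to any out xmit em0
00215 allow ip from 198.51.100.10 to any out xmit em0
00220 divert 8669 ip from any to 198.51.100.10 in recv em0
00225 allow ip from any to 192.0.2.10 in recv em0
00230 divert 8669 ip from any to 192.0.2.10 out xmit em1
00235 allow ip from any to 192.0.2.10 out xmit em1'

# Stand-alone run: report where each ruleset diverts and whether it passes.
printf 'first ruleset diverts on: %s\n' \
    "$(printf '%s\n' "$OVERNATED" | divert_ifaces "$DMZHOST1PORT" | tr '\n' ' ')"
printf '%s\n' "$OVERNATED" | double_nat_check "$DMZHOST1PORT" \
    && echo "first ruleset: ok" || echo "first ruleset: NAT on more than one interface"
printf 'reply ruleset diverts on: %s\n' \
    "$(dmz_rules | divert_ifaces "$DMZHOST1PORT" | tr '\n' ' ')"
dmz_rules | double_nat_check "$DMZHOST1PORT" \
    && echo "reply ruleset: ok" || echo "reply ruleset: NAT on more than one interface"
```

Running the check against a live box is `ipfw list | sh -c '. ./this-script; double_nat_check 8669'` style work; the point is that the quoted symptom (inbound SSH appearing to come from the DMZ host's own public address) is what two divert points for one natd instance produce, and the check flags the first ruleset while passing the reply's. It does not cover the router-to-$DMZPUBLICIP case in the last paragraph: a packet the router itself sends to an address configured on one of its own interfaces is delivered locally and never arrives through $PUBLICIF, so the `in recv $PUBLICIF` divert rule never sees it.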