From: jhall@vandaliamo.net
To: "Christer Hermansson"
Cc: freebsd-net@freebsd.org, jhall@vandaliamo.net
Date: Mon, 15 Oct 2007 21:22:22 -0000 (GMT)
Subject: Re: NAT Questions
Message-ID: <1282.12.170.206.13.1192483342.squirrel@admintool.trueband.net>
In-Reply-To: <47128A06.40901@chdevelopment.se>

> jhall@vandaliamo.net wrote:
>> Following is my configuration.
>>
>> External Interface ------> Internal Interface ------> Rest of network
>> 1.2.3.4/24                 10.129.10.40/24
>> 1.2.3.5/32 Alias
>>
>> 1.2.3.5/24 is the IP address all http traffic will come in on. 1.2.3.4/32
>> is the IP address all other traffic will come in on. Both of these
>> addresses reside on a single NIC with 1.2.3.5 being an alias.
>>
>> ipnat.rules
>> rdr 1.2.3.5/32 port 80 -> 10.129.10.49 port 80
>> map em1 10.129.10.0/24 -> 0.0.0.0/32
>>
>> 10.129.10.49 has 10.129.10.40 (my firewall) listed as its default gateway.
>> When it responds to a request that has been forwarded, how will the
>> firewall return the response? Will it return the request on 1.2.3.5?
>>
> I think you should specify the interface and protocol as well, e.g.
> rdr xl0 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp
>
> The response will have 1.2.3.5 as source address; the NAT software
> remembers that the translation/mapping was done on 1.2.3.5.
>
> I guess you have already added
> gateway_enable="YES"
> to the file /etc/rc.conf
>
> However, it's very bad to let people in to your protected network; if
> they can fool your webserver they have control over an internal machine.
> If the 10.129.10.0/24 is a DMZ, used only for web/mail etc. this is of
> course okay to do.

Thank you for the explanation. I thought that was how it worked, but was not sure.

Yes, the server in question is only used as a web server.

Thanks again for the explanation.

Jay
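As an added illustration that is not part of this thread: a small Python model of the session state an rdr rule creates, showing why the reply to a redirected request leaves with 1.2.3.5 as its source and why naming the interface and protocol in the rule matters. It assumes em1 is the external interface (inferred from the map rule) and uses a constructed client address; it is a simplified model, not IPFilter's code.

```python
from collections import namedtuple

# Minimal packet and rule records (constructed model, not IPFilter's own structures).
Packet = namedtuple("Packet", "src sport dst dport proto", defaults=["tcp"])
RdrRule = namedtuple("RdrRule", "iface ext_ip ext_port int_ip int_port proto")

def parse_rdr(line):
    """Parse 'rdr <if> <ip>/<mask> port <p> -> <ip> port <p> <proto>' (ipnat syntax)."""
    t = line.split()
    if t[0] != "rdr" or t[3] != "port" or t[5] != "->" or t[7] != "port":
        raise ValueError("unsupported rdr syntax: " + line)
    return RdrRule(t[1], t[2].split("/")[0], int(t[4]), t[6], int(t[8]), t[9])

class NatTable:
    """Simplified model of the session state an rdr rule creates."""
    def __init__(self, rules):
        self.rules = rules
        self.state = {}  # (int_ip, int_port, client_ip, client_port) -> (ext_ip, ext_port)

    def inbound(self, iface, pkt):
        """Packet arriving on the external interface: rewrite the destination if a rule matches."""
        for r in self.rules:
            if (r.iface == iface and r.proto == pkt.proto
                    and pkt.dst == r.ext_ip and pkt.dport == r.ext_port):
                # Record the mapping, keyed on the 4-tuple the reply will carry.
                self.state[(r.int_ip, r.int_port, pkt.src, pkt.sport)] = (r.ext_ip, r.ext_port)
                return Packet(pkt.src, pkt.sport, r.int_ip, r.int_port, pkt.proto)
        return pkt

    def outbound(self, pkt):
        """Reply from the internal host: put the external address back from state."""
        hit = self.state.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if hit is None:
            return pkt
        ext_ip, ext_port = hit
        return Packet(ext_ip, ext_port, pkt.dst, pkt.dport, pkt.proto)

def demo():
    # em1 is assumed to be the external interface (inferred from the map rule);
    # 203.0.113.7 is a constructed client address.
    nat = NatTable([parse_rdr("rdr em1 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp")])
    forwarded = nat.inbound("em1", Packet("203.0.113.7", 51515, "1.2.3.5", 80))
    reply = nat.outbound(Packet("10.129.10.49", 80, "203.0.113.7", 51515))
    # Same address and port over UDP: the rule names tcp, so nothing is redirected.
    udp = nat.inbound("em1", Packet("203.0.113.7", 51515, "1.2.3.5", 80, "udp"))
    return forwarded, reply, udp
```

The reply packet comes back out with 1.2.3.5:80 as its source because the state entry, not the web server, supplies the external address.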