Date: Sat, 6 Jul 2002 19:20:16 -0700
From: "Corey Snow" <corey@snowpoint.com>
To: Redmond Militante <r-militante@northwestern.edu>
Cc: freebsd-questions@FreeBSD.org
Subject: Re: stuck on ipfw/natd config
Message-ID: <3D2742F0.18763.65B7745@localhost>
In-Reply-To: <20020706183641.C493@darkpossum>
References: <3D27157D.31618.5A9F2A0@localhost>; from corey@snowpoint.com on Sat, Jul 06, 2002 at 04:06:21PM -0700
On 6 Jul 2002, at 18:36, Redmond Militante wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> hi

Hey there again. :)

> well, i want to stick the webserver behind the nat, and still be able to
> serve up pages to the outside world, as well as sit at the machine and
> surf the internet on it, as usual. i want machines outside the internal
> network to be able to view webpages that resolve to the webserver's url
> &/or proper ip address. so yeah, i want the nat to be invisible to the
> outside world regardless of which direction the traffic's going to
> flow... sorry i didn't make myself clear.

OK, that's a pretty standard configuration. However, you're possibly
confusing NAT with ipfw. They're related and work together, but they have
to be handled separately.

For a firewall of type "OPEN" with natd running, you should probably have
a set of firewall rules that look like this (replace <extif> with your
external interface):

#standard stuff, allow loopback and suchlike
add allow ip from any to any via lo0
add deny ip from any to 127.0.0.0/8
add deny ip from 127.0.0.0/8 to any
#Divert all traffic to natd
add divert natd ip from any to any via <extif>
add allow ip from any to any

Now, this minimal set of firewall rules will allow any system behind your
natd firewall to any system reachable via your external interface.
Usually, the external interface is the one that has a "public" IP address,
one that you get from your ISP.

However, this doesn't get your webserver responding to requests, because
the natd daemon is intended primarily to allow a group of systems with
non-routable (private or RFC1918) addresses to share a single public IP.
Basically, if a connection is made by a system behind the firewall, the
firewall knows which system made it and can send the packets coming back
in response to that request to the original requestor, properly
translated, of course.

But requests coming from the outside to the public IP of the firewall are
dropped if the firewall doesn't know what to do with them - unless you
tell it, there's no way for it to know what system to deliver incoming
requests to.

[WARNING! DANGER, WILL ROBINSON! This is a pretty insecure configuration.
Any machine behind the firewall can go outbound using the firewall with no
restriction, and there is a possibility (not high, but there) that someone
could figure out how to go back through, because the firewall is of type
"OPEN". After you get everything working to your satisfaction and are more
comfortable with firewall rulesets and natd, I'd recommend changing your
firewall type and/or locking down your rules a bit more.]

If you want the public IP address to also be able to provide access to
your web server, you'll need to add the following to the natd_flags
section of /etc/rc.conf or pass it on the commandline used to start the
natd daemon, if you're starting it from /usr/local/etc/rc.d:

natd_flags="-redirect_address 192.168.0.3:80 1.2.3.4:80"

Or from the commandline:

#natd -redirect_address 192.168.0.3:80 1.2.3.4:80

This assumes that the IP address of the web server is 192.168.0.3 and that
your public interface uses IP address 1.2.3.4. I believe this should work,
or a variation thereof. I've never actually used the address redirection
feature myself, but I know many have successfully. You may also be able to
achieve your goal with the -redirect_port option.

> > At any rate, you won't get any traffic through your NAT box unless
> > you have some firewall rules set up. See the FreeBSD handbook,
> > section Advanced Networking for info on setting up NAT and dealing
> > with ipfw.
>
> i had firewall_type="open" in my /etc/rc.conf. wouldn't that at least
> allow me to serve up webpages at this point, albeit while not having
> any firewall rules in place?

See above - you have to have a firewall that allows the traffic, but you
also have to tell natd how to send traffic back and forth.

Regards,

Corey Snow

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
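The script below is an added example and is not part of Corey's mail or of FreeBSD's own rc.firewall. It turns the pieces discussed in the thread (the "OPEN" ruleset with a divert rule, the natd redirect for the web server, the rc.conf knobs) into small shell functions and adds the two checks a practitioner would want before loading anything: that the redirect target really is an RFC1918 address (this catches a mistyped octet such as 19.x.x.x), and that the divert rule is numbered before the catch-all allow, since ipfw evaluates rules in ascending order and a catch-all that comes first would pass packets untranslated. The external interface name fxp0, the rule numbers, the "locked" variant (a tightened starting point in the direction the mail recommends, not a complete policy), and the sample addresses are all assumptions constructed for illustration. For the single-port redirect it emits the -redirect_port form, which natd(8) documents as proto targetIP:targetPORT aliasIP:aliasPORT and which the mail also names as an option.

```shell
#!/bin/sh
# Added example, not part of the original mail: build the ipfw ruleset and
# rc.conf natd settings discussed above from a few variables, and sanity-check
# them before loading. All values below are constructed for illustration.
EXTIF=fxp0            # assumed external interface name
WEBSRV=192.168.0.3    # LAN address of the web server (from the mail)
PUBIP=1.2.3.4         # public address on $EXTIF (from the mail)

# Accept a dotted quad with four 0-255 octets, reject anything else.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Is the address inside an RFC1918 range? The natd redirect target should be.
is_rfc1918() {
    valid_ipv4 "$1" || return 1
    case $1 in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Emit an ipfw ruleset. "open" reproduces the mail's ruleset with explicit
# numbers so ordering is visible; "locked" only admits TCP/80 to the web
# server (its destination has already been rewritten by natd when rule 500
# runs), replies to outbound TCP, DNS replies, and LAN-side traffic.
gen_ipfw_rules() {   # $1 = open|locked, $2 = external interface, $3 = web server IP
    cat <<EOF
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 400 divert natd ip from any to any via $2
EOF
    if [ "$1" = open ]; then
        echo "add 65000 allow ip from any to any"
    else
        cat <<EOF
add 500 allow tcp from any to $3 80 in via $2
add 600 allow tcp from any to any established
add 700 allow ip from any to any out via $2
add 800 allow udp from any 53 to any in via $2
add 900 allow ip from any to any not via $2
add 65000 deny log ip from any to any
EOF
    fi
}

# rc.conf lines for natd. -redirect_port maps one public port to one LAN
# host:port; -redirect_address (the mail's variant) maps a whole address.
gen_natd_flags() {   # $1 = LAN server, $2 = public IP, $3 = TCP port
    printf 'natd_flags="-redirect_port tcp %s:%s %s:%s"\n' "$1" "$3" "$2" "$3"
}
gen_rcconf() {       # $1 = external interface, $2 = LAN server, $3 = public IP
    echo 'natd_enable="YES"'
    echo "natd_interface=\"$1\""
    gen_natd_flags "$2" "$3" 80
}

# Read a ruleset on stdin; succeed only if a divert rule exists and no
# "allow ip from any to any" catch-all is numbered below it.
check_divert_order() {
    awk '
        $1 == "add" && $3 == "divert" { d = $2 }
        $1 == "add" && $3 == "allow" && $4 == "ip" && $5 == "from" &&
            $6 == "any" && $7 == "to" && $8 == "any" && NF == 8 { c = $2 }
        END {
            if (d == "") exit 1
            if (c != "" && c + 0 < d + 0) exit 1
            exit 0
        }'
}

# Stand-alone run: refuse to emit anything for a non-private redirect target.
if is_rfc1918 "$WEBSRV"; then
    gen_ipfw_rules open "$EXTIF" "$WEBSRV"
    echo
    gen_rcconf "$EXTIF" "$WEBSRV" "$PUBIP"
else
    echo "refusing: $WEBSRV is not an RFC1918 address" >&2
fi
```

Pipe the ruleset into check_divert_order before feeding it to ipfw; switching the first argument of gen_ipfw_rules from open to locked gives the tightened variant, which still keeps the divert rule ahead of every allow so that natd sees both directions of traffic on the external interface.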