Date:      Thu, 10 Jan 2008 07:59:17 -0500
From:      "Rodrique Heron" <swygue@rodhouse.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: Forwarding another host
Message-ID:  <1a5f1a2d0801100459s242813a8kc8d3fb8bf209d19@mail.gmail.com>
In-Reply-To: <20080110001152.GI17784@verio.net>
References:  <4784F7E3.3060508@rodhouse.org> <20080110001152.GI17784@verio.net>

On 1/9/08, David DeSimone <fox@verio.net> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rodrique Heron <swygue@gmail.com> wrote:
> >
> > I'm running FreeBSD 6.2 and I want to know if forwarding to a external
> > host is supported by PF.  I want to forward all incoming traffic to
> > port 22 to another host, but it does not work, forwarding to a Jail
> > works though.  Here are my configs:
>
> This is a classic NAT problem.  Picture what happens each step of the
> way:
>
> Your firewall = A.B.C.D
>
> External Host = E.F.G.H
>
> External Client = W.X.Y.Z
>
>     Packet (src = W.X.Y.Z dst = A.B.C.D) goes to the firewall.
>
>     Firewall applies NAT, so packet is now (src = W.X.Y.Z, dst =
>         E.F.G.H).  Firewall routes the packet back out to the external
>         network that it came from.
>
>     External host receives packet (src = W.X.Y.Z, dst = E.F.G.H).
>
>     External host sends back a reply packet (src = E.F.G.H, dst =
>         W.X.Y.Z).  This reply goes straight back over the internet; it
>         does not ever come back to your firewall, but goes directly back
>         to the client.  Firewall does not see reply, so there is no
>         chance to apply reverse NAT.
>
>     Client receives packet (src = E.F.G.H, dst = W.X.Y.Z).  The packet
>         is unrecognized, however, because the packet that the client
>         originally sent was for (src = W.X.Y.Z dst = A.B.C.D).  Client
>         sends a RST.  Connection fails.
>
> The way I have solved this problem in other environments is with "double
> NAT" where the firewall translates both the Source and Destination IP
> for internally-received traffic.  The firewall applies the correct
> destination NAT, but also applies NAT to the source IP, giving its own
> IP.  This causes the external server to reply back to the firewall so
> that the traffic can be de-NAT'd correctly.
>
> However, I am unaware of the ability to perform Double NAT using FreeBSD
> tools.  There is no reason the kernel could not do it; it is just a
> missing feature in the toolset.
>
> Offhand I am not sure why you would want to forward traffic from your
> host over to some external host.  If you really must do this, the only
> way that comes to mind would be using a proxy of some sort, opening a
> secondary connection to the external host on behalf of the client.

I have an immediate need to relocate my Web server from the DMZ to inside the
network. The problem is, my content contributors log in to the server via SSH
and the IP address of the Web server will change after the move.  I am
placing an Apache reverse proxy in place of the Web server and the proxy will
use the Web server's IP address. To make this a seamless move, I wanted to
forward all incoming SSH traffic to the proxy, to the Web server's new IP.

If this can't be done with PF, what other method is available?

Thanks
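The "double NAT" arrangement described in the quoted reply, written out as a pf ruleset (an added example, not a configuration from this thread): it assumes the rdr/nat syntax of FreeBSD 6.2-era pf, an external interface named em0, and the reply's placeholder addresses, and it goes one step beyond the reply by pairing the rdr with a nat rule on the same interface, the same rdr-plus-nat combination pf uses for redirection with reflection.

```pf
# Added example: destination NAT plus source NAT on one interface, so that
# the external host's reply comes back through the firewall. Addresses are
# the reply's placeholders; the interface name em0 is an assumption.
ext_if   = "em0"
fw_ip    = "A.B.C.D"     # the firewall's own external address
ext_host = "E.F.G.H"     # the host SSH should really land on

# Step 1 (destination NAT): inbound SSH for the firewall's address is
# redirected to the external host. On its own this is exactly the
# asymmetric case described above: the reply would bypass the firewall.
rdr on $ext_if proto tcp from any to $fw_ip port 22 -> $ext_host port 22

# Step 2 (source NAT): the redirected packet leaves on the same interface
# it arrived on, so rewrite its source to the firewall's address. The
# external host now replies to the firewall, which reverses both
# translations from the state entry it created.
nat on $ext_if proto tcp from any to $ext_host port 22 -> $fw_ip

# Filter rules see the post-rdr destination, so they must allow traffic
# to $ext_host in both directions, with state.
pass in  on $ext_if proto tcp from any to $ext_host port 22 flags S/SA keep state
pass out on $ext_if proto tcp from any to $ext_host port 22 keep state
```

The external host's sshd will log every forwarded session as coming from A.B.C.D, so the firewall's state table and pflog become the only record of the real client address. The `from any` in the rdr exposes the external host to every source the firewall accepts on port 22, so narrow it to the contributors' networks where that is practical.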
