From: Darren Pilgrim <dmp@pantherdragon.org>
Date: Wed, 16 Apr 2003 14:40:35 -0700
cc: freebsd-ipfw@freebsd.org
Subject: Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL
Message-Id: <20030416144035.1f7711e1.dmp@pantherdragon.org>
In-Reply-To: <000001c3045c$da5d0f20$3401a8c0@neptune>

"C_Ahlers" wrote:

> I do understand what you are suggesting in principle, and I do
> understand the syntax of ipfw forward rules.
> However, I just am not sure exactly how to create the correct forward
> rule. Would this be correct?:
>
> ipfw add fwd a.a.a.15 all from b.b.b.0/24 to a.a.a.15

The ipaddr immediately after "fwd" is the ip address you want the
packets forwarded to.

The scope of that rule is dangerous, IMO. It could interfere with natd
since it will also match on the external interface. A better rule is
one made very specific:

ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif

Where $iif is replaced with the name of your internal interface.

> I forgot to describe earlier that: gateway_enable="YES". Does this have
> any effect on the discussion?

No, the gateway_enable option just tells the system to function as a
router for arriving packets destined for non-local addresses.

> (sorry if it seems that I have concrete between my ears)

What happens inside firewalls isn't always obvious or simple.

> From: Darren Pilgrim [mailto:dmp@pantherdragon.org] wrote:
>
> [trimmed for relevance]
>
> > firewall external IP = a.a.a.15 (internet ip address)
> > firewall internal IP = b.b.b.254 (private ip address)
> >
> > NATD: alias_address = a.a.a.15
> > NATD: redirect_port tcp b.b.b.100:80 80
> > NATD: deny_incoming
> >
> > webserver internal IP = b.b.b.100
> > example client pc IP = b.b.b.57
> > client pc gateway IP = b.b.b.254 (firewall)
> >
> <...>
> > However, INTERNAL hosts are unable to connect to my webserver via
> > a.a.a.15 (since this is not actually the webserver's address).
> <...>
> > Any suggestions?
>
> Use an ipfw forward rule for the requests coming from the LAN. Read
> ipfw(8) for the appropriate syntax.
>
> Explanation:
>
> a.a.a.15 is a local address according to the firewall box, so it isn't
> going to route anything destined for a.a.a.15 out an interface. Since
> natd is configured to only act upon packets crossing the external
> interface, it never sees the LAN-sourced requests for a.a.a.15, thus the
> redirection never takes place.
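The difference in scope between the two fwd rules in this exchange is easier to see by running both over a handful of packets. The following is an added example, not code from the message or from ipfw itself: it models only the match clauses visible in the two quoted rules (protocol, source network, destination address, destination port, direction, via interface), not ipfw's real rule engine. The addresses are constructed stand-ins from documentation ranges (203.0.113.15 for a.a.a.15, 192.168.1.0/24 for b.b.b.0/24, 192.168.1.100 for b.b.b.100, 198.51.100.7 for an Internet host), and the interface names fxp0 (external) and fxp1 (internal) are assumed.

```python
"""Model of how the broad and the specific ipfw fwd rule match packets.

Added example, not code from the original message. Addresses are
constructed stand-ins; interface names fxp0/fxp1 are assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

EXT_IP = ipaddress.ip_address("203.0.113.15")   # stands in for a.a.a.15
LAN = ipaddress.ip_network("192.168.1.0/24")     # stands in for b.b.b.0/24
WEB = ipaddress.ip_address("192.168.1.100")      # stands in for b.b.b.100
EXT_IF, INT_IF = "fxp0", "fxp1"                  # assumed interface names


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp", "udp", ...
    src: str
    dst: str
    dport: int
    direction: str    # "in" or "out" relative to the firewall box
    iface: str        # interface the packet crosses


@dataclass(frozen=True)
class FwdRule:
    """Subset of 'fwd TARGET PROTO from SRC to DST [PORT] [in|out] [via IF]'."""
    target: str
    proto: str                      # "all" or a protocol name
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None     # None = any destination port
    direction: Optional[str] = None  # None = either direction
    via: Optional[str] = None        # None = any interface

    def matches(self, p: Packet) -> bool:
        if self.proto != "all" and self.proto != p.proto:
            return False
        if ipaddress.ip_address(p.src) not in self.src:
            return False
        if ipaddress.ip_address(p.dst) != self.dst:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.direction is not None and p.direction != self.direction:
            return False
        if self.via is not None and p.iface != self.via:
            return False
        return True


# The proposed rule: every protocol, every port, every interface.
BROAD = FwdRule(target=str(EXT_IP), proto="all", src=LAN, dst=EXT_IP)
# The narrowed rule: only TCP/80 from the LAN, inbound on the inside interface.
SPECIFIC = FwdRule(target=f"{WEB},80", proto="tcp", src=LAN, dst=EXT_IP,
                   dport=80, direction="in", via=INT_IF)

# Constructed sample traffic.
SAMPLES = {
    # The case the thread wants to solve: LAN client to the web server via the external IP.
    "lan_http_to_ext_ip": Packet("tcp", "192.168.1.57", str(EXT_IP), 80, "in", INT_IF),
    # LAN client talking to a service on the firewall itself; only the broad rule grabs it.
    "lan_ssh_to_firewall": Packet("tcp", "192.168.1.57", str(EXT_IP), 22, "in", INT_IF),
    # LAN-sourced packet crossing the external interface; the broad rule has no
    # 'via' clause, so it fires here too, which is the interference with natd.
    "lan_src_seen_on_ext_if": Packet("tcp", "192.168.1.57", str(EXT_IP), 80, "in", EXT_IF),
    # Ordinary outbound browsing: neither rule should touch it.
    "lan_http_to_internet": Packet("tcp", "192.168.1.57", "198.51.100.7", 80, "in", INT_IF),
}


def evaluate(rules=None, samples=None) -> dict:
    """Return {sample_name: {rule_name: matched}} for every sample packet."""
    rules = rules or {"broad": BROAD, "specific": SPECIFIC}
    samples = samples or SAMPLES
    return {name: {rn: r.matches(p) for rn, r in rules.items()}
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:26s} broad={result['broad']!s:5s} specific={result['specific']}")
```

Only the first sample is matched by both rules; the broad rule additionally captures unrelated LAN-to-firewall traffic and packets on the external interface, which is exactly the over-reach the reply warns about. When writing a real fwd rule, keep the protocol, port, direction and `via` clauses so the rule cannot fire on traffic natd is expected to handle.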