From owner-freebsd-questions@FreeBSD.ORG Mon Aug 11 11:46:51 2003 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7946E37B404 for ; Mon, 11 Aug 2003 11:46:51 -0700 (PDT) Received: from lv.raad.tartu.ee (lv.raad.tartu.ee [194.126.106.110]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA48943F75 for ; Mon, 11 Aug 2003 11:46:48 -0700 (PDT) (envelope-from toomas.aas@raad.tartu.ee) Received: Message by Barricade lv.raad.tartu.ee with ESMTP id h7BIkiO23983; Mon, 11 Aug 2003 21:46:44 +0300 Message-Id: <200308111846.h7BIkiO23983@lv.raad.tartu.ee> Received: from INFO/SpoolDir by raad.tartu.ee (Mercury 1.48); 11 Aug 03 21:46:44 +0300 Received: from SpoolDir by INFO (Mercury 1.48); 11 Aug 03 21:46:16 +0300 From: "Toomas Aas" Organization: Tartu City Government To: Johannes Angeldorff , questions@freebsd.org Date: Mon, 11 Aug 2003 21:46:16 +0300 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Priority: normal In-reply-to: Subject: Re: ipfw / natd does not allow lan traffic to reach external num X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 11 Aug 2003 18:46:51 -0000 Hi! > I have a problem with our firewall/NAT, on a FreeBSD 4.7 box... Here > a list with some details: > > *) The FreeBSD box uses natd and ipfw, and have two external IP:s, > lets say aaa.bbb.ccc.20 and ddd.eee.fff.21. > > *) natd is used to redirect access to external IP addresses and ports > to internal LAN IP:s, for example 192.168.0.20 and 192.168.0.21, > where for example webservers are located. > > *) natd rules: > > *) ipfw lets things through: > Most things works just fine, external access are redirected to > correct ports, and the webservers work just fine. BUT the problem > comes when a box on the LAN tries to reach a site residing on > 192.168.0.20 using the _external_ IP aaa.bbb.ccc.20. I don't use ipfw but I encountered the same problem when I first attempted to do the similar setup using ipfilter/ipnat. The problem (at least with ipfilter/ipnat) is that nat does not change the *source* address of packets to that of the machine doing the NAT. So, if you are at machine 192.168.1.10, the internal IP of the NAT box is 192.168.1.1 and you are trying to access a service running on 192.168.1.2 via the external interface of the NAT box, this is what happens: * Your PC sends initial SYN with source=192.168.1.10, target=. This packet goes to the natbox, as that is your default gateway. * NAT on natbox translates the target address to 192.168.1.2 and sends the packet there. The source address remains unchanged (192.168.1.10). * 192.168.1.2 sees the packet coming from 192.168.1.10, and - this is where it goes wrong - sends response (SYN+ACK) directly to 192.168.1.10. * since 192.168.1.10 did not initiate session with 192.168.1.2 but with natbox, it doesn't want anything to do with this strange SYN+ACK packet and just drops it. There are several possible solutions recommended for ipfilter, but the one that I myself ended up using was set up netcat on the natbox. Basically (using inetd) you set up netcat to listen on an arbitrary port X and pipe all traffic to the machine:port on your internal net where the actual service is running (such as 192.168.1.2:80). Then you forward all traffic with src= and dst= to 127.0.0.1:X. That way the internal server sees packets coming from natbox, sends its responses there, and the natbox in turn sends responses back to the original client. Everybody's happy. As I said I don't use ipfw myself so I can't give you any specific ipfw commands, but I'm sure it all can be done. If only my explanation wasn't too confusing :-) -- Toomas Aas | toomas.aas@raad.tartu.ee | http://www.raad.tartu.ee/~toomas/ * (A)bort, (R)etry, (I)nfluence with large hammer?