Date:      Thu, 22 Sep 2011 16:24:15 +0200
From:      Marek Salwerowicz <marek_sal@wp.pl>
To:        Freddie Cash <fjwcash@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: ipfw - accessing DMZ from LAN
Message-ID:  <4E7B450F.5050802@wp.pl>
In-Reply-To: <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com>
References:  <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com>

On 2011-08-10 16:22, Freddie Cash wrote:
>
>         The more correct method is to double-NAT the traffic, such that the LAN
>         clients connect to public IPs, and the DMZ servers see connections from
>         public IPs.  It's more complicated to wrap your head around the first time,
>         but it prevents private IPs from "leaking" between the LAN, the Internet,
>         and the DMZ.  (It took me 10 years of using IPFW to figure this one out.)
>
>         # Configure the general natd process for the LAN
>         natd -port $port2 -same_ports -use_sockets -alias_address x.x.x.171
>
>         # Configure the natd process to NAT from x.x.x.170 to 192.168.0.10 using
>         some port
>         natd -port $port1 -same_ports -use_sockets -alias_address x.x.x.170 -redirect_address x.x.x.170 192.168.0.10
>
>         # NAT the traffic coming from the LAN to x.x.x.170
>         ipfw add divert $port1 ip from $LAN to x.x.x.170 in recv vr0
>         ipfw add allow ip from $LAN to 192.168.0.10 in recv vr0
>
>         # NAT the traffic going to x.x.x.170 from the LAN
>         ipfw add divert $port2 ip from $LAN to 192.168.0.10 out xmit vr2
>         ipfw add allow ip from x.x.x.171 to 192.168.0.10 out xmit vr2
>
>         # NAT the traffic coming from x.x.x.170 to the LAN
>         ipfw add divert $port1 ip from 192.168.0.10 to x.x.x.171 in recv vr2
>         ipfw add allow ip from 192.168.0.10 to $LAN in recv vr2
>
>         # NAT the traffic going to the LAN from x.x.x.170
>         ipfw add divert ip from 192.168.0.10 to $LAN out xmit vr0
>         ipfw add allow ip from x.x.x.170 to $LAN out xmit vr0
>
>         The general flow of the rules above is (src -->  dest)
>         10.0.0.x -->  x.x.x.170
>         10.0.0.x -->  192.168.0.10  (after first NAT)
>         x.x.x.171 -->  192.168.0.10 (after second NAT)
>
>         192.168.0.10 -->  x.x.x.171
>         192.168.0.10 -->  10.0.0.x (after first NAT)
>         x.x.x.170 -->  10.0.0.x  (after second NAT)
>
>         Notice how vr3 is never used in any of the rules above, as the packets never
>         touch the public interface of the router.
>

Hi,

I set up the firewall like this:

$cmd flush

##LAN1 --> PUBLIC
$cmd add divert $NATLANPORT ip from $LAN1 to $MYPUBLICIP via $PUBLICIF
$cmd add allow ip from $LAN1 to $MYPUBLICIP via $PUBLICIF

#NAT for LAN1
natd -port $NATLANPORT -same_ports -use_sockets -alias_address $MYPUBLICIP

#NAT for DMZHOST1
natd -port $DMZHOST1PORT -same_ports -use_sockets -alias_address $DMZHOST1PUBLIC -redirect_address $DMZHOST1PUBLIC $DMZHOST1PRIVATE


##LAN1 --> DMZHOST1
#Traffic from LAN1 to DMZHOST1 - coming from LAN1
$cmd add divert $NATLANPORT ip from $LAN1 to $DMZHOST1PUBLIC in recv $LAN1IF
$cmd add allow ip from $LAN1 to $DMZHOST1PRIVATE in recv $LAN1IF

#Traffic to DMZHOST1 from LAN1 - going to DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $LAN1 to $DMZHOST1PRIVATE out xmit $DMZIF
$cmd add allow ip from $DMZHOST1PUBLIC to $DMZHOST1PRIVATE out xmit $DMZIF

##DMZHOST1 --> LAN1
#Traffic from DMZHOST1 to LAN1 - coming from DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $DMZHOST1PRIVATE to $DMZHOST1PUBLIC in recv $DMZIF
$cmd add allow ip from $DMZHOST1PRIVATE to $LAN1 in recv $DMZIF

#Traffic to LAN1 from DMZHOST1 - going to LAN1
$cmd add divert $NATLANPORT ip from $DMZHOST1PRIVATE to $LAN1 out xmit $LAN1IF
$cmd add allow ip from $DMZHOST1PUBLIC to $LAN1 out xmit $LAN1IF

$cmd add allow ip from any to me
$cmd add allow ip from me to any
$cmd add deny ip from any to any

But in fact it doesn't work - I am not able to connect to the DMZ HOST1 
public IP from LAN1. When I try to connect, I connect to the router, not 
DMZ HOST1.

In rc.conf I have only:
natd_enable="YES"
natd_interface="em0"

em0 is my interface connected to the public ISP.

DMZ HOST1 Public IP is set as an alias for em0

Can you have a look at my issue?

Regards,

-- 
Marek Salwerowicz
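As an added example (not code from either poster in this thread), the script below generates the double-NAT rule set that the quoted reply describes, in the `$cmd`-variable style used on this list, as a dry run so the resulting natd and ipfw commands can be reviewed before anything is applied. Interface names, the LAN prefix, the TEST-NET addresses and the natd ports are constructed placeholders. The pairing of each divert rule with a natd instance follows from which instance owns the address being rewritten at that step (the LAN natd owns the LAN alias address; the redirect natd owns the DMZ host's public address); that pairing is my reading of the quoted flow, not something stated in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: dry-run generator for an ipfw/natd
# double-NAT between a LAN and a DMZ host. Every value below is a constructed
# placeholder; change it for a real deployment.

LANIF=vr0               # interface facing the LAN (assumed)
DMZIF=vr2               # interface facing the DMZ (assumed)
LAN=10.0.0.0/24         # LAN prefix (assumed)
LANPUB=192.0.2.171      # public address LAN clients are NATed to (assumed, TEST-NET-1)
DMZPUB=192.0.2.170      # public address of the DMZ host (assumed, TEST-NET-1)
DMZPRIV=192.168.0.10    # private address of the DMZ host (assumed)
LANPORT=8668            # divert port of the natd instance serving the LAN (assumed)
DMZPORT=8669            # divert port of the natd instance redirecting to the DMZ host (assumed)

# cmd: print the command when DRYRUN=1 (the default), otherwise execute it.
cmd() {
    if [ "${DRYRUN:-1}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Two natd instances: one that aliases LAN clients to LANPUB, and one that
# owns DMZPUB and statically maps it to DMZPRIV in both directions.
start_natd() {
    cmd natd -port "$LANPORT" -same_ports -use_sockets -alias_address "$LANPUB"
    cmd natd -port "$DMZPORT" -same_ports -use_sockets -alias_address "$DMZPUB" \
        -redirect_address "$DMZPUB" "$DMZPRIV"
}

lan_to_dmz_rules() {
    # Step 1: LAN -> DMZPUB arrives on LANIF. The instance that owns DMZPUB
    # (DMZPORT) rewrites the destination to DMZPRIV.
    cmd ipfw add divert "$DMZPORT" ip from "$LAN" to "$DMZPUB" in recv "$LANIF"
    cmd ipfw add allow ip from "$LAN" to "$DMZPRIV" in recv "$LANIF"
    # Step 2: LAN -> DMZPRIV leaves on DMZIF. The LAN instance (LANPORT)
    # rewrites the source to LANPUB, so the DMZ host only sees a public address.
    cmd ipfw add divert "$LANPORT" ip from "$LAN" to "$DMZPRIV" out xmit "$DMZIF"
    cmd ipfw add allow ip from "$LANPUB" to "$DMZPRIV" out xmit "$DMZIF"
}

dmz_to_lan_rules() {
    # Step 3: the reply DMZPRIV -> LANPUB arrives on DMZIF. The LAN instance
    # owns LANPUB and maps the destination back to the LAN client.
    cmd ipfw add divert "$LANPORT" ip from "$DMZPRIV" to "$LANPUB" in recv "$DMZIF"
    cmd ipfw add allow ip from "$DMZPRIV" to "$LAN" in recv "$DMZIF"
    # Step 4: DMZPRIV -> LAN leaves on LANIF. The DMZ instance rewrites the
    # source back to DMZPUB, so the LAN client sees the address it connected to.
    cmd ipfw add divert "$DMZPORT" ip from "$DMZPRIV" to "$LAN" out xmit "$LANIF"
    cmd ipfw add allow ip from "$DMZPUB" to "$LAN" out xmit "$LANIF"
}

# Emit everything in order: natd must be running before the divert rules
# start handing it packets.
all_rules() {
    start_natd
    lan_to_dmz_rules
    dmz_to_lan_rules
}

# count_divert_to PORT: how many generated divert rules target a natd port.
# A quick self-check that each instance gets exactly one rule per direction.
count_divert_to() {
    all_rules | grep -c "ipfw add divert $1 "
}

# Dry run by default; "apply" actually executes (requires root and ipfw/natd).
if [ "${1:-}" = "apply" ]; then
    DRYRUN=0 all_rules
else
    all_rules
fi
```

Run it with no arguments to review the generated commands; each natd port should appear in exactly two divert rules, one for packets arriving and one for packets leaving, and the public interface should not appear in any rule.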