From: Marek Salwerowicz
To: Freddie Cash
Cc: freebsd-net@freebsd.org
Date: Thu, 22 Sep 2011 16:24:15 +0200
Subject: Re: ipfw - accessing DMZ from LAN
Message-ID: <4E7B450F.5050802@wp.pl>

On 2011-08-10 16:22, Freddie Cash wrote:
>
> The more correct method is to double-NAT the traffic, such that the LAN
> clients connect to public IPs, and the DMZ servers see connections from
> public IPs. It's more complicated to wrap your head around the first time,
> but it prevents private IPs from "leaking" between the LAN, the Internet,
> and the DMZ. (It took me 10 years of using IPFW to figure this one out.)
>
> # Configure the general natd process for the LAN
> natd -port $port2 -same_ports -use_sockets -alias_address x.x.x.171
>
> # Configure the natd process to NAT from x.x.x.170 to 192.168.0.10 using some port
> natd -port $port1 -same_ports -use_sockets -alias_address x.x.x.170 -redirect_address x.x.x.170 192.168.0.10
>
> # NAT the traffic coming from the LAN to x.x.x.170
> ipfw add divert $port1 ip from $LAN to x.x.x.170 in recv vr0
> ipfw add allow ip from $LAN to 192.168.0.10 in recv vr0
>
> # NAT the traffic going to x.x.x.170 from the LAN
> ipfw add divert $port2 ip from $LAN to 192.168.0.10 out xmit vr2
> ipfw add allow ip from x.x.x.171 to 192.168.0.10 out xmit vr2
>
> # NAT the traffic coming from x.x.x.170 to the LAN
> ipfw add divert $port1 ip from 192.168.0.10 to x.x.x.171 in recv vr2
> ipfw add allow ip from 192.168.0.10 to $LAN in recv vr2
>
> # NAT the traffic going to the LAN from x.x.x.170
> ipfw add divert ip from 192.168.0.10 to $LAN out xmit vr0
> ipfw add allow ip from x.x.x.170 to $LAN out xmit vr0
>
> The general flow of the rules above is (src --> dest)
> 10.0.0.x --> x.x.x.170
> 10.0.0.x --> 192.168.0.10 (after first NAT)
> x.x.x.171 --> 192.168.0.10 (after second NAT)
>
> 192.168.0.10 --> x.x.x.171
> 192.168.0.10 --> 10.0.0.x (after first NAT)
> x.x.x.170 --> 10.0.0.x (after second NAT)
>
> Notice how vr3 is never used in any of the rules above, as the packets never
> touch the public interface of the router.
>

Hi,

I set up the firewall like this:

$cmd flush

##LAN1 --> PUBLIC
$cmd add divert $NATLANPORT ip from $LAN1 to $MYPUBLICIP via $PUBLICIF
$cmd add allow ip from $LAN1 to $MYPUBLICIP via $PUBLICIF

#NAT for LAN1
natd -port $NATLANPORT -same_ports -use_sockets -alias_address $MYPUBLICIP

#NAT for DMZHOST1
natd -port $DMZHOST1PORT -same_ports -use_sockets -alias_address $DMZHOST1PUBLIC -redirect_address $DMZHOST1PUBLIC $DMZHOST1PRIVATE

##LAN1 --> DMZHOST1
#Traffic from LAN1 to DMZHOST1 - coming from LAN1
$cmd add divert $NATLANPORT ip from $LAN1 to $DMZHOST1PUBLIC in recv $LAN1IF
$cmd add allow ip from $LAN1 to $DMZHOST1PRIVATE in recv $LAN1IF

#Traffic to DMZHOST1 from LAN1 - going to DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $LAN1 to $DMZHOST1PRIVATE out xmit $DMZIF
$cmd add allow ip from $DMZHOST1PUBLIC to $DMZHOST1PRIVATE out xmit $DMZIF

##DMZHOST1 --> LAN1
#Traffic from DMZHOST1 to LAN1 - coming from DMZHOST1
$cmd add divert $DMZHOST1PORT ip from $DMZHOST1PRIVATE to $DMZHOST1PUBLIC in recv $DMZIF
$cmd add allow ip from $DMZHOST1PRIVATE to $LAN1 in recv $DMZIF

#Traffic to LAN1 from DMZHOST1 - going to LAN1
$cmd add divert $NATLANPORT ip from $DMZHOST1PRIVATE to $LAN1 out xmit $LAN1IF
$cmd add allow ip from $DMZHOST1PUBLIC to $LAN1 out xmit $LAN1IF

$cmd add allow ip from any to me
$cmd add allow ip from me to any
$cmd add deny ip from any to any

But in fact it doesn't work - I am not able to connect to DMZ HOST1's public IP from LAN1. When I try to connect, I connect to the router, not DMZ HOST1.

In rc.conf I have only:

natd_enable="YES"
natd_interface="em0"

em0 is my interface connected to the public ISP. DMZ HOST1's public IP is set as an alias for em0.

Can you have a look at my issue?

Regards,

-- 
Marek Salwerowicz
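The LAN-to-DMZ half of the double-NAT scheme in the thread, as an added example that is not part of either message: a small Python model of two natd processes and the ipfw rule walk a packet takes. It assumes natd(8)'s documented behaviour (a packet diverted by an "in" rule is handled as incoming and one diverted by an "out" rule as outgoing; -redirect_address is a static two-way mapping; a dynamic natd passes an incoming packet it holds no state for through unchanged) and that after a divert the reinjected packet resumes matching at the rule after the divert rule. The addresses 203.0.113.170/171 are placeholders for x.x.x.170/171, the interface names vr0/vr2 are the ones in the quoted post, and the set of addresses that ipfw's "me" matches is assumed to contain just those two public aliases. Running the same rule skeleton with the two natd processes in either order shows why the order matters: with the redirect natd on the inbound LAN rule the client's packet leaves the DMZ interface as x.x.x.171 -> 192.168.0.10, the sequence the quoted post lists; with the plain alias natd on the inbound rule the destination is never rewritten, the packet still addressed to one of the router's own aliases is accepted by "allow ip from any to me" and is delivered to the router itself, which is the symptom reported above.

```python
"""Model of the ipfw + natd double-NAT "hairpin" from the thread.

Constructed example, not code from the list post.  Two natd processes are
modelled the way natd(8) behaves: a packet diverted by an "in" rule is
incoming, one diverted by an "out" rule is outgoing.  A plain natd rewrites
the source of outgoing packets to its alias and undoes that for replies it
holds state for; a natd started with -redirect_address additionally maps
public <-> private statically in both directions.
"""
import ipaddress

# Assumed placeholders for the x.x.x.170/171 and interface names in the thread.
LAN = ipaddress.ip_network("10.0.0.0/24")
PUBLIC_LAN = ipaddress.ip_address("203.0.113.171")  # LAN natd alias (x.x.x.171)
PUBLIC_DMZ = ipaddress.ip_address("203.0.113.170")  # DMZ host public IP (x.x.x.170)
DMZ_HOST = ipaddress.ip_address("192.168.0.10")
LAN_IF, DMZ_IF = "vr0", "vr2"
ROUTER_ADDRS = {PUBLIC_LAN, PUBLIC_DMZ}             # what ipfw's "me" matches (assumed)


class Natd:
    """One natd process: alias address, optional static redirect, state table."""

    def __init__(self, alias, redirect=None):
        self.alias = alias
        self.redirect = redirect  # (public, private) or None
        self.table = {}           # (alias, dst) -> original source

    def outgoing(self, src, dst):
        if self.redirect and src == self.redirect[1]:
            return self.redirect[0], dst        # static: private -> public
        self.table[(self.alias, dst)] = src     # dynamic: remember the flow
        return self.alias, dst

    def incoming(self, src, dst):
        if self.redirect and dst == self.redirect[0]:
            return src, self.redirect[1]        # static: public -> private
        if (dst, src) in self.table:
            return src, self.table[(dst, src)]  # reply to a translated flow
        return src, dst                         # no state: passed through unchanged


def match(spec, addr):
    """ipfw address spec: "any", "me", a network, or a single address."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ROUTER_ADDRS
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    return addr == spec


def walk(rules, pkt, direction, iface):
    """Run one packet through an ipfw rule list for one direction/interface.
    Rules are (action, natd, src_spec, dst_spec, direction, iface); direction
    None means no in/out qualifier.  Returns ((src, dst), verdict)."""
    src, dst = pkt
    for action, natd, r_src, r_dst, r_dir, r_if in rules:
        if r_dir is not None and (r_dir, r_if) != (direction, iface):
            continue
        if not (match(r_src, src) and match(r_dst, dst)):
            continue
        if action == "divert":  # natd translates; matching resumes at the next rule
            src, dst = natd.incoming(src, dst) if direction == "in" else natd.outgoing(src, dst)
        else:
            return (src, dst), action
    return (src, dst), "deny"


def build_rules(inbound_natd, outbound_natd):
    """LAN -> DMZ rules from the thread, parameterised by which natd handles the
    packet as it enters on the LAN side and which as it leaves on the DMZ side,
    followed by the poster's catch-all rules."""
    return [
        ("divert", inbound_natd, LAN, PUBLIC_DMZ, "in", LAN_IF),
        ("allow", None, LAN, DMZ_HOST, "in", LAN_IF),
        ("divert", outbound_natd, LAN, DMZ_HOST, "out", DMZ_IF),
        ("allow", None, outbound_natd.alias, DMZ_HOST, "out", DMZ_IF),
        ("allow", None, "any", "me", None, None),
        ("allow", None, "me", "any", None, None),
        ("deny", None, "any", "any", None, None),
    ]


def lan_to_dmz(rules, client):
    """First packet from a LAN client to the DMZ host's public IP: the inbound
    pass on the LAN interface, then the outbound pass on the DMZ interface.  A
    destination that is still one of the router's own addresses after the
    inbound pass is delivered locally and never reaches the DMZ interface."""
    pkt, verdict = walk(rules, (ipaddress.ip_address(client), PUBLIC_DMZ), "in", LAN_IF)
    if verdict == "allow" and pkt[1] in ROUTER_ADDRS:
        verdict = "delivered to router"
    elif verdict == "allow":
        pkt, verdict = walk(rules, pkt, "out", DMZ_IF)
    return str(pkt[0]), str(pkt[1]), verdict


def hairpin_redirect_first(client):
    """Quoted ordering: redirect natd on the inbound rule, alias natd outbound."""
    lan_natd = Natd(PUBLIC_LAN)
    dmz_natd = Natd(PUBLIC_DMZ, redirect=(PUBLIC_DMZ, DMZ_HOST))
    return lan_to_dmz(build_rules(dmz_natd, lan_natd), client)


def hairpin_alias_first(client):
    """Swapped ordering: alias natd on the inbound rule, redirect natd outbound."""
    lan_natd = Natd(PUBLIC_LAN)
    dmz_natd = Natd(PUBLIC_DMZ, redirect=(PUBLIC_DMZ, DMZ_HOST))
    return lan_to_dmz(build_rules(lan_natd, dmz_natd), client)


if __name__ == "__main__":
    print("redirect natd first:", hairpin_redirect_first("10.0.0.5"))
    print("alias natd first:   ", hairpin_alias_first("10.0.0.5"))
```

On a real box the same trace can be read off the router: `ipfw show` prints per-rule packet counters, so it is immediately visible which divert rule the LAN packet hits and whether the "allow ip from any to me" rule is the one accepting it, and running the natd processes in the foreground with `natd -v` prints each translation they perform.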