From: Nelis Lamprecht <nelis@8ball.co.za>
To: Jason Lavigne
Cc: FreeBSD Questions Mail List <freebsd-questions@freebsd.org>
Date: Fri, 06 Feb 2004 08:16:02 +0200
Subject: RE: ipf + ipnat + dmz + bridge question

On Thu, 2004-02-05 at 15:04, Jason Lavigne wrote:
> Clever. I tried that and now I have found a different issue, I don't
> know if ipnat is working correctly, I can browse the internet using my
> LAN however the ipnat.rules are being completely ignored, I removed all
> rules and I can still browse the Internet with my LAN and to me this is
> odd.
>
> Any ideas?

Just one. Besides the usual kernel tunes the most important one for ipf to
successfully work is IP Forwarding. Make sure you have this enabled.

sysctl net.inet.ip.forwarding=1

> Thanks for your time.
>
> Jay
>
> -----Original Message-----
> From: Nelis Lamprecht [mailto:nelis@8ball.co.za]
> Sent: Thursday, February 05, 2004 3:47 AM
> To: Jason Lavigne
> Cc: FreeBSD Questions Mail List
> Subject: Re: ipf + ipnat + dmz + bridge question
>
> On Thu, 2004-02-05 at 02:57, Jason Lavigne wrote:
> > Hello all,
> >
> > I currently have a firewall with 3 nics, one goes to the net, one to
> > the DMZ and one to the LAN. I have ipf and ipnat running along with
> > FreeBSD bridge support and I have the external nic and the DMZ nic
> > bridged. All DMZ computers are configured with a real public ip and
> > have the firewall as the gateway.
> >
> > My question is when any computer from my DMZ goes out to the net it
> > uses the ip of the firewall and not the public ip it was assigned.
> > Internally within the DMZ they use the correct ips. How can I make it
> > so when the DMZ computers are on the net they report as using their
> > assigned ip. Is the DMZ using ipnat? I only have the LAN mapped in
> > ipnat.rules and nothing about the DMZ ips.
> >
> > TIA
> >
> > Jay
> >
> > Here are my configs:
> >
> > ifconfig
> >
> > dc0: flags=8843 mtu 1500
> >         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> >         inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
> >         ether 00:03:6d:00:09:bd
> >         media: Ethernet autoselect (100baseTX)
> >         status: active
> > dc1: flags=8943 mtu 1500
> >         inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
> >         inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
> >         ether 00:80:c6:ea:7a:f1
> >         media: Ethernet autoselect (100baseTX)
> >         status: active
> > xl0: flags=8943 mtu 1500
> >         options=3
> >         inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
> >         inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
> >         inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
> >         ether 00:50:da:1b:90:c3
> >         media: Ethernet autoselect (10baseT/UTP)
> >         status: active
> > lp0: flags=8810 mtu 1500
> > lo0: flags=8049 mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> >         inet 127.0.0.1 netmask 0xff000000
> > tun0: flags=8051 mtu 1492
> >         inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
> >         Opened by PID 241
> >
> > /etc/ipnat.rules
> >
> > # nat the lan
> > map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32
>
> try changing this to:
>
> map xl0 from 192.168.1.0/24 ! to xxx.yyy.200.99/32 -> xxx.yyy.200.97/32
>
> which basically tells ipnat to always use NAT unless you are speaking
> with your DMZ xxx.yyy.200.99/32
>
>
> Regards,

--
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgp/nelis.key
"Unix IS user friendly.. It's just selective about who its friends are."
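As an added illustration (not code from the thread or from IPFilter itself), the following Python simulator models how an ipnat "map" rule selects packets, so the two rules in the thread can be compared: Jason's original rule rewrites every LAN source leaving xl0, while Nelis's "! to" form leaves LAN-to-DMZ traffic untouched. It is a simplified model of the map/from/to syntax only (no portmap, no rdr, no IP-forwarding check), and the masked xxx.yyy.200.x addresses are replaced by constructed 203.0.113.x stand-ins.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-ins for the thread's masked xxx.yyy.200.x addresses (TEST-NET-3).
LAN_NET = "192.168.1.0/24"
DMZ_HOST = "203.0.113.99"   # plays the role of xxx.yyy.200.99, the DMZ host Nelis excludes
FW_PUBLIC = "203.0.113.97"  # plays the role of xxx.yyy.200.97, the address NAT rewrites to

@dataclass
class MapRule:
    ifname: str
    src: ipaddress.IPv4Network
    dst: Optional[ipaddress.IPv4Network]  # None means "any destination"
    negate_dst: bool                      # True when written as "! to"
    nat_addr: ipaddress.IPv4Address

def parse_map_rule(line: str) -> MapRule:
    """Parse the subset of ipnat 'map' syntax used in the thread (simplified model)."""
    toks = line.split("#", 1)[0].split()
    if len(toks) < 4 or toks[0] != "map" or "->" not in toks:
        raise ValueError(f"unsupported rule: {line!r}")
    arrow = toks.index("->")
    sel, nat = toks[2:arrow], ipaddress.ip_network(toks[arrow + 1], strict=False)
    dst, negate = None, False
    if sel[0] == "from":                       # map IF from SRC [[!] to DST] -> NAT
        src, rest = ipaddress.ip_network(sel[1], strict=False), sel[2:]
        if rest and rest[0] == "!":
            negate, rest = True, rest[1:]
        if rest and rest[0] == "to":
            dst = ipaddress.ip_network(rest[1], strict=False)
    else:                                      # map IF SRC -> NAT
        src = ipaddress.ip_network(sel[0], strict=False)
    return MapRule(toks[1], src, dst, negate, nat.network_address)

def nat_source(rules: List[MapRule], out_if: str, src: str, dst: str) -> str:
    """Source address a packet leaves out_if with; the first matching rule rewrites it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.ifname != out_if or s not in r.src:
            continue
        # Plain "to": only destinations inside r.dst match; "! to": only those outside it.
        if r.dst is not None and (d in r.dst) == r.negate_dst:
            continue
        return str(r.nat_addr)
    return str(s)

ORIGINAL = f"map xl0 {LAN_NET} -> {FW_PUBLIC}/32"                       # Jason's rule
FIXED = f"map xl0 from {LAN_NET} ! to {DMZ_HOST}/32 -> {FW_PUBLIC}/32"  # Nelis's rule
```

Running nat_source with a LAN host talking to the DMZ stand-in shows the original rule rewriting the source to the firewall's address and the fixed rule preserving it, while both rules still rewrite traffic bound for the Internet.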