Date: Tue, 3 Oct 2000 01:24:53 -0700
From: "Crist J . Clark" <cjclark@reflexnet.net>
To: Dan Yergeau <yergeau@gloworm.Stanford.EDU>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: NAT, firewall, public and private subnets
Message-ID: <20001003012453.S25121@149.211.6.64.reflexcom.com>
In-Reply-To: <200010022325.QAA18676@gloworm.Stanford.EDU>; from yergeau@gloworm.Stanford.EDU on Mon, Oct 02, 2000 at 04:25:19PM -0700
References: <200010022325.QAA18676@gloworm.Stanford.EDU>
On Mon, Oct 02, 2000 at 04:25:19PM -0700, Dan Yergeau wrote:
>
> I've got a 5 static-IP DSL connection, and I'm wanting to set up a
> freebsd-4.1 box with 2 NICs to be the firewall for the public
> addresses and a NAT box/firewall for both a private net.  For
> simplicity in discussion, let's call the public address space
> P.U.B.* (with netmask 255.255.255.248), the private IP address space
> p.v.t.* (with netmask 255.255.255.0; in this case, p=192 and v=168),
> and the two network interfaces pvt0 and pub1.
>
> The 5 public IP's are P.U.B.19[45678]
>
> I've tried
>
> 1) DSL <==> pub1/freebsd/pvt0 <==> switch <==> both public and private
>    pub1 is P.U.B.194
>    pvt0 is p.v.t.99 (used as the gateway for the public and private
>    machines)
>    natd -n pub1
>
>    private address machines worked fine
>    public address machines couldn't find the gateway

Well, how did you set up your subnetting for this? I assume you did
not since it renders most of your registered IPs useless and since
you did not get it to work.

> I suppose I could add a third NIC and a switch to separate the
> firewalled public and private nets, but it isn't clear how to
> configure the freebsd box to NAT one interface, but not the
> other.

This will not help the routing issue.

> I also tried to add a public IP alias on pvt0 (i.e. P.U.B.195
> and to use that as the gateway for the public IP machines, but
> wasn't successful in getting the internal public IP machines
> routed to the internet).

Not sure what that means.

I really, really hate to bring this up, but if you are set on
firewalling your public IPs (but your redirect idea below is much
better), you probably will have to resort to bridging. Unfortunately,
running ipfw on a bridge is a kludge. And I can just picture you doing
NAT while running an ipfw'ed bridge... I think hearing that someone is
actually doing that could physically kill me. Seriously.

> 2) DSL <==> pub1/freebsd/pvt0 <==> switch <==> all machines with private IP
>    pub1 is P.U.B.194 with aliases of P.U.B.19[5678]
>    pvt0 is p.v.t.99 (used as the gateway for the public and private
>    machines)
>    natd -n pub1 -f /etc/natd.conf
>
>    /etc/natd.conf had redirect_address entries for the 4 remaining
>    public IP's, mapping each of p.v.t.19[5678] to the equivalent
>    P.U.B.19[5678]

This sounds like the best way to go.

> The only glitch here appeared to be that the freebsd box and
> private IP machines couldn't get through to the public IP of the
> 4 remaining public IP's. I suppose that I could do an internal
> DNS server to remap hostnames to the private IP addresses, but
> that seems like a hack. I also didn't test tapping into
> AFS/kerberos, which doesn't get along well with translated IP
> addresses.

Oh, boy. This comes up _again?!_ Second reply on this tonight.

Internal packets bound for the machine itself are accepted by the
machine before they get processed by the external interface.
Therefore they never get run through NAT. However, I think this
should only be a problem for the NAT machine's "true" public IP.
IIRC, you do _not_ need to alias the external interface of the NAT
machine to the other addresses, P.U.B.19[5678]. Redirects from
internal machines should work fine if the interface is not aliased.
The machine will try to route the packets to the outside, so they are
processed on the external interface and redirected (and incoming
traffic from the outside should still work without the aliases).

> 3) A "no firewall" config
>    DSL <==> switch <==> {pvt0,pub1}/freebsd & other public/private machines
>
>    I'd really need to get another switch for this to work correctly
>    (lots of "arp: P.U.B.19[45678] is on pub1, but got reply from
>    <hardware-addr> on pvt0"; and private net DHCP is flakey). So,
>    it would really optimally/correctly be
>
>                        <==> other public IP machines
>                       /
>    DSL <==> switch <==> pub1/freebsd/pvt0 <==> switch#2 <==> private IP machines
>
>    Unfortunately, this setup doesn't stick a firewall between the
>    other public machines and the internet.

This is a fundamentally broken configuration. Work on one of the
others.
--
Crist J. Clark                                cjclark@alum.mit.edu
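Setup 2 from the thread, written out as the FreeBSD 4.x configuration it implies. This is an added illustration, not the poster's actual files or anything from the FreeBSD project. It assumes the private net is 192.168.1.0/24 (the thread only gives p=192, v=168), keeps the thread's P.U.B.* placeholders for the public block, and assumes the redirected hosts only serve ssh and http; the ipfw rules are a minimal stateless set, not a complete policy.

```conf
# /etc/rc.conf  (interface names as in the thread: pub1 = DSL side, pvt0 = LAN side)
gateway_enable="YES"              # forward IP between pvt0 and pub1
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="pub1"             # same effect as "natd -n pub1"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
# One static mapping per remaining public address, as in setup 2.
# P.U.B.* are the thread's placeholders; 192.168.1.0/24 is an assumed private net.
redirect_address 192.168.1.195 P.U.B.195
redirect_address 192.168.1.196 P.U.B.196
redirect_address 192.168.1.197 P.U.B.197
redirect_address 192.168.1.198 P.U.B.198
unregistered_only yes             # only translate RFC 1918 sources, never public ones
dynamic yes                       # follow pub1 if its address changes

# /etc/ipfw.rules  (firewall_script; sh syntax, ipfw as shipped with FreeBSD 4.x)
#!/bin/sh
fwcmd="/sbin/ipfw -q"
$fwcmd -f flush
$fwcmd add 100 allow ip from any to any via lo0
# Anti-spoofing: private sources must never arrive from the DSL side.
$fwcmd add 110 deny log ip from 192.168.0.0/16 to any in via pub1
# Hand every packet crossing pub1 to natd *before* filtering, so inbound traffic
# is already rewritten to the private address when the rules below see it.
$fwcmd add 200 divert natd ip from any to any via pub1
# LAN side is trusted; anything leaving toward the DSL is allowed (already translated).
$fwcmd add 300 allow ip from any to any via pvt0
$fwcmd add 350 allow ip from any to any out via pub1
# Replies to connections opened from the inside.
$fwcmd add 400 allow tcp from any to any established
# Only the services the redirected hosts actually offer (assumed: ssh and http).
$fwcmd add 500 allow tcp from any to 192.168.1.0/24 22,80 setup in via pub1
# DNS answers for the gateway's own resolver.
$fwcmd add 600 allow udp from any 53 to any in via pub1
$fwcmd add 65000 deny log ip from any to any
```

The "glitch" Dan reports (inside hosts reaching P.U.B.19[5678]) is not changed by these files; Crist's point above about not aliasing pub1 is the relevant knob.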