Date: Sun, 14 Oct 2007 23:28:38 +0200
From: Christer Hermansson <mail@chdevelopment.se>
To: jhall@vandaliamo.net
Cc: freebsd-net@freebsd.org
Subject: Re: NAT Questions
Message-ID: <47128A06.40901@chdevelopment.se>
In-Reply-To: <1598.65.117.48.155.1192215288.squirrel@admintool.trueband.net>
References: <1598.65.117.48.155.1192215288.squirrel@admintool.trueband.net>
jhall@vandaliamo.net wrote:
> Following is my configuration.
>
> External Interface------->Internal Interface--------> Rest of network
> 1.2.3.4/24                10.129.10.40/24
> 1.2.3.5/32 Alias
>
> 1.2.3.5/24 is the IP address all http traffic will come in on. 1.2.3.4/32
> is the IP address all other traffic will come in on. Both of these
> addresses reside on a single NIC with 1.2.3.5 being an alias.
>
> ipnat.rules
> rdr 1.2.3.5/32 port 80 -> 10.129.10.49 port 80
> map em1 10.129.10.0/24 -> 0.0.0.0/32
>
> 10.129.10.49 has 10.129.10.40 (my firewall) listed as its default gateway.
> When it responds to a request that has been forwarded, how will the
> firewall return the response? Will it return the request on 1.2.3.5?

I think you should specify the interface and protocol as well, e.g.

rdr xl0 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp

The response will have 1.2.3.5 as source address; the NAT software remembers that the translation/mapping was done on 1.2.3.5.

I guess you have already added gateway_enable="YES" to the file /etc/rc.conf.

However, it's very bad to let people in to your protected network: if they can fool your webserver they have control over an internal machine. If 10.129.10.0/24 is a DMZ, used only for web/mail etc., this is of course okay to do.

-- 
Christer Hermansson
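The following /etc/ipnat.rules file is an added illustration of the two rule forms discussed in this thread; it is not part of either message. It assumes em1 is the external interface that carries 1.2.3.4 and the 1.2.3.5 alias (the thread's map rule names em1, but the interface behind the rdr rule is not stated), and that 10.129.10.49 is the web server being reached through the firewall.

```conf
# /etc/ipnat.rules  (added illustration, not from the thread)
#
# Assumptions: em1 is the external interface carrying 1.2.3.4 and the
# 1.2.3.5 alias; 10.129.10.49 is the web server behind the firewall.

# Unqualified redirect as posted in the question: no interface and no
# protocol, so it matches traffic to 1.2.3.5 port 80 arriving on any
# interface and over any protocol (TCP and UDP alike).
# rdr 1.2.3.5/32 port 80 -> 10.129.10.49 port 80

# Tightened form as suggested in the reply: bound to the external
# interface and to TCP only. Replies from 10.129.10.49 are matched
# against the rdr state entry and leave with 1.2.3.5 as source address.
rdr em1 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp

# Outbound NAT for the internal network. "0/32" means "use the address
# of the interface the packet leaves on" (equivalent to the 0.0.0.0/32
# written in the question). "portmap tcp/udp auto" lets ipnat rewrite
# source ports so that several internal hosts can share one external
# address without port collisions; the plain map line after it handles
# the remaining protocols (ICMP, for instance).
map em1 10.129.10.0/24 -> 0/32 portmap tcp/udp auto
map em1 10.129.10.0/24 -> 0/32
```

Alongside gateway_enable="YES", /etc/rc.conf needs ipfilter_enable="YES" and ipnat_enable="YES" for these rules to be loaded at boot (ipnat_rules defaults to /etc/ipnat.rules); on a running system they can be reloaded with `ipnat -CF -f /etc/ipnat.rules`. As the reply points out, the redirect only limits which packets reach 10.129.10.49, not what a compromised web server can then reach, so the host should sit on a segment that the packet filter keeps separate from the rest of 10.129.10.0/24.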