From: "Carl Forsythe" <cforsythe@avantgo.com>
To: freebsd-ipfw@freebsd.org
Date: Wed, 7 Aug 2002 15:08:25 -0700
Subject: ipfw+nat rules question
Sender: owner-freebsd-ipfw@FreeBSD.ORG

Hi folks,

Some questions about rule processing with ipfw and natd; if this is better suited for -questions, let me know and I'll send it off there.

Ok, the situation/network layout is thus:

Box A provides NAT/ipfw services to Box B, which is on a private network; Box A is dual homed to Net A and Net B. Box B has certain services on it that need to be accessible to a block of addresses only, or in some cases only to a certain other server. Box B also has a requirement that it needs to make outbound requests to an external service provider. Box A acts as the default gateway for Box B. Net A is firewalled from the internet by another firewall entirely.

I set up an aliased IP on Box A to represent Box B to the machines that need to talk to it. Was this necessary for external servers to talk to Box B, or would normal port redirection be sufficient in this case? I do, however, want Box B to be pingable for our monitoring system, which resides out on Net A.

So the questions I have at this point:

1) Using the redirect_port function of natd, can I specify a network with mask instead of a host for the third argument? i.e.

   redirect_port tcp Box_B:80 Box_A_Alias:80 Net_A/24

Failing the above, where in the ipfw ruleset would I place any rules for traffic destined to Box B, before the natd divert or after it? If after the divert, what IP address do I use: the external Box A alias, or the translated Box B address? What does the source address look like after the divert? Has it been translated to Box A's Net B address at that point?

   /sbin/ipfw add pass tcp from Net A/24 to ??? 80 setup

So to sum it up, Box B has a limited number of services that only need to be available to servers that are on Net A. Box A provides NAT/ipfw services to Box B. Box B needs to be able to talk to an external web server(s), Box B needs to be able to resolve DNS, and Box B needs to talk to our NTP server.

What I'm not grasping is what address to use in the ipfw rules to identify Box B and where in the rules to place those checks: before the natd divert using the external alias address, or after the divert using ?

Thanks in advance for any help,

Carl Forsythe
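The rule placement the question above is asking about, as an added example: this ruleset is not from the original post or from the FreeBSD project, and the interface names (fxp0, fxp1) and every address in it are assumed placeholders drawn from documentation and RFC 1918 ranges. What it relies on is how the divert works: natd rewrites the packet and re-injects it into ipfw at the rule following the divert rule. So inbound rules placed after the divert see Box B's private address as the destination and the original Net A host as the source, while outbound rules placed before the divert see Box B's private address as the source. A packet arriving from Net A that is already addressed to or from the private range is indistinguishable from a translated one once it is past the divert, which is why the example drops the private range on the Net A interface before the divert. The example assumes natd is started with a static redirect_address mapping rather than redirect_port, so that ICMP to the alias is translated as well (redirect_port covers only tcp and udp); it does not depend on whether redirect_port's third argument accepts a network, because the restriction to Net A is done in ipfw after the divert.

```shell
#!/bin/sh
# Added example, not the original poster's configuration: an rc.firewall-style
# ipfw ruleset for Box A, showing where rules about Box B sit relative to the
# natd divert rule. Interface names and addresses are assumed placeholders.

ext_if="fxp0"              # Box A's interface on Net A (assumed)
int_if="fxp1"              # Box A's interface on Net B (assumed)
net_a="192.0.2.0/24"       # Net A (assumed)
net_b="10.0.0.0/24"        # Net B, the private side (assumed)
box_a_alias="192.0.2.10"   # alias on Box A that stands for Box B (assumed)
box_b="10.0.0.2"           # Box B's real address on Net B (assumed)
monitor="192.0.2.20"       # monitoring host on Net A (assumed)
dns="192.0.2.53"           # DNS server Box B may query (assumed)
ntp="192.0.2.123"          # NTP server Box B may talk to (assumed)

fwcmd="${fwcmd:-/sbin/ipfw}"

# natd invocation this ruleset assumes: a static 1:1 mapping of the alias to
# Box B, so ICMP is translated too (redirect_port handles only tcp and udp).
# natd does no access control here; the ipfw rules after the divert do.
natd_cmdline() {
    echo "natd -n ${ext_if} -redirect_address ${box_b} ${box_a_alias}"
}

boxa_rules() {
    ${fwcmd} -f flush
    ${fwcmd} add 10 pass ip from any to any via lo0
    # Policy is enforced on the Net A hop; the Net B hop of a forwarded
    # packet is passed (assumption: Net B is trusted).
    ${fwcmd} add 20 pass ip from any to any via ${int_if}

    # Before the divert, inbound: addresses are still what the sender used.
    # Anything already carrying the private range did not come through natd;
    # drop it here, because after the divert a translated packet and a
    # spoofed one look the same.
    ${fwcmd} add 100 deny ip from ${net_b} to any in via ${ext_if}
    ${fwcmd} add 110 deny ip from any to ${net_b} in via ${ext_if}

    # Before the divert, outbound: the source is still Box B's private
    # address, so Box B's outbound policy is written against that address.
    ${fwcmd} add 200 pass tcp from ${box_b} to any out via ${ext_if} established
    ${fwcmd} add 210 pass tcp from ${box_b} to any 80,443 out via ${ext_if} setup
    ${fwcmd} add 220 pass udp from ${box_b} to ${dns} 53 out via ${ext_if}
    ${fwcmd} add 230 pass udp from ${box_b} to ${ntp} 123 out via ${ext_if}
    ${fwcmd} add 240 pass icmp from ${box_b} to any out via ${ext_if} icmptypes 0
    ${fwcmd} add 250 deny ip from ${net_b} to any out via ${ext_if}

    # The divert: natd rewrites the packet and re-injects it at the next rule.
    ${fwcmd} add 300 divert natd ip from any to any via ${ext_if}

    # After the divert, inbound: the destination is now Box B's private
    # address and the source is untouched (still the Net A host).
    # This is where access to Box B is restricted.
    ${fwcmd} add 400 pass tcp from ${net_a} to ${box_b} 80 in via ${ext_if} setup
    ${fwcmd} add 410 pass tcp from any to ${box_b} in via ${ext_if} established
    ${fwcmd} add 420 pass udp from ${dns} 53 to ${box_b} in via ${ext_if}
    ${fwcmd} add 430 pass udp from ${ntp} 123 to ${box_b} in via ${ext_if}
    ${fwcmd} add 440 pass icmp from ${monitor} to ${box_b} in via ${ext_if} icmptypes 8
    ${fwcmd} add 450 deny ip from any to ${box_b} in via ${ext_if}
    # Box A's own traffic on ${ext_if} needs its own rules; everything else
    # falls through to the default deny (rule 65535).
}

# "sh boxa-rules.sh apply" loads the rules; with no argument the ipfw
# commands are only printed so the ordering can be reviewed first.
case "${1:-print}" in
    apply) boxa_rules ;;
    *)     fwcmd=echo; boxa_rules ;;
esac
```

Run it without an argument to print the ipfw commands and check that the rules naming Box B's private address as destination sit after rule 300 and the rules naming it as source sit before it. Because the function flushes before it adds, load it on a remote Box A as one script rather than line by line over the session you are logged in on.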