Date:      Tue, 19 Sep 2000 21:36:27 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Konan Houphoue <bahobab@hotmail.com>
Cc:        ari@suutari.iki.fi, marcs@draenor.org, archie@whistle.com, freebsd-net@freebsd.org
Subject:   Re: Port 80 redirect: Good news!!
Message-ID:  <20000919213627.N367@149.211.6.64.reflexcom.com>
In-Reply-To: <F43ui3hHnLOh1GSuHjW0000e994@hotmail.com>; from bahobab@hotmail.com on Tue, Sep 19, 2000 at 01:35:56PM -0500
References:  <F43ui3hHnLOh1GSuHjW0000e994@hotmail.com>

On Tue, Sep 19, 2000 at 01:35:56PM -0500, Konan Houphoue wrote:
> Crist,
> 
> This is my "creation" out of desperation. These rules are not being used.
> 
> -----------
> #My rules
> #${fwcmd} add pass tcp from ${oip} to ${inet}:${imask} 80 in via ${iip} setup
> #${fwcmd} add pass tcp from ${oif} to any in via ${iif} setup
> -----------
> 
> What do you think about the points made by Ben?

I am not on -net either and did not get CC'ed. But I looked up the
thread. It looks like he recommended you add the same rule I
did. However, his next remarks are in error.

Given the same conventions for the outer interface and IP, and the
inner interface and IP, this is what NAT does,

incoming request:

  192.0.2.132:2014 -> ${oip}:80 == NAT ==> 192.0.2.132:2014 -> 192.168.1.40:80

outgoing reply:

  192.168.1.40:80 -> 192.0.2.132:2014 == NAT ==> ${oip}:80 -> 192.0.2.132:2014

That is, the external address that is the source of the query is not
translated. Only your end of the transaction is translated.

> It should be a standard and (somehow) easy rule to do what I'm planning to 
> do. I don't think I am the first person to do this, am I?

*grin*
It _is_ easy, adding that one rule _should_ fix things. People ask
questions like this all of the time. The problem is that it is not
possible to write a set of generic rules that are (a) as secure
(i.e. as strict) as possible yet (b) allow through any traffic anyone
might want to be passing for their setup.

The logical course is to make the rules as reasonably strict as they
can be and then have each individual poke the extra holes they need.
In your case, not only are you poking a hole for port 80, but you are
doing NAT, _and_ a redirect. That makes it a little more fun, but not
too tough. 

> How do I join the FreeBSD-net discussion thread?

I believe it is like joining any other list. However, you might
actually be best served by,

  freebsd-ipfw@freebsd.org

-- 
Crist J. Clark                           cjclark@alum.mit.edu


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
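The request/reply translation laid out in the message (incoming to ${oip}:80 rewritten to 192.168.1.40:80, the reply rewritten back, the remote 192.0.2.132:2014 untouched in both directions) as a small runnable model. This is an added example for this archive page, not code from the thread, from natd or from ipfw. It assumes ${oip} is 203.0.113.10, reduces an ipfw rule to a destination/port match plus the `setup` (SYN-only) condition, ignores interfaces and direction, and assumes the filter rule in question is evaluated after the packet has been translated, so it has to name the inside address rather than ${oip}.

```python
"""Model of the static port redirect described in the message above.

Constructed illustration only: the addresses stand in for the thread's
variables (${oip} assumed to be 203.0.113.10; the inside web server is
192.168.1.40 as in the text) and the ipfw rule model is deliberately minimal.
"""
from dataclasses import dataclass

OIP = "203.0.113.10"            # assumed value of ${oip}
INSIDE_WEB = ("192.168.1.40", 80)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True            # True models what ipfw's "setup" keyword matches


class PortRedirect:
    """Static redirect: public_ip:public_port <-> inside_ip:inside_port.

    Only the local end of the conversation is rewritten.  The remote host's
    address and port pass through untouched in both directions, which is the
    point the message makes with its two arrows.
    """

    def __init__(self, public_ip, public_port, inside_ip, inside_port):
        self.public = (public_ip, public_port)
        self.inside = (inside_ip, inside_port)
        self.sessions = set()   # remote (ip, port) pairs seen on the way in

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving from the outside, before it reaches the inside host."""
        if (pkt.dst, pkt.dport) != self.public:
            return pkt          # not aimed at the redirected service: untouched
        self.sessions.add((pkt.src, pkt.sport))
        return Packet(pkt.src, pkt.sport, self.inside[0], self.inside[1], pkt.syn)

    def outbound(self, pkt: Packet) -> Packet:
        """Reply leaving the inside host toward the outside."""
        if (pkt.src, pkt.sport) != self.inside:
            return pkt
        return Packet(self.public[0], self.public[1], pkt.dst, pkt.dport, pkt.syn)


def matches_rule(pkt: Packet, dst_ip: str, dst_port: int, setup: bool) -> bool:
    """Minimal stand-in for 'pass tcp from any to <dst_ip> <dst_port> [setup]'.

    Interfaces and direction are left out; 'setup' is modelled as SYN-only.
    """
    if setup and not pkt.syn:
        return False
    return pkt.dst == dst_ip and pkt.dport == dst_port


def trace_request(remote_ip="192.0.2.132", remote_port=2014):
    """Run the message's request/reply pair through the redirect.

    Returns (translated request, translated reply) so the caller can check
    that only the ${oip}/192.168.1.40 end changed.
    """
    nat = PortRedirect(OIP, 80, *INSIDE_WEB)
    request = Packet(remote_ip, remote_port, OIP, 80)           # SYN to ${oip}:80
    translated = nat.inbound(request)
    # The server answers whatever source the translated packet carried.
    reply = Packet(INSIDE_WEB[0], INSIDE_WEB[1],
                   translated.src, translated.sport, syn=False)
    reply_out = nat.outbound(reply)
    return translated, reply_out


if __name__ == "__main__":
    req, rep = trace_request()
    print(f"incoming request after NAT: {req.src}:{req.sport} -> {req.dst}:{req.dport}")
    print(f"outgoing reply after NAT:   {rep.src}:{rep.sport} -> {rep.dst}:{rep.dport}")
    print("rule 'to 192.168.1.40 80 setup' matches translated request:",
          matches_rule(req, INSIDE_WEB[0], 80, setup=True))
    print("rule 'to ${oip} 80 setup' matches translated request:",
          matches_rule(req, OIP, 80, setup=True))
```

The last two lines of the demo are the practical check: once the request has been rewritten, a rule that names ${oip} as the destination no longer matches it, so the hole for the redirected service has to be opened toward the inside address and port.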