Date:      Tue, 10 Apr 2001 12:03:31 -0400
From:      "Elliott Perrin" <eperrin@bigorbit.com>
To:        "Roger Svenning" <ros@switch.no>, "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
Subject:   Re: routed, natd & ipfirewall [config help needed]
Message-ID:  <01de01c0c1d7$cd3584e0$8701a8c0@bottleneck2000>
References:  <E13BBFD5DA06D411ADC600508BC25BF714426C@switch01.switch.no>

I will dig up the rc.firewall replacement I was using and fire it off to you; it was
designed for use with a DMZ.

----- Original Message -----
From: "Roger Svenning" <ros@switch.no>
To: "'Elliott Perrin'" <eperrin@bigorbit.com>; "'freebsd-questions@freebsd.org'"
<freebsd-questions@FreeBSD.ORG>
Sent: Tuesday, April 10, 2001 10:58 AM
Subject: SV: routed, natd & ipfirewall [config help needed]


> Ok, running natd with -u solved the problem. THNX :)
>
> Some advice on how to set up ipfw with the DMZ would be appreciated :-)
>
> -Roger
>
> > -----Original message-----
> > From: Roger Svenning
> > Sent: 10 April 2001 16:50
> > To: 'Elliott Perrin'; 'freebsd-questions@freebsd.org'
> > Subject: SV: routed, natd & ipfirewall [config help needed]
> >
> >
> > Hi
> >
> > I know that 217.8.130.32/27 is routed properly because it worked when I used
> > it behind natd with redirect_address.
> > And the fact that I get "From c12969.catch.sdsl.no (217.8.129.69):
> > Destination Host Unreachable" when trying to reach a live DMZ address tells
> > us that the ISP is forwarding the request to our router.
> >
> > I'm no expert in setting up ipfw and I would need some advice on how to
> > restrict access to the local network through the DMZ zone; otherwise an
> > intruder who gains access to one of the DMZ machines would easily go from
> > there to our local network.
> >
> > Running routed, natd and ipfw is a bit confusing as I do not know in which
> > order the different daemons are handling the packets.
> >
> > Just for testing purposes I have "allow ip from any to any" in ipfw, which
> > should enable packets to go from xl2 to xl1?
> >
> > -Roger
> >
> > > -----Original message-----
> > > From: Elliott Perrin [mailto:eperrin@bigorbit.com]
> > > Sent: 10 April 2001 16:55
> > > To: Roger Svenning; 'freebsd-questions@freebsd.org'
> > > Subject: Re: routed, natd & ipfirewall [config help needed]
> > >
> > >
> > > You have to make sure that your ISP is routing your subnet to your host
> > > (possible problem, first place to look).
> > >
> > > If the ISP is not routing the 217.8.130.32/27 subnet that you are assigned
> > > to your 217.8.129.69 interface sitting on their network, then the problem is
> > > there. (I actually had this problem with our last ISP; they kept removing
> > > the routes from a router and had a junior admin that didn't understand why
> > > they had to be there.)
> > >
> > > If they are doing that already, then you probably have a problem with the
> > > rules in IPFW and NATD.
> > >
> > > Make sure that you run NATD with the -u option, which will translate
> > > addresses only for unregistered (RFC1918) addresses, and that NATD is
> > > running on the external interface (in your layout the 217.8.129.69
> > > interface).
> > >
> > > Check through your IPFW rules to make sure you are allowing your DMZ out to
> > > the world,
> > >
> > > eg.
> > >
> > > allow all from {DMZ} to any
> > >
> > > (don't use that rule!!!!!, it is just an example)
> > >
> > > Aside from that I have a modified rc.firewall that I used when I was still
> > > running IPFW on a three-interface machine with LAN, DMZ and link to our
> > > ISP. Let me know if you want it.
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Roger Svenning" <ros@switch.no>
> > > To: "'freebsd-questions@freebsd.org'" <freebsd-questions@FreeBSD.ORG>
> > > Sent: Tuesday, April 10, 2001 10:15 AM
> > > Subject: routed, natd & ipfirewall [config help needed]
> > >
> > >
> > > > Hi
> > > >
> > > > I've been running a box with natd & ipfw for connecting our local network
> > > > to the internet and it works just fine.
> > > >
> > > > Now I want to set up a DMZ zone for servers that should be connected
> > > > directly to the net without NAT.
> > > > I've added a third network card and enabled routed, but .. taadaa .. it
> > > > doesn't work quite as expected :-)
> > > >
> > > > The DMZ zone can be reached from the gateway itself and the internal
> > > > network, but not from the internet.
> > > > The routing from xl2 to xl0 through natd works just fine.
> > > >
> > > > Can anyone give me some advice on how to set this configuration up?
> > > >
> > > > Here's the network layout:
> > > >
> > > > 217.8.129.70 (ISP gateway)
> > > > |
> > > > -> 217.8.129.69 (xl2 interface)(255.255.255.252)
> > > > |
> > > > -> 217.8.130.62 (xl1 interface)(255.255.255.224) -> DMZ zone
> > > > |
> > > > -> 10.0.1.1 (xl0 interface)(255.255.255.0) -> Local network
> > > >
> > > > Roger O. Svenning
> > > >
> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > > with "unsubscribe freebsd-questions" in the body of the message
> > > >
> > >
> >
> >
>



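An ipfw ruleset for the three-interface layout Roger describes, added here as a constructed example; it is not Elliott's rc.firewall replacement. Interface names and prefixes come from Roger's layout; the DMZ service ports (80 and 443) are an assumption. It puts the natd divert on the external interface only, as Elliott advises, and answers Roger's DMZ-to-LAN concern by refusing new connections from the DMZ into the LAN before the general "established" rule can match.

```shell
#!/bin/sh
# Constructed ipfw ruleset for the three-interface layout in the thread:
#   xl2  217.8.129.69/30   link to the ISP (natd -u runs here)
#   xl1  217.8.130.62/27   DMZ, public 217.8.130.32/27, not NATed
#   xl0  10.0.1.1/24       LAN, RFC1918, NATed on the way out
# FWCMD=ipfw loads the rules; the default only prints them (dry run).
fwcmd="${FWCMD:-echo ipfw}"

oif="xl2"; dif="xl1"; dnet="217.8.130.32/27"
iif="xl0"; inet="10.0.1.0/24"

dmz_rules() {
    $fwcmd -f flush
    # Loopback, and nothing else may carry 127/8
    $fwcmd add 100 allow ip from any to any via lo0
    $fwcmd add 200 deny ip from any to 127.0.0.0/8
    $fwcmd add 300 deny ip from 127.0.0.0/8 to any

    # Anti-spoofing: an interface only accepts its own prefix inbound,
    # so a DMZ host cannot forge a LAN source to pass the later rules
    $fwcmd add 400 deny ip from $inet to any in via $oif
    $fwcmd add 410 deny ip from $dnet to any in via $oif
    $fwcmd add 420 deny ip from not $dnet to any in via $dif
    $fwcmd add 430 deny ip from not $inet to any in via $iif

    # NAT only on the external link; with -u natd leaves the public
    # DMZ addresses untouched, as the thread recommends
    $fwcmd add 500 divert natd ip from any to any via $oif

    # The pivot Roger worries about: DMZ hosts may answer LAN-initiated
    # TCP but never open new connections or send anything else into the LAN
    $fwcmd add 600 deny tcp from $dnet to $inet setup
    $fwcmd add 610 allow tcp from $dnet to $inet established
    $fwcmd add 620 deny log ip from $dnet to $inet

    # LAN may reach the DMZ and the Internet
    $fwcmd add 700 allow ip from $inet to any

    # DMZ servers are public: assumed services in (ports are an assumption), anything out
    $fwcmd add 800 allow tcp from any to $dnet 80,443 setup
    $fwcmd add 810 allow ip from $dnet to any

    # Replies to connections opened from inside, then default deny
    $fwcmd add 900 allow tcp from any to any established
    $fwcmd add 65000 deny log ip from any to any
}

dmz_rules
```

Run it once without FWCMD to review the printed rules, then with FWCMD=ipfw as root to load them; rule 620 logs any DMZ-to-LAN attempt, which is the event worth watching on a host like this.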


