Date: Thu, 29 Sep 2011 20:09:11 +0200
From: Marek Salwerowicz <marek_sal@wp.pl>
To: Freddie Cash <fjwcash@gmail.com>, freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
Message-ID: <4E84B447.7010509@wp.pl>
In-Reply-To: <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7+GgpFC-HkUg@mail.gmail.com>
References: <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com> <4E7B450F.5050802@wp.pl> <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7+GgpFC-HkUg@mail.gmail.com>
On 2011-09-26 21:20, Freddie Cash wrote:
>
> Your rules are too generic, they will not work for a double-NAT setup.
> Each and every single rule must specify the network interface. And it must
> specify whether it's incoming (in recv) or outgoing (out xmit) traffic.
> Don't use "via" anywhere.
>
> While it's easier to use generic rules to start with, you really need to get
> very specific, at least for the double-NAT setup.
>
> See my example above.
>

I looked at it but I have problems understanding the rules.

So far I understand the double-NAT like this:

1. There are two NAT instances, one for the LAN, the other for the DMZ host
   (with public address redirection to the DMZ private IP). The first is
   $lanport, the other $dmzport. The LAN interface is $LANIF, the DMZ
   interface is $DMZIF.

2. When a client from the LAN wants to connect to the DMZ host, using the DMZ
   public IP *only*, the packet goes like this:

   i. the packet is allowed to enter the router by the DMZ NAT port ($dmzport)
      and $LANIF:

      ipfw add divert $dmzport ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF
      ipfw add allow ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF

      <--- why in your example are you using PRIVATE_IP instead of PUBLIC?

   ii. the packet is redirected to go out to the DMZ, using the DMZ NAT port:

      ipfw add divert $dmzport ip from $LAN to $DMZ_PRIVATE_IP out xmit $DMZIF
      ipfw add allow ip from $ROUTER_PUBLIC_IP to $DMZ_PRIVATE_IP out xmit $DMZIF

3. When the DMZ host wants to connect with a LAN client:

   i. the packet goes to the router by the DMZ NAT port and $DMZIF:

      ipfw add divert $dmzport ip from $DMZ_PRIVATE_IP to $ROUTER_PUBLIC_IP in recv $DMZIF
      ipfw add allow ip from $DMZ_PRIVATE_IP to $LAN in recv $DMZIF

   ii. the packet is redirected to the LAN (using _which_ NAT port? For LAN or DMZ?)

      ipfw add divert $lanport (I am *not* sure here) from $DMZ_PRIVATE_IP to $LAN out xmit $LANIF
      ipfw add allow ip from $DMZ_PUBLIC_IP to $LAN out xmit $LANIF

4. Is it OK? What's the port in step 3.ii?
If I also want to set up NAT rules for my LAN (to allow it to access the
Internet and the router), and also for my DMZ hosts (also for the Internet),
what should be the order of rules? First 'LAN-DMZ', then 'DMZ', then 'LAN'?

Regards,

-- 
Marek Salwerowicz
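Added example, not from this thread or from either poster: a small POSIX sh linter for the structural requirement Freddie Cash quotes above (every rule names its interface with "in recv" or "out xmit", and "via" appears nowhere), run over a constructed ruleset in the shape of steps 2.i and 2.ii. The addresses, interface names and the natd divert port are assumed placeholders; the check judges rule structure only, not the NAT semantics the thread has not settled.

```shell
#!/bin/sh
# Lint ipfw rules for the two structural requirements quoted above: every
# rule must carry "in recv IF" or "out xmit IF", and "via" must not appear.

check_ipfw_rules() {
    # Reads rules on stdin, prints one diagnostic per offending rule and
    # returns the number of offending rules (0 means the ruleset is clean).
    bad=0
    while IFS= read -r rule; do
        case "$rule" in
            ''|'#'*) continue ;;                      # blank line or comment
            *' via '*) printf 'via used: %s\n' "$rule"; bad=$((bad + 1)) ;;
            *' in recv '*|*' out xmit '*) ;;          # interface + direction
            *) printf 'no interface/direction: %s\n' "$rule"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample in the shape of steps 2.i and 2.ii from the message
# (assumed values): 192.168.1.0/24 is the LAN, 203.0.113.10 the DMZ public
# address, 10.0.0.10 the DMZ host, 203.0.113.1 the router, em1/em2 the
# LAN/DMZ interfaces, and natd port 8669 stands in for $dmzport. The last
# two rules are deliberately generic so the linter has something to report.
sample_rules() {
    cat <<'EOF'
# step 2.i: LAN client -> DMZ public address, entering on the LAN interface
ipfw add divert 8669 ip from 192.168.1.0/24 to 203.0.113.10 in recv em1
ipfw add allow ip from 192.168.1.0/24 to 203.0.113.10 in recv em1
# step 2.ii: leaving towards the DMZ host on the DMZ interface
ipfw add divert 8669 ip from 192.168.1.0/24 to 10.0.0.10 out xmit em2
ipfw add allow ip from 203.0.113.1 to 10.0.0.10 out xmit em2
# generic rules of the kind the advice above rules out
ipfw add allow ip from any to any via em1
ipfw add allow ip from 10.0.0.0/24 to 192.168.1.0/24
EOF
}

# Number of diagnostics the linter produces for the sample (expected: 2).
count_sample_problems() {
    sample_rules | check_ipfw_rules | wc -l | tr -d ' '
}
```

Run `sample_rules | check_ipfw_rules` to see the two diagnostics; pipe your own /etc/ipfw.rules-style file into `check_ipfw_rules` to lint a real ruleset before loading it.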