Date: Fri, 30 Sep 2011 16:57:15 +0200
From: Marek Salwerowicz <marek_sal@wp.pl>
To: Freddie Cash <fjwcash@gmail.com>, freebsd-net@freebsd.org
Subject: Re: ipfw - accessing DMZ from LAN
Message-ID: <4E85D8CB.6010104@wp.pl>
In-Reply-To: <4E84DE26.6030103@misal.pl>
References: <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com> <4E7B450F.5050802@wp.pl> <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7%2BGgpFC-HkUg@mail.gmail.com> <4E84B447.7010509@wp.pl> <CAOjFWZ4XOU2dT3%2BL6AJeUNO7QcC=0ymLXN3GMkzCuoB3a1Qyew@mail.gmail.com> <4E84DE26.6030103@misal.pl>
On 2011-09-29 23:07, Marek Salwerowicz wrote:
> So e.g. the rules specifying traffic between DMZ Host and LAN could be
> the first, and then rules for "generic" DMZ host traffic (allowing DMZ
> access to the Internet)?
> So far I made it like this (first DMZ-LAN, then DMZ), but I have some
> problem:
>
> ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>
> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>
> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>
> ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>
> The DMZ host has access to the Internet (and is visible as the public IP
> dedicated for that host, so it's what I wanted), but when I connect
> from the Internet to the DMZ host (e.g. ssh), I see that the connection
> comes from itself (DMZ host public IP), instead of the real public IP
> address.
> I think that I've overNATed something.

I've answered myself:

<removed rule 200>
ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF

ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF

ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF

<removed rule 230>
ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF

So I just removed the rules responsible for NAT at $DMZIF and left only NAT at $PUBLICIF.

But now there is the next problem - when I try to ping/ssh from the router to $DMZPUBLICIP, I connect to myself, instead of the DMZ host..
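A toy Python model of the two rulesets above, added here as an illustration (it is not code from the thread or from FreeBSD), showing why the first version made inbound connections appear to come from the DMZ host's own public address: rule 230 hands the already-translated packet to natd a second time on its way out of $DMZIF, and natd aliases the source of every outgoing packet it sees. Addresses and interface names are constructed examples.

```python
# Toy model of the posted ipfw divert rules. natd is modelled the way
# natd -a <alias> with a static redirect behaves: outgoing packets get the
# alias as source, inbound packets for the alias get the DMZ host as dest.
DMZHOST1 = "192.168.10.10"      # DMZ host, private address (constructed)
DMZHOST1PUB = "203.0.113.10"    # public address dedicated to it (constructed)
DMZIF, PUBLICIF = "em1", "em0"  # assumed interface names
ANY = "any"

def natd(pkt, direction):
    src, dst = pkt
    if direction == "out":                        # alias every outgoing packet
        return (DMZHOST1PUB, dst)
    if direction == "in" and dst == DMZHOST1PUB:  # static redirect to DMZ host
        return (src, DMZHOST1)
    return pkt

# (rule number, action, from, to, direction, interface) as first posted
DOUBLE_NAT = [
    (200, "divert", DMZHOST1, ANY, "in", DMZIF),
    (205, "allow", DMZHOST1, ANY, "in", DMZIF),
    (210, "divert", DMZHOST1, ANY, "out", PUBLICIF),
    (215, "allow", DMZHOST1PUB, ANY, "out", PUBLICIF),
    (220, "divert", ANY, DMZHOST1PUB, "in", PUBLICIF),
    (225, "allow", ANY, DMZHOST1, "in", PUBLICIF),
    (230, "divert", ANY, DMZHOST1, "out", DMZIF),
    (235, "allow", ANY, DMZHOST1, "out", DMZIF),
]
# The poster's fix: drop 200 and 230 so NAT happens only on $PUBLICIF
SINGLE_NAT = [r for r in DOUBLE_NAT if r[0] not in (200, 230)]

def run_hop(rules, pkt, direction, iface):
    """One pass through the firewall on one interface. A divert hands the
    packet to natd and continues at the next rule; allow ends the pass."""
    for _, action, src, dst, d, i in rules:
        if (d, i) != (direction, iface):
            continue
        if src not in (ANY, pkt[0]) or dst not in (ANY, pkt[1]):
            continue
        if action == "divert":
            pkt = natd(pkt, direction)
        elif action == "allow":
            return pkt
    raise RuntimeError("no matching rule for %r %s %s" % (pkt, direction, iface))

def inbound_to_dmz(rules, client):
    """Internet client -> DMZ host: in on $PUBLICIF, then out on $DMZIF.
    Returns the (src, dst) pair the DMZ host actually receives."""
    pkt = run_hop(rules, (client, DMZHOST1PUB), "in", PUBLICIF)
    return run_hop(rules, pkt, "out", DMZIF)
```

With DOUBLE_NAT the DMZ host receives the packet with source $DMZHOST1PUB, which is the symptom the poster described; with SINGLE_NAT the client's real address survives.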