Date:      Wed, 15 May 2002 10:19:14 -0400
From:      "Miroslav Pendev" <shadow@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com>
To:        "Neil Blakey-Milner" <nbm@mithrandr.moria.org>
Cc:        <freebsd-security@freebsd.org>
Subject:   Re: ipfw + nat + port_redirect - works, but not for the internal net
Message-ID:  <004701c1fc1b$7e4d3470$c801a8c0@vsivyoung>
References:  <030301c1fb56$ef9fefc0$c801a8c0@vsivyoung> <005501c1fb70$bb32ebb0$01000001@aragon> <042e01c1fb75$048699c0$c801a8c0@vsivyoung> <001101c1fb79$de1aafb0$01000001@aragon> <046401c1fb7d$4d0f32d0$c801a8c0@vsivyoung> <20020514194311.GA89260@mithrandr.moria.org>

> On Tue 2002-05-14 (15:26), Miroslav Pendev wrote:
> > Hi Aragon, thanks for the info
> > I will take a look at data(and sock)pipe.
> >
> > > Personally, what I'd do is simply connect directly to 192.168.1.100
> > > instead of trying to go via your freebsd gateway.
> >
> > Yes, the direct access to 192.168.1.100:80 is Ok!
> > But here is what I have:
> >
> > Web server in *Internet* is serving web pages with some forms and then
> > the data is sent to the internal (behind the firewall)
> > apache + php server.
> > Everything works just perfectly for the clients
> > (hosts from the internet) but it doesn't work for the people
> > in the internal network. I do not want to make a mirror
> > site only because I don't know (for now) how to get this
> > working.
> >
> > Thanks anyway!
>
> Basically, I think you just need to make sure you NAT the traffic
> arriving on the internal interface.
>
> For example, if you have:
>
> add 7000 divert natd ip from any to any via ${extif}
>
> You probably need:
>
> add 7000 divert natd ip from any to any via ${extif}
> add 7005 divert natd ip from any to any via ${intif}
>
> I could be entirely wrong, but this works for me in about 12
> installations.
>
> Just make sure you're using 'unregistered_only', or some things get a
> bit confusing - "double NAT" causing all traffic to end up being from
> the alias address, not the specific redirect_address.
>
Hi Guys!

That did it!!! It works. I don't know if this is the *right way* for that
problem but it works!

Thanks to all of you guys for the advice that I did (or didn't ;) try!

For the people looking for the answer to the same problem
in the mail archives - here is what I have in
rc.firewall (in my firewall type):

# this is the default entry for NAT to work
${fwcmd} add divert natd all from any to any via ${natd_interface}

# the new row for the internal hosts - thanks Neil
${fwcmd} add divert natd ip from any to any via ${iif}
-------------

I was able to redirect two ports: 21 -> 21 and 9090 -> 80.
The redirection works for both ftp and http. Vladimir, thanks for
your advice anyway!

There are some other ways to get *this* working but I do not have
the time to try them now! Maybe this weekend ;-) who knows...

If some IPFW - NAT guru is reading this: I would appreciate
his opinion! So far I do not know a better way...

Can we put the answer to this into the FreeBSD Handbook
- or at least into the FAQs?

Thanks, one more time, for your time guys!

Neil!, Vladimir, Carroll, Aragon, Michael (did I forget somebody ;)!

--Miro

"That's all folks!..." Have a nice IP Firewall-ing...
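The working setup from the thread, collected into one rc.firewall-style fragment as an added example (not Miro's or Neil's own script): natd gets the two redirects (21 -> 21, 9090 -> 80) and unregistered_only, and ipfw diverts to natd on both the external and the internal interface. The interface names xl0/rl0 are assumed; 192.168.1.100 is the internal host named in the thread.

```shell
#!/bin/sh
# Added example: reproduces the ipfw + natd configuration discussed above.
extif="xl0"                 # assumed external interface name
intif="rl0"                 # assumed internal interface name
inthost="192.168.1.100"     # internal apache/ftp host from the thread
fwcmd="${fwcmd:-echo}"      # dry-run by default; run with fwcmd=/sbin/ipfw to apply

# natd options: take the alias address from the external interface, translate
# only private (RFC1918) source addresses (-unregistered_only, as Neil advised,
# to avoid the "double NAT" confusion), and the two redirects from the thread.
natd_flags() {
    printf '%s ' "-interface ${extif}" \
                 "-unregistered_only" \
                 "-redirect_port tcp ${inthost}:21 21" \
                 "-redirect_port tcp ${inthost}:80 9090"
    printf '\n'
}

# ipfw rules: divert to natd on BOTH interfaces, ahead of the pass rules.
# Rule 7000 is the usual single divert on the external interface; rule 7005
# is the addition that made the redirect reachable from the internal network.
nat_rules() {
    ${fwcmd} add 7000 divert natd ip from any to any via ${extif}
    ${fwcmd} add 7005 divert natd ip from any to any via ${intif}
}

echo "natd flags: $(natd_flags)"
nat_rules
```

With the default dry run the script only prints the rule set; the natd flags go into natd_flags in rc.conf and the two divert rules replace the single divert line in rc.firewall.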

