Date:      Wed, 06 Mar 2002 17:19:45 +0200
From:      Sheldon Hearn <sheldonh@starjuice.net>
To:        freebsd-questions@FreeBSD.org
Subject:   Re: Internal hosts communicating with external addresses through firewall 
Message-ID:  <82516.1015427985@axl.seasidesoftware.co.za>
In-Reply-To: Your message of "Wed, 06 Mar 2002 16:59:33 +0200." <82413.1015426773@axl.seasidesoftware.co.za>



On Wed, 06 Mar 2002 16:59:33 +0200, Sheldon Hearn wrote:

> I've been using IPFW with one of ipnat and natd for a while, but have
> never managed to figure out what it takes to allow internal hosts (with
> private addresses NAT'd to public addresses with a 1:1 mapping) to
> communicate with each other using their public addresses?

[...]

> Can this be done?  If so, is there more to it than just firewall rules?
> 
> The obvious idea of just using IPFW log on my deny rule to see where
> things are going wrong doesn't seem feasible, because this would
> generate a HUGE amount of logging information, even for a few minutes.

Actually, I had a brainstorm after I sent the message, and added the
following rules to the end of my ruleset to see if I could find where
the packets were being denied:

# 		Public address (hostname)	Private address
# Web server:	w.x.y.z (www.example.com)	10.0.0.100
# Dev server:	s.t.u.v (dev.example.com)	10.0.0.101
#
deny log tcp from s.t.u.v to any 80
deny log tcp from any 80 to 10.0.0.101
deny log tcp from w.x.y.z 80 to any
deny log tcp from any to 10.0.0.100 80
deny log tcp from 10.0.0.101 to any 80
deny log tcp from 10.0.0.100 80 to any
deny log tcp from any 80 to s.t.u.v
deny log tcp from any to w.x.y.z 80

None of these rules resulted in any /var/log/security messages with
net.inet.ip.fw.verbose=1, and I _have_ checked that logging to that file
does actually work. :-)

This makes me think there's more to this than just firewall rules.

Ciao,
Sheldon.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
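The eight trailing deny/log rules in the message are a probe: if a packet reaches the end of the ruleset, the first of them that matches should log it. The script below is an added example, not part of Sheldon's message or of ipfw itself. It parses those exact rules with a deliberately small first-match evaluator and asks which rule each leg of a hairpinned connection (dev server to the web server's public address) would hit. The public addresses w.x.y.z and s.t.u.v are placeholders in the message, so constructed RFC 5737 addresses stand in for them here; the evaluator only understands plain `from A [port] to B [port]` with exact addresses or `any`, none of ipfw's masks, ranges or `setup`/`established` keywords. Function and variable names (`parse_rules`, `first_match`, `trace_legs`, `HOSTS`) are hypothetical.

```python
"""First-match evaluator for the ipfw-style deny/log rules quoted above.

Hypothetical helper, not ipfw: it answers "which of these rules would a
given TCP packet hit if it reached them?", which is the question raised by
the empty /var/log/security.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the placeholder public addresses in the message.
HOSTS = {"w.x.y.z": "192.0.2.10", "s.t.u.v": "192.0.2.11"}

# The rules exactly as posted.
RULES_TEXT = """
deny log tcp from s.t.u.v to any 80
deny log tcp from any 80 to 10.0.0.101
deny log tcp from w.x.y.z 80 to any
deny log tcp from any to 10.0.0.100 80
deny log tcp from 10.0.0.101 to any 80
deny log tcp from 10.0.0.100 80 to any
deny log tcp from any 80 to s.t.u.v
deny log tcp from any to w.x.y.z 80
"""

# Only the simple subset used above: action [log] proto from A [port] to B [port]
RULE_RE = re.compile(
    r"^(?P<action>deny|allow)\s+(?P<log>log\s+)?(?P<proto>\w+)\s+"
    r"from\s+(?P<src>\S+)(?:\s+(?P<sport>\d+))?\s+"
    r"to\s+(?P<dst>\S+)(?:\s+(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    log: bool
    proto: str
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    text: str


def parse_rules(text: str) -> list:
    """Parse the rule listing, numbering rules in the order ipfw would try them."""
    rules = []
    for n, line in enumerate(l.strip() for l in text.strip().splitlines()):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        rules.append(Rule(
            number=n + 1,
            action=m["action"],
            log=m["log"] is not None,
            proto=m["proto"],
            src=HOSTS.get(m["src"], m["src"]),   # resolve placeholder hostnames
            sport=int(m["sport"]) if m["sport"] else None,
            dst=HOSTS.get(m["dst"], m["dst"]),
            dport=int(m["dport"]) if m["dport"] else None,
            text=line,
        ))
    return rules


def _addr_ok(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr


def _port_ok(pattern: Optional[int], port: int) -> bool:
    return pattern is None or pattern == port


def first_match(rules, proto, src, sport, dst, dport) -> Optional[Rule]:
    """Return the first rule the packet matches (ipfw stops there), or None."""
    for r in rules:
        if r.proto != proto:
            continue
        if not (_addr_ok(r.src, src) and _port_ok(r.sport, sport)):
            continue
        if not (_addr_ok(r.dst, dst) and _port_ok(r.dport, dport)):
            continue
        return r
    return None


def trace_legs(rules, dev_priv, dev_pub, web_pub, port=80, eph=40000) -> dict:
    """Model the legs of a dev-server -> web-server (public address) connection
    around a 1:1 NAT and report the number of the first rule each would hit."""
    legs = {
        "dev->web, before NAT": ("tcp", dev_priv, eph, web_pub, port),
        "dev->web, after NAT":  ("tcp", dev_pub, eph, web_pub, port),
        "web->dev, reply":      ("tcp", web_pub, port, dev_pub, eph),
    }
    return {name: (r.number if (r := first_match(rules, *pkt)) else None)
            for name, pkt in legs.items()}


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for leg, n in trace_legs(rules, "10.0.0.101", "192.0.2.11", "192.0.2.10").items():
        print(f"{leg:24s} -> rule {n}: {rules[n - 1].text if n else 'no match'}")
```

Every modelled leg lands on one of the logged deny rules (before-NAT on rule 5, after-NAT on rule 1, the reply on rule 3), so the probe itself is sound. When a probe like this stays silent, the packets either matched an earlier rule in the ruleset or never passed through this position of the firewall at all, which is the "more to this than just firewall rules" reading; the next check is rule counters (`ipfw show`) on the earlier rules rather than more logging at the end.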

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?82516.1015427985>