From owner-freebsd-questions Wed Mar 6 7:16: 5 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id B432937B400 for ; Wed, 6 Mar 2002 07:16:01 -0800 (PST)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16idCj-000LSv-00 for freebsd-questions@FreeBSD.org; Wed, 06 Mar 2002 17:19:45 +0200
From: Sheldon Hearn
To: freebsd-questions@FreeBSD.org
Subject: Re: Internal hosts communicating with external addresses through firewall
In-reply-to: Your message of "Wed, 06 Mar 2002 16:59:33 +0200." <82413.1015426773@axl.seasidesoftware.co.za>
Date: Wed, 06 Mar 2002 17:19:45 +0200
Message-ID: <82516.1015427985@axl.seasidesoftware.co.za>
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Wed, 06 Mar 2002 16:59:33 +0200, Sheldon Hearn wrote:

> I've been using IPFW with one of ipnat and natd for a while, but have
> never managed to figure out what it takes to allow internal hosts (with
> private addresses NAT'd to public addresses with a 1:1 mapping) to
> communicate with each other using their public addresses?

[...]

> Can this be done? If so, is there more to it than just firewall rules?
>
> The obvious idea of just using IPFW log on my deny rule to see where
> things are going wrong doesn't seem feasible, because this would
> generate a HUGE amount of logging information, even for a few minutes.
Actually, I had a brainstorm after I sent the message, and added the
following rules to the end of my ruleset to see if I could find where
the packets were being denied:

    # Public address (hostname)                  Private address
    # Web server: w.x.y.z (www.example.com)      10.0.0.100
    # Dev server: s.t.u.v (dev.example.com)      10.0.0.101
    #
    deny log tcp from s.t.u.v to any 80
    deny log tcp from any 80 to 10.0.0.101
    deny log tcp from w.x.y.z 80 to any
    deny log tcp from any to 10.0.0.100 80
    deny log tcp from 10.0.0.101 to any 80
    deny log tcp from 10.0.0.100 80 to any
    deny log tcp from any 80 to s.t.u.v
    deny log tcp from any to w.x.y.z 80

None of these rules resulted in any /var/log/security messages with
net.inet.ip.fw.verbose=1, and I _have_ checked that logging to that file
does actually work. :-)

This makes me think there's more to this than just firewall rules.

Ciao,
Sheldon.
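As an added illustration (not part of Sheldon's post), the following Python script tallies ipfw deny-log hits per rule, direction and interface for only the addresses in the post's 1:1 mapping, which is one way to check targeted diagnostic rules without reading every line of /var/log/security. The syslog line layout is the one ipfw produces with net.inet.ip.fw.verbose=1 as I know it, and the sample lines are constructed (the public addresses are the post's placeholders, not real hosts).

```python
import re
from collections import Counter

# Assumed ipfw syslog layout (verbose=1):
#   <ts> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)"
)

# 1:1 NAT mapping from the post; public addresses are placeholders.
NAT_MAP = {"w.x.y.z": "10.0.0.100", "s.t.u.v": "10.0.0.101"}
ALL_ADDRS = set(NAT_MAP) | set(NAT_MAP.values())

# Constructed sample log lines, not taken from any real system.
SAMPLE = """\
Mar  6 17:20:01 axl /kernel: ipfw: 65010 Deny TCP 10.0.0.101:1034 w.x.y.z:80 in via fxp1
Mar  6 17:20:01 axl /kernel: ipfw: 65010 Deny TCP 10.0.0.101:1034 w.x.y.z:80 in via fxp1
Mar  6 17:20:02 axl /kernel: ipfw: 65030 Deny TCP w.x.y.z:80 10.0.0.101:1034 out via fxp1
Mar  6 17:20:03 axl /kernel: ipfw: 100 Accept TCP 10.0.0.5:2000 203.0.113.9:22 out via fxp0
Mar  6 17:20:04 axl /kernel: ipfw: 65000 Deny UDP 192.0.2.77:53 10.0.0.5:1025 in via fxp0
""".splitlines()


def parse_ipfw_line(line):
    """Return the named fields of an ipfw log line, or None if it is not one."""
    m = IPFW_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines, interesting):
    """Count Deny hits per (rule, direction, iface) where either endpoint
    is one of the `interesting` addresses; everything else is skipped."""
    hits = Counter()
    for line in lines:
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if rec["src"] not in interesting and rec["dst"] not in interesting:
            continue
        hits[(int(rec["rule"]), rec["dir"], rec["iface"])] += 1
    return hits


if __name__ == "__main__":
    for (rule, direction, iface), n in sorted(summarize(SAMPLE, ALL_ADDRS).items()):
        print(f"rule {rule:5d} {direction:3s} via {iface}: {n} denied")
```

An empty tally over a real log, as in the post, confirms the packets never reached those rules rather than being dropped by them.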