From: Christer Hermansson <mail@chdevelopment.se>
Date: Sun, 14 Oct 2007 23:28:38 +0200
To: jhall@vandaliamo.net
Cc: freebsd-net@freebsd.org
Subject: Re: NAT Questions
Message-ID: <47128A06.40901@chdevelopment.se>
In-Reply-To: <1598.65.117.48.155.1192215288.squirrel@admintool.trueband.net>

jhall@vandaliamo.net wrote:
> Following is my configuration.
>
> External Interface------->Internal Interface--------> Rest of network
> 1.2.3.4/24                10.129.10.40/24
> 1.2.3.5/32 Alias
>
> 1.2.3.5/24 is the IP address all http traffic will come in on. 1.2.3.4/32
> is the IP address all other traffic will come in on. Both of these
> addresses reside on a single NIC with 1.2.3.5 being an alias.
>
> ipnat.rules
> rdr 1.2.3.5/32 port 80 -> 10.129.10.49 port 80
> map em1 10.129.10.0/24 -> 0.0.0.0/32
>
> 10.129.10.49 has 10.129.10.40 (my firewall) listed as its default gateway.
> When it responds to a request that has been forwarded, how will the
> firewall return the response? Will it return the request on 1.2.3.5?
>

I think you should specify the interface and protocol as well, e.g.

rdr xl0 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp

The response will have 1.2.3.5 as source address; the NAT software remembers that the translation/mapping was done on 1.2.3.5.

I guess you have already added gateway_enable="YES" to the file /etc/rc.conf.

However, it's very bad to let people into your protected network: if they can fool your webserver they have control over an internal machine. If the 10.129.10.0/24 is a DMZ, used only for web/mail etc., this is of course okay to do.

-- 
Christer Hermansson
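The following is an added illustration of the behaviour Christer describes, not code from this thread or from IPFilter itself: a toy stateful translator that applies an rdr rule restricted to one interface and protocol, remembers the session, and rewrites the web server's reply so it leaves with 1.2.3.5 as its source. It also models the map rule, treating "0.0.0.0/32" as the interface's primary address (1.2.3.4) the way ipnat does. Assumed: the external interface is em1 (taken from the map rule; xl0 in the reply was only an example name), the client and remote addresses are constructed test values, and TCP state, timeouts and port collisions are ignored.

```python
"""Toy model of ipnat rdr/map translation (added example, not IPFilter code).

Assumptions: em1 is the external interface carrying 1.2.3.4 (primary) and
1.2.3.5 (alias); packets are plain dicts; no TCP state tracking, timeouts
or port-collision handling, which a real NAT implementation must provide.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rdr:
    ifname: str                       # interface the rule applies to
    proto: str                        # "tcp" or "udp"; a udp packet will not match a tcp rule
    dst: ipaddress.IPv4Network        # public address(es) being redirected
    dport: int
    new_dst: str                      # internal host that really serves the port
    new_dport: int


@dataclass
class Map:
    ifname: str
    src: ipaddress.IPv4Network        # internal network being masqueraded
    new_src: str                      # ipnat "0/32" resolves to the interface's own address


def flow(p):
    """5-tuple as seen on the wire, used as the translation-table key."""
    return (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])


def reverse(p):
    """The reply direction of a packet (endpoints swapped)."""
    return {**p, "src": p["dst"], "sport": p["dport"], "dst": p["src"], "dport": p["sport"]}


@dataclass
class Nat:
    rdr_rules: list
    map_rules: list
    in_xlate: dict = field(default_factory=dict)   # inbound flow  -> (new dst, new dport)
    out_xlate: dict = field(default_factory=dict)  # outbound flow -> (new src, new sport)

    def inbound(self, ifname, pkt):
        """Packet arriving on the external interface, before routing."""
        key = flow(pkt)
        if key in self.in_xlate:                    # known session (e.g. reply to a mapped flow)
            dst, dport = self.in_xlate[key]
            return {**pkt, "dst": dst, "dport": dport}
        for r in self.rdr_rules:
            if (r.ifname == ifname and r.proto == pkt["proto"]
                    and ipaddress.ip_address(pkt["dst"]) in r.dst and pkt["dport"] == r.dport):
                new = {**pkt, "dst": r.new_dst, "dport": r.new_dport}
                # record both directions: the server's reply must regain the public address
                self.in_xlate[key] = (r.new_dst, r.new_dport)
                self.out_xlate[flow(reverse(new))] = (pkt["dst"], pkt["dport"])
                return new
        return pkt                                   # no rule matched: delivered unchanged

    def outbound(self, ifname, pkt):
        """Packet leaving on the external interface, after routing."""
        key = flow(pkt)
        if key in self.out_xlate:                   # reply to a redirected session
            src, sport = self.out_xlate[key]
            return {**pkt, "src": src, "sport": sport}
        for m in self.map_rules:
            if m.ifname == ifname and ipaddress.ip_address(pkt["src"]) in m.src:
                new = {**pkt, "src": m.new_src}     # source port kept (no portmap clause)
                self.out_xlate[key] = (m.new_src, pkt["sport"])
                self.in_xlate[flow(reverse(new))] = (pkt["src"], pkt["sport"])
                return new
        return pkt


def demo():
    """Run the scenario from the thread; returns the translated packets for inspection."""
    nat = Nat(
        rdr_rules=[Rdr("em1", "tcp", ipaddress.IPv4Network("1.2.3.5/32"), 80, "10.129.10.49", 80)],
        map_rules=[Map("em1", ipaddress.IPv4Network("10.129.10.0/24"), "1.2.3.4")],
    )
    # constructed client request to the alias address
    req = {"proto": "tcp", "src": "203.0.113.7", "sport": 40000, "dst": "1.2.3.5", "dport": 80}
    fwd = nat.inbound("em1", req)                   # delivered to 10.129.10.49:80
    reply = nat.outbound("em1", reverse(fwd))       # server answers from its private address
    udp = nat.inbound("em1", {**req, "proto": "udp"})   # does not match the tcp-only rdr
    # constructed outbound connection from the LAN, masqueraded as 1.2.3.4
    out = nat.outbound("em1", {"proto": "tcp", "src": "10.129.10.49", "sport": 50000,
                               "dst": "198.51.100.9", "dport": 443})
    back = nat.inbound("em1", reverse(out))         # remote reply mapped back to the LAN host
    return fwd, reply, udp, out, back


if __name__ == "__main__":
    for name, p in zip(("fwd", "reply", "udp", "out", "back"), demo()):
        print(name, p)
```

The point to take from the run: the server's reply leaves with src 1.2.3.5:80 because the session was recorded when the rdr matched, while a UDP packet to the same address and port is left alone once the rule names tcp.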