Date: Tue, 14 May 2002 15:26:49 -0400 From: "Miroslav Pendev" <shadow@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> To: "Aragon Gouveia" <aragon@phat.za.net> Cc: <freebsd-security@freebsd.org> Subject: Re: ipfw + nat + port_redirect - works, but not for the internal net Message-ID: <046401c1fb7d$4d0f32d0$c801a8c0@vsivyoung> References: <030301c1fb56$ef9fefc0$c801a8c0@vsivyoung> <005501c1fb70$bb32ebb0$01000001@aragon> <042e01c1fb75$048699c0$c801a8c0@vsivyoung> <001101c1fb79$de1aafb0$01000001@aragon>
next in thread | previous in thread | raw e-mail | index | archive | help
Hi Aragon, thanks for the info I will take a look at data(and sock)pipe. > Personally, what I'd do is simply connect directly to 192.168.1.100 instead > of trying to go via your freebsd gateway. Yes, the direct access to 192.168.1.100:80 is Ok! But here is what I have: Web server in *Internet* is serving web pages with some forms and then the data is sent to the internal (behind the firewall) apache + php server. Everithing work just perfect for the clients (hosts from internet) but it doesnt work for the people in the internal network. I do not want to make a miror site only because I dont know (for now) how to get this working. Thanks anyway! --Miro > > If I really really needed to go via the freebsd gateway and I couldn't get > ipfw fwd working, I guess I'd try running datapipe. It's available from > ports, but bare in mind it's not very stable. If you can find a program > called sockpipe, it's much stabler than datapipe, but can't bind to a > specific IP like datapipe can. > > > Regards, > Aragon > > > ----- Original Message ----- > From: "Miroslav Pendev" > <shadow@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> > To: "Aragon Gouveia" <aragon@phat.za.net> > Cc: <freebsd-security@freebsd.org> > Sent: Tuesday, May 14, 2002 8:27 PM > Subject: Re: ipfw + nat + port_redirect - works, but not for the internal > net > > > > Yes, I recompiled the kernel with options IPFIREWALL_FORWARD > > I even I made some tests but with no success with the following > > in rc.firewall (24.24.24.24 is not my real ext. IP): > > > > ${fwcmd} add fwd 24.24.24.24,9090 tcp from any to 192.168.1.100 80 in > > > > It seems to be what I need but... > > > > I have one stupid Linksys Cable&DSL router with NAT > > and from the internal network I can access redirected port > > on the external interface to internal host: > > this is what I need to do, but with FreeBSD firewall. > > > > So it seems that this is not a big problem, I just > > do not know how to get it work. > > > > --Miro > > > > > > > Howdy, > > > > > > Have you tried an ipfw fwd rule? > > > > > > > > > Regards, > > > Aragon > > > > > > ----- Original Message ----- > > > From: "Miroslav Pendev" > > > <shadow@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> > > > To: <freebsd-security@freebsd.org> > > > Sent: Tuesday, May 14, 2002 4:52 PM > > > Subject: ipfw + nat + port_redirect - works, but not for the internal > net > > > > > > > > > > Hi Guys! > > > > > > > > I have FreeBSD 4.5 RELEASE as Firewall with two NICs: > > > > > > > > xl0 - external interface > > > > xl1 - internal interface > > > > > > > > ipfw and natd + port_redirect works just fine! > > > > > > > > My problem is that when someone from the internal network > > > > is trying to hit external_IP:redirected_port, the redirection > > > > is not working for him - connection refused. > > > > It works only for host from outside (Internet). > > > > > > > > For simplicity lets assume that the firewall type is *open*. > > > > > > > > What rules to ipfw or natd I need in order to permit > > > > the port redirection to works for the internal hosts, also? > > > > > > > > I RTFM, I search the archives but I didn't found a clear > > > > answer to that situation. > > > > > > > > This is common problem to the corporate servers behind > > > > firewalls_with_natd_and_redirected_port and probably deserve > > > > to be into FreeBSD handbook - otherwise, good documentation! > > > > > > > > There is some security concerns *is port_redirection a good idea > > > > at all*, but that's it I need this working - don't ask why ;-) > > > > > > > > Thanks in advance! > > > > > > > > --Miro > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?046401c1fb7d$4d0f32d0$c801a8c0>