From owner-freebsd-ipfw@FreeBSD.ORG Thu Aug 2 18:51:57 2007
Delivered-To: freebsd-ipfw@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B41E316A420 for ; Thu, 2 Aug 2007 18:51:57 +0000 (UTC) (envelope-from gabriele@sssup.it)
Received: from sssup.it (ms01.sssup.it [193.205.80.99]) by mx1.freebsd.org (Postfix) with ESMTP id 42EFF13C461 for ; Thu, 2 Aug 2007 18:51:57 +0000 (UTC) (envelope-from gabriele@sssup.it)
Received: from [193.205.82.25] (HELO [127.0.0.1]) by sssup.it (CommuniGate Pro SMTP 4.1.8) with ESMTP-TLS id 32505232; Thu, 02 Aug 2007 19:42:31 +0200
Message-ID: <46B219B9.2060706@sssup.it>
Date: Thu, 02 Aug 2007 19:51:53 +0200
From: Gabriele Cecchetti
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: freebsd-ipfw@freebsd.org, Luigi Rizzo
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
Subject: ipfw natd and carp for redundant server
X-BeenThere: freebsd-ipfw@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IPFW Technical Discussions
X-List-Received-Date: Thu, 02 Aug 2007 18:51:57 -0000

Hi!

I have set up the following network:

                     |- ServerF2 (if_wan0: x.y.z.2)
    Internet_Router|---|   (if_carp0: x.y.z.6)
                     |- ServerF3 (if_wan0: x.y.z.3)
                     |
                     |------ ServerG (if_lan0: 10.30.3.x)

Servers F2 and F3 have a carp interface configured for (high) availability, with address x.y.z.6.
Servers F2 and F3 have a Web server which listens on port 80.
I need to reach some services of the internal server from the outside network (e.g. ssh, cvs, etc.).

What I have done in /etc/ipfw.rules:
(It is not a secure configuration! Just to test what I need!)
    #
    flush
    #
    # Setup loopback
    #
    add 100 pass all from any to any via lo0
    add 200 deny all from any to 127.0.0.0/8
    add 300 deny ip from 127.0.0.0/8 to any
    #
    # Allow important services through unmodified address and ports
    #
    add 900 allow tcp from any to any 80,443
    #
    # Divert
    #
    add 1100 divert natd ip4 from any to any via wan0
    #
    # Default: allow everything
    #
    add 65000 allow ip from any to any

and for /etc/natd.conf:

    #
    interface wan0
    same_ports
    use_sockets
    log
    #
    # Server G
    #
    redirect_port tcp 10.30.3.4:22 44022
    redirect_port tcp 10.30.3.4:993 44993
    redirect_port tcp 10.30.3.4:2401 2401
    redirect_port tcp 10.30.3.4:9418 9418

######################################

With this configuration I can reach ServerG from the Internet only if I use the address x.y.z.2 (or x.y.z.3, which is a clone of the .2 machine). I would like to reach ServerG with the address x.y.z.6, which is the common redundant address.

Any idea or suggestion?
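Added example, not part of the original message: natd's redirect_port syntax accepts an explicit alias address in front of the public port (redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT), so a redirection can be tied to the shared carp address instead of the primary address that natd derives from `interface wan0`. It reuses the placeholder addresses x.y.z.6 and 10.30.3.4 from the post and assumes the same file is installed on both F2 and F3.

```conf
# /etc/natd.conf (constructed example; x.y.z.6 is the placeholder carp address from the post)
interface wan0
same_ports
use_sockets
log
#
# Server G: bind each redirection to the shared carp address x.y.z.6,
# not to the interface's own primary address (x.y.z.2 on F2, x.y.z.3 on F3)
#
redirect_port tcp 10.30.3.4:22   x.y.z.6:44022
redirect_port tcp 10.30.3.4:993  x.y.z.6:44993
redirect_port tcp 10.30.3.4:2401 x.y.z.6:2401
redirect_port tcp 10.30.3.4:9418 x.y.z.6:9418
```

Translation state lives in the natd process of whichever node is currently carp master and is not shared with the other node, so sessions in flight do not survive a failover. The packet counters shown by `ipfw show` for rule 1100 tell whether traffic addressed to x.y.z.6 is actually being diverted on the master.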