Date:      Thu, 02 Aug 2007 19:51:53 +0200
From:      Gabriele Cecchetti <gabriele@sssup.it>
To:        freebsd-ipfw@freebsd.org, Luigi Rizzo <rizzo@icir.org>
Subject:   ipfw natd and carp for redundant server
Message-ID:  <46B219B9.2060706@sssup.it>

Hi!

I had set up the following network:

                    |- ServerF2 (if_wan0: x.y.z.2)
Internet_Router|---|                               (if_carp0: x.y.z.6)
                |   |- ServerF3 (if_wan0: x.y.z.3)
                |
                |------ServerG (if_lan0: 10.30.3.x)

Server F2 and F3 have a carp interface
configured for (high) availability,
with address x.y.z.6

Server F2 and F3 have a Web server which listens on port 80.

I need to reach some services of the internal server from the outside network
(e.g. ssh, cvs, etc.)

What I have done in /etc/ipfw.rules:
(It is not a secure configuration! Just to test what I need!)
#
flush
#
# Setup loopback
#
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
#
# Allow important services through unmodified address and ports
#
add 900 allow tcp from any to any 80,443
#
# Divert
#
add 1100 divert natd ip4 from any to any via wan0
#
# Default: allow everything
#
add 65000 allow ip from any to any

and for /etc/natd.conf
#
interface wan0
same_ports
use_sockets
log
#
# Server G
#
redirect_port tcp 10.30.3.4:22 44022
redirect_port tcp 10.30.3.4:993 44993
redirect_port tcp 10.30.3.4:2401 2401
redirect_port tcp 10.30.3.4:9418 9418
######################################

With this configuration I can reach ServerG from the Internet only
if I use the address x.y.z.2 (or x.y.z.3, which is a clone of the .2
machine).

I would like to reach ServerG with the address x.y.z.6, which is the
common redundant address.

Any idea or suggestion?
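As an added check (not part of the thread or of ipfw/natd themselves), the Python script below parses copies of the ipfw ruleset and natd.conf quoted above, which are constructed here from the post, and reports which redirected ServerG services are reachable from wan0 only because of the final catch-all allow rule. The parser only understands the rule shapes used in this post.

```python
import re
# Constructed copies of the ipfw rules and natd.conf quoted in the post above.
IPFW_RULES = """
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
add 900 allow tcp from any to any 80,443
add 1100 divert natd ip4 from any to any via wan0
add 65000 allow ip from any to any
"""
NATD_CONF = """
redirect_port tcp 10.30.3.4:22 44022
redirect_port tcp 10.30.3.4:993 44993
redirect_port tcp 10.30.3.4:2401 2401
redirect_port tcp 10.30.3.4:9418 9418
"""
RULE_RE = re.compile(r"^add\s+(\d+)\s+(.+?)\s+(\S+)\s+from\s+(\S+)\s+to\s+(\S+)"
                     r"(?:\s+(\d[\d,]*))?(.*)$")
REDIR_RE = re.compile(r"^redirect_port\s+(tcp|udp)\s+([\d.]+):(\d+)\s+(\d+)")

def parse_ipfw(text):
    """Return 'add' rules sorted by number; the non-greedy action group accepts 'divert natd'."""
    rules = []
    for m in filter(None, (RULE_RE.match(ln.strip()) for ln in text.splitlines())):
        num, action, proto, src, dst, ports, opts = m.groups()
        rules.append({"num": int(num), "action": action, "proto": proto, "src": src,
                      "dst": dst, "ports": ports.split(",") if ports else [],
                      "opts": opts.split()})
    return sorted(rules, key=lambda r: r["num"])

def parse_natd(text):
    """Return (proto, internal_ip, internal_port, external_port) per redirect_port line."""
    return [(m[1], m[2], int(m[3]), int(m[4]))
            for m in map(REDIR_RE.match, (ln.strip() for ln in text.splitlines())) if m]

def allows(rule, ip, port):
    """True if rule would pass a packet to ip:port as seen after natd rewrote it."""
    return (rule["action"] in ("allow", "pass", "accept") and rule["dst"] in ("any", ip)
            and (not rule["ports"] or str(port) in rule["ports"]))

def audit(rules, redirects):
    """Flag a default-permit catch-all and each redirect reachable only through it."""
    findings, last = [], rules[-1]
    if last["action"] in ("allow", "pass") and last["src"] == last["dst"] == "any" and not last["ports"]:
        findings.append(f"rule {last['num']}: catch-all allow, ruleset is default-permit")
    divert = next((r["num"] for r in rules if r["action"].startswith("divert")), None)
    for proto, ip, iport, eport in redirects:  # post-NAT, only rules after the divert see ip:iport
        hits = [r["num"] for r in rules if divert and r["num"] > divert and allows(r, ip, iport)]
        if hits == [last["num"]]:
            findings.append(f"{proto}/{eport} -> {ip}:{iport}: exposed only by catch-all rule {last['num']}")
    return findings
```

Running `audit(parse_ipfw(IPFW_RULES), parse_natd(NATD_CONF))` lists the catch-all rule 65000 followed by one line per redirected port, since no explicit allow follows the divert.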
