Date:      Sun, 8 Aug 2004 16:38:43 -0400
From:      "JJB" <Barbish3@adelphia.net>
To:        <mailist@whoweb.com>, <freebsd-questions@freebsd.org>
Subject:   RE: IPFW/NATD Transparent Proxy
Message-ID:  <MIEPLLIBMLEEABPDBIEGGELBGIAA.Barbish3@adelphia.net>
In-Reply-To: <200408081410.44127.mailist@whoweb.com>

A new rewrite of the FreeBSD handbook firewall section is currently
being made ready for update to the handbook. You can get an
in-process copy from  www.a1poweruser.com/FBSD_firewall/

From what you posted, it looks like you want public internet users to
access a web server on one of your LAN machines. Both ipfw and
ipfilter do this normally with port redirect. You need to post
more info about your system config.
Post the full contents of your rc.conf and firewall rules files.

The limit you write about ipfilter is not true.

-----Original Message-----
From: owner-freebsd-questions@freebsd.org
[mailto:owner-freebsd-questions@freebsd.org] On Behalf Of
mailist@whoweb.com
Sent: Sunday, August 08, 2004 2:11 PM
To: freebsd-questions@freebsd.org
Subject: IPFW/NATD Transparent Proxy

Anyone up for a challenge?

I've come to the conclusion that IPFW/NATD cannot support transparent
proxying with ONLY stateful rules.  I'd like to hear from anyone who has
been successful doing so in case I'm missing something.

Configuration is:
        FreeBSD 5.2.1
        3 - NICS (de0, de1, de2)
        de1 = Public IP = 1.2.3.4
        de2 = LAN1 = 192.168.1.0
        de3 = LAN2 = 192.168.2.0

The challenge:
        1) TCP request from 192.168.1.247 to 1.2.3.4:80
        2) Redirect 1.2.3.4:80 to 192.168.2.250:80
        3) Use stateful rules

On another note, I read somewhere on the Internet that IPFILTER has a
limitation in that it cannot redirect a public destination to a private
destination if the source machine is on the same subnet as the redirected
destination.  In other words, the following supposedly will not work:
        1) A tcp request from 192.168.1.247 to 1.2.3.4:80
        2) Redirect 1.2.3.4:80 to 192.168.1.100:80

Is this an accurate limitation of IPFILTER?
J

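As an added illustration, not part of either message in this thread: the ordinary public-side port redirect JJB refers to, done with natd and stateful ipfw rules on the configuration described in the question. The interface names and addresses are the ones from the post; the file paths /etc/natd.conf and /etc/ipfw.rules and the rule numbers are assumptions of this example. It does not cover the LAN-side case the question actually asks about: a request from 192.168.1.247 to 1.2.3.4:80 arrives in via de2, is delivered locally because 1.2.3.4 is the firewall's own address, and never reaches the `in via de1` divert rule, so nothing below rewrites it.

```conf
# /etc/rc.conf (excerpt) -- paths below are assumed for this example
gateway_enable="YES"
firewall_enable="YES"
firewall_type="/etc/ipfw.rules"
natd_enable="YES"
natd_interface="de1"
natd_flags="-f /etc/natd.conf"

# /etc/natd.conf
# Public 1.2.3.4:80 (de1's address) -> LAN2 web server 192.168.2.250:80
redirect_port tcp 192.168.2.250:80 80

# /etc/ipfw.rules -- loaded by rc.firewall as "ipfw /etc/ipfw.rules",
# one rule per line, after rc.firewall has flushed the old set.
# Loopback and both LAN interfaces are trusted.
add 00010 allow ip from any to any via lo0
add 00020 allow ip from any to any via de2
add 00030 allow ip from any to any via de3
# Translate inbound packets on the public side BEFORE check-state, so every
# dynamic rule is created and matched on the private (untranslated) addresses.
add 00100 divert natd ip from any to any in via de1
add 00110 check-state
# Outbound from the LANs: create state, then jump to the outbound divert.
# The action is "skipto 800" rather than "allow" so that a reply matched by
# check-state is also pushed through natd instead of leaving untranslated.
add 00200 skipto 800 tcp from 192.168.1.0/24 to any out via de1 setup keep-state
add 00210 skipto 800 tcp from 192.168.2.0/24 to any out via de1 setup keep-state
add 00220 skipto 800 udp from 192.168.1.0/24 to any 53 out via de1 keep-state
add 00230 skipto 800 udp from 192.168.2.0/24 to any 53 out via de1 keep-state
# Inbound web: by the time the SYN gets here natd has already rewritten
# 1.2.3.4:80 to 192.168.2.250:80, so the rule matches the private address.
# The server's SYN-ACK comes back in via de3 (rule 30), then out via de1,
# where check-state matches this dynamic rule, skips to 800 and natd
# rewrites the source back to 1.2.3.4:80.
add 00400 skipto 800 tcp from any to 192.168.2.250 80 in via de1 setup keep-state
# Anything else that reaches this point, in either direction, is dropped;
# rules 800/801 are reachable only through the skipto above.
add 00500 deny log ip from any to any
add 00800 divert natd ip from any to any out via de1
add 00801 allow ip from any to any
```

The ordering is the whole point: if the inbound divert sat after check-state, or if the keep-state rules used `allow`, the reply from 192.168.2.250 would be accepted by check-state before natd saw it and would leave de1 with a private source address. Adding more services means adding more `skipto 800 ... keep-state` lines, not touching the three rules at the end.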