From owner-freebsd-net@FreeBSD.ORG Fri Sep 30 15:44:18 2011
From: Freddie Cash <fjwcash@gmail.com>
To: Marek Salwerowicz
Cc: freebsd-net@freebsd.org
Date: Fri, 30 Sep 2011 08:44:16 -0700
Subject: Re: ipfw - accessing DMZ from LAN
In-Reply-To: <4E85D8CB.6010104@wp.pl>
References: <4E412116.1070305@wp.pl> <4E422A74.3090601@wp.pl> <4E7B450F.5050802@wp.pl> <4E84B447.7010509@wp.pl> <4E84DE26.6030103@misal.pl> <4E85D8CB.6010104@wp.pl>
List-Id: Networking and TCP/IP with FreeBSD

On Fri, Sep 30, 2011 at 7:57 AM, Marek Salwerowicz wrote:
> On 2011-09-29 23:07, Marek Salwerowicz wrote:
>> So e.g. the rules specifying traffic between the DMZ host and the LAN could be the
>> first, and then rules for "generic" DMZ host traffic (allowing DMZ access to
>> the Internet)?
>> So far I made it like this (first DMZ-LAN, then DMZ), but I have a
>> problem:
>>
>> ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
>> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>>
>> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
>> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>>
>> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
>> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>>
>> ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
>> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>>
>> The DMZ host has access to the Internet (and is visible as the public IP dedicated
>> to that host, so it's what I wanted), but when I connect from the Internet
>> to the DMZ host (e.g. ssh), I see that the connection comes from itself (the DMZ host's
>> public IP), instead of the real public IP address.
>> I think that I've overNATed something.
>
> I've answered myself:
>
> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>
> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>
> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>
> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>
> So I just removed the rules responsible for NAT at $DMZIF and left only NAT at
> $PUBLICIF.
>
> But now there is the next problem - when I try to ping/ssh from the router to
> $DMZPUBLICIP, I connect to myself, instead of the DMZ host.

I'm guessing the router is the FreeBSD box running IPFW?

If so, then that's the correct behaviour, as the public IPs are physically assigned to the interfaces on the router. Thus, connecting to the public IPs from the router ... will connect to the router.

You need to ping the private IPs from the router, since the router is directly connected to the private networks.

-- 
Freddie Cash
fjwcash@gmail.com