Date:      Mon, 15 Oct 2007 21:22:22 -0000 (GMT)
From:      jhall@vandaliamo.net
To:        "Christer Hermansson" <mail@chdevelopment.se>
Cc:        freebsd-net@freebsd.org, jhall@vandaliamo.net
Subject:   Re: NAT Questions
Message-ID:  <1282.12.170.206.13.1192483342.squirrel@admintool.trueband.net>
In-Reply-To: <47128A06.40901@chdevelopment.se>
References:  <1598.65.117.48.155.1192215288.squirrel@admintool.trueband.net> <47128A06.40901@chdevelopment.se>

> jhall@vandaliamo.net wrote:
>> Following is my configuration.
>>
>> External Interface------->Internal Interface--------> Rest of network
>> 1.2.3.4/24                10.129.10.40/24
>> 1.2.3.5/32 Alias
>>
>> 1.2.3.5/24 is the IP address all http traffic will come in on.
>> 1.2.3.4/32
>> is the IP address all other traffic will come in on.  Both of these
>> addresses reside on a single NIC with 1.2.3.5 being an alias.
>>
>> ipnat.rules
>> rdr 1.2.3.5/32 port 80 -> 10.129.10.49 port 80
>> map em1 10.129.10.0/24 -> 0.0.0.0/32
>>
>> 10.129.10.49 has 10.129.10.40 (my firewall) listed as its default
>> gateway.
>> When it responds to a request that has been forwarded, how will the
>> firewall return the response?  Will it return the request on 1.2.3.5?
>>
>>
> I think you should specify the interface and protocol as well, e.g.
> rdr xl0 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp
>
> The response will have 1.2.3.5 as source-address, the nat software
> remembers that the translation/mapping was done on 1.2.3.5.
>
> I guess you have already added
> gateway_enable="YES"
> to the file /etc/rc.conf
>
> However, it's very bad to let people in to your protected network, if
> they can fool your webserver they have control over an internal machine.
> If the 10.129.10.0/24 is a DMZ, used only for web/mail etc this is of
> course okay to do.
>
Thank you for the explanation.  I thought that was how it worked, but was
not sure.  Yes, the server in question is only used as a web server.

Thanks again for the explanation.


Jay
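The behaviour Christer describes (the reply to a redirected connection leaves with 1.2.3.5 as its source, while other outbound traffic from the same host is mapped to the interface address) can be made concrete with a small stateful model of the two ipnat rules from the thread. This is an added teaching example, not code from the thread or from ipfilter itself. It assumes a single external interface whose address is 1.2.3.4 (which is what `0.0.0.0/32` in the `map` rule resolves to), uses the `tcp` protocol qualifier Christer suggested for the `rdr` rule, and omits interface names, port remapping and state timeouts; the client and remote addresses are constructed.

```python
"""Tiny stateful model of ipnat 'rdr' and 'map' handling (constructed example)."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class RdrRule:
    # models: rdr em0 1.2.3.5/32 port 80 -> 10.129.10.49 port 80 tcp
    proto: str
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int


@dataclass(frozen=True)
class MapRule:
    # models: map em1 10.129.10.0/24 -> 0.0.0.0/32
    # (0.0.0.0/32 means "the interface's own address"; assumed to be 1.2.3.4 here)
    internal_net: str
    external_ip: str


class IpnatModel:
    def __init__(self, rdr_rules, map_rules):
        self.rdr_rules = rdr_rules
        self.map_rules = map_rules
        # rdr state: (proto, client ip, client port, internal ip, internal port)
        #            -> (external ip, external port) the client originally hit
        self.rdr_state = {}

    def inbound(self, pkt):
        """Packet arriving on the external interface: apply matching rdr rule."""
        for r in self.rdr_rules:
            if pkt.proto == r.proto and pkt.dst == r.ext_ip and pkt.dport == r.ext_port:
                key = (pkt.proto, pkt.src, pkt.sport, r.int_ip, r.int_port)
                self.rdr_state[key] = (r.ext_ip, r.ext_port)  # remember which alias was used
                return replace(pkt, dst=r.int_ip, dport=r.int_port)
        return pkt  # no rdr match: delivered unchanged

    def outbound(self, pkt):
        """Packet leaving via the external interface: reverse rdr state, else apply map."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.rdr_state:
            ext_ip, ext_port = self.rdr_state[key]
            return replace(pkt, src=ext_ip, sport=ext_port)  # reply goes out as 1.2.3.5
        src = ipaddress.ip_address(pkt.src)
        for m in self.map_rules:
            if src in ipaddress.ip_network(m.internal_net):
                return replace(pkt, src=m.external_ip)  # ordinary masquerade, source port kept
        return pkt


def run_scenario():
    """Walk the thread's setup through the model; returns the four translated packets."""
    nat = IpnatModel(
        rdr_rules=[RdrRule("tcp", "1.2.3.5", 80, "10.129.10.49", 80)],
        map_rules=[MapRule("10.129.10.0/24", "1.2.3.4")],
    )
    # 1. constructed client request to the alias address is redirected to the web server
    request = Packet("tcp", "198.51.100.7", 40000, "1.2.3.5", 80)
    forwarded = nat.inbound(request)
    # 2. the web server's reply (default gateway = firewall) is un-translated to 1.2.3.5
    reply = Packet("tcp", "10.129.10.49", 80, "198.51.100.7", 40000)
    reply_out = nat.outbound(reply)
    # 3. an unrelated outbound connection from the same server only matches the map rule
    unrelated = Packet("tcp", "10.129.10.49", 51000, "203.0.113.9", 443)
    unrelated_out = nat.outbound(unrelated)
    # 4. UDP to port 80 does not match the tcp-only rdr rule and is left alone
    udp = Packet("udp", "198.51.100.7", 40001, "1.2.3.5", 80)
    udp_out = nat.inbound(udp)
    return forwarded, reply_out, unrelated_out, udp_out


if __name__ == "__main__":
    for p in run_scenario():
        print(p)
```

The model shows why the protocol qualifier matters: without `tcp` on the `rdr` line, the UDP probe in step 4 would also be forwarded to the internal host. It also shows why the reply carries 1.2.3.5 rather than the `map` address 1.2.3.4: the reverse lookup on the rdr state is consulted before the `map` rule, exactly the ordering a real NAT applies.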



