Date:      Wed, 16 Apr 2003 17:20:31 -0700
From:      Darren Pilgrim <dmp@pantherdragon.org>
To:        <freebsd@code-space.com>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL
Message-ID:  <20030416172031.5497fc18.dmp@pantherdragon.org>
In-Reply-To: <000001c30470$f9d63840$3401a8c0@neptune>
References:  <20030416144035.1f7711e1.dmp@pantherdragon.org> <000001c30470$f9d63840$3401a8c0@neptune>

"C_Ahlers" <freebsd@code-space.com> wrote:

>Am I missing something?
>
>If I do:
>
>(...)
>ipfw add divert natd all from any to any via $oif
>ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif
>(...)
>
>And say, client b.b.b.57 attempts to connect to a.a.a.15:80 - the
>forward rule will send out AS IS to b.b.b.100:80 on the internal
>interface
>
>1) No NAT will occur because NAT is set up only on external interface

Correct.

>2) The packet's dest ipaddr is not changed: it is still a.a.a.15, and
>will not be routed to anything on b.b.b.0/24

The forwarding behaviour is explained in ipfw(8).

>Do I need to NAT on $iif as well?

Probably, unless you don't need the webserver to answer from the address the
client expects it to.
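
An added illustration, not part of the original message and not ipfw code: a toy Python model that traces the thread's request (inside client to the public address, port 80) under three gateway policies and reports whether the server accepts it and whether the client accepts the reply. All addresses, the gateway address, source port 40000 and the function names are constructed; the model assumes the server has no alias or local rule for the public address.

```python
# Toy model of the LAN-to-LAN case from the thread; no real packets are sent.
# All addresses are constructed stand-ins for the thread's a.a.a.15 / b.b.b.x.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

PUBLIC = "203.0.113.15"    # stands in for a.a.a.15
SERVER = "192.168.1.100"   # stands in for b.b.b.100
CLIENT = "192.168.1.57"    # stands in for b.b.b.57
GATEWAY = "192.168.1.1"    # assumed inside address of the firewall

def server_accepts(pkt):
    """Assumption: the server only delivers packets addressed to its own IP."""
    return pkt.dst == SERVER

def server_reply(pkt):
    """The server answers from the address the request arrived on."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def client_accepts(request, reply):
    """The client's TCP socket matches replies on the full 4-tuple."""
    return reply == Packet(request.dst, request.dport, request.src, request.sport)

def hairpin(mode):
    """Return (server_accepted, client_accepted) for one gateway policy."""
    request = Packet(CLIENT, 40000, PUBLIC, 80)
    seen = request                                # "fwd": header left untouched
    if mode in ("dnat", "dnat+snat"):
        seen = seen._replace(dst=SERVER)          # destination rewritten on $iif
    if mode == "dnat+snat":
        seen = seen._replace(src=GATEWAY)         # source rewritten as well
    if not server_accepts(seen):
        return (False, False)
    reply = server_reply(seen)
    if reply.dst == GATEWAY:
        # Reply comes back through the gateway, which reverses both rewrites
        # (single-flow simplification: no translation table is modelled).
        reply = Packet(PUBLIC, reply.sport, CLIENT, reply.dport)
    return (True, client_accepts(request, reply))

if __name__ == "__main__":
    for mode in ("fwd", "dnat", "dnat+snat"):
        print(mode, hairpin(mode))
```

In the "dnat" case the server's reply goes straight to the client on the shared subnet, so it arrives from the server's inside address rather than the public one the client connected to.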


