Date:      Fri, 06 Feb 2004 08:16:02 +0200
From:      Nelis Lamprecht <nelis@8ball.co.za>
To:        Jason Lavigne <jlavigne@bwlogic.com>
Cc:        'FreeBSD Questions Mail List' <questions@freebsd.org>
Subject:   RE: ipf + ipnat + dmz + bridge question
Message-ID:  <1076048162.274.276.camel@enigma.8ball.co.za>
In-Reply-To: <008701c3ebe8$8df0e2a0$0501a8c0@canada>
References:  <008701c3ebe8$8df0e2a0$0501a8c0@canada>


On Thu, 2004-02-05 at 15:04, Jason Lavigne wrote:
> Clever. I tried that and now I have found a different issue, I don't
> know if ipnat is working correctly, I can browse the internet using my
> LAN however the ipnat.rules are being completely ignored, I removed all
> rules and I can still browse the Internet with my LAN and to me this is
> odd.
>
> Any ideas?

Just one.

Besides the usual kernel tunes, the most important one for ipf to work
successfully is IP forwarding. Make sure you have this enabled:

sysctl net.inet.ip.forwarding=1


>
> Thanks for your time.
>
> Jay
>
> -----Original Message-----
> From: Nelis Lamprecht [mailto:nelis@8ball.co.za]
> Sent: Thursday, February 05, 2004 3:47 AM
> To: Jason Lavigne
> Cc: FreeBSD Questions Mail List
> Subject: Re: ipf + ipnat + dmz + bridge question
>
> On Thu, 2004-02-05 at 02:57, Jason Lavigne wrote:
> > Hello all,
> >
> > I currently have a firewall with 3 NICs: one goes to the net, one to the
> > DMZ and one to the LAN. I have ipf and ipnat running along with FreeBSD
> > bridge support, and I have the external NIC and the DMZ NIC bridged. All
> > DMZ computers are configured with a real public IP and have the firewall
> > as the gateway.
> >
> > My question is: when any computer from my DMZ goes out to the net it uses
> > the IP of the firewall and not the public IP it was assigned. Internally
> > within the DMZ they use the correct IPs. How can I make it so that when the
> > DMZ computers are on the net they report as using their assigned IP? Is
> > the DMZ using ipnat? I only have the LAN mapped in ipnat.rules and
> > nothing about the DMZ IPs.
> >
> > TIA
> >
> > Jay
> >
> > Here are my configs:
> >
> > ifconfig
> >
> > dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
> >         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
> >         inet6 fe80::203:6dff:fe00:9bd%dc0 prefixlen 64 scopeid 0x1
> >         ether 00:03:6d:00:09:bd
> >         media: Ethernet autoselect (100baseTX)
> >         status: active
> > dc1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> >         inet6 fe80::280:c6ff:feea:7af1%dc1 prefixlen 64 scopeid 0x2
> >         inet xxx.yyy.200.99 netmask 0xfffffff0 broadcast xxx.yyy.200.111
> >         ether 00:80:c6:ea:7a:f1
> >         media: Ethernet autoselect (100baseTX <full-duplex>)
> >         status: active
> > xl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
> >         options=3<RXCSUM,TXCSUM>
> >         inet6 fe80::250:daff:fe1b:90c3%xl0 prefixlen 64 scopeid 0x3
> >         inet xxx.yyy.200.106 netmask 0xffffffff broadcast xxx.yyy.200.106
> >         inet xxx.yyy.200.107 netmask 0xffffffff broadcast xxx.yyy.200.107
> >         ether 00:50:da:1b:90:c3
> >         media: Ethernet autoselect (10baseT/UTP)
> >         status: active
> > lp0: flags=8810<POINTOPOINT,SIMPLEX,MULTICAST> mtu 1500
> > lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
> >         inet6 ::1 prefixlen 128
> >         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> >         inet 127.0.0.1 netmask 0xff000000
> > tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
> >         inet xxx.yyy.200.97 --> 207.136.64.4 netmask 0xffffff00
> >         Opened by PID 241
> >
> > /etc/ipnat.rules
> >
> > # nat the lan
> > map xl0 192.168.1.0/24 -> xxx.yyy.200.97/32
>
> try changing this to:
>
> map xl0 from 192.168.1.0/24 ! to xxx.yyy.200.99/32 -> xxx.yyy.200.97/32
>
> which basically tells ipnat to always use NAT unless you are speaking
> with your DMZ xxx.yyy.200.99/32
>
>
> Regards,
-- 
Nelis Lamprecht
PGP: http://www.8ball.co.za/pgp/nelis.key
"Unix IS user friendly.. It's just selective about who its friends are."
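The two fixes proposed in this thread, IP forwarding and Nelis's `! to` exception on the map rule, as one staged configuration. This is an added example and not part of the thread or of Jason's actual setup: it writes the rc.conf knobs and the ipnat rule into a scratch directory (DEST, a mktemp directory unless overridden) so it can be run anywhere without touching /etc, and only runs the live sysctl/ipnat commands on FreeBSD with APPLY=yes. Interface names and the placeholder addresses are taken from Jason's ifconfig output; excluding the whole DMZ /28 (xxx.yyy.200.96/28) rather than the single .99/32 host Nelis used is my generalization. Two checks I would make before trusting any of this, neither of which the thread establishes: `netstat -rn` should show the default route leaving on the interface the map rule names (the NAT address .97 in the post is tun0's address, not xl0's, so a rule bound to xl0 may never see the outbound traffic), and if tun0 is a ppp(8) tunnel, `nat enable yes` in ppp.conf would have ppp translating everything on its own, which is consistent with ipnat.rules appearing to be ignored.

```shell
#!/bin/sh
# Added example, not from the thread. Stages the settings an ipf/ipnat
# gateway needs (IP forwarding at boot, an ipnat map rule with a DMZ
# exception) into $DEST and verifies them; applies live only on FreeBSD
# and only when APPLY=yes.
set -eu

NAT_IF=xl0                    # interface the map rule is bound to (post used xl0)
LAN_NET=192.168.1.0/24        # inside network behind dc0
DMZ_NET=xxx.yyy.200.96/28     # dc1's /28, placeholder octets as in the post;
                              # my generalization of Nelis's single .99/32 host
NAT_IP=xxx.yyy.200.97/32      # public address the LAN is masqueraded behind

DEST=${DEST:-$(mktemp -d)}    # scratch directory unless the caller overrides it

stage_rc_conf() {
    # gateway_enable="YES" is what sets net.inet.ip.forwarding=1 at boot.
    # With it off, ipf and ipnat load their rules but the kernel never
    # routes packets between interfaces.
    cat > "$DEST/rc.conf.nat-snippet" <<EOF
gateway_enable="YES"
ipfilter_enable="YES"
ipfilter_rules="/etc/ipf.rules"
ipnat_enable="YES"
ipnat_rules="/etc/ipnat.rules"
EOF
}

stage_ipnat_rules() {
    # Nelis's form of the map rule: translate LAN sources leaving NAT_IF
    # except when the destination is in the DMZ, so LAN<->DMZ traffic
    # keeps its real addresses.
    cat > "$DEST/ipnat.rules" <<EOF
# nat the lan, but not LAN -> DMZ traffic
map $NAT_IF from $LAN_NET ! to $DMZ_NET -> $NAT_IP
EOF
}

verify_staged() {
    # Returns 0 only when every setting the thread turned out to need is present.
    grep -q '^gateway_enable="YES"' "$DEST/rc.conf.nat-snippet" || return 1
    grep -q '^ipnat_enable="YES"'   "$DEST/rc.conf.nat-snippet" || return 1
    grep -q "^map $NAT_IF from $LAN_NET ! to $DMZ_NET -> $NAT_IP\$" \
        "$DEST/ipnat.rules" || return 1
}

apply_live() {
    # Real commands; only meaningful as root on the FreeBSD gateway itself.
    if [ "$(uname -s)" != FreeBSD ]; then
        echo "not FreeBSD, skipping live apply" >&2
        return 0
    fi
    sysctl net.inet.ip.forwarding=1     # takes effect now; rc.conf covers reboot
    ipnat -CF -f "$DEST/ipnat.rules"    # flush rules and active mappings, load file
    ipnat -l                            # what the kernel actually has loaded
    sysctl net.inet.ip.forwarding       # should print 1
}

stage_rc_conf
stage_ipnat_rules
verify_staged
echo "staged in $DEST; merge rc.conf.nat-snippet into /etc/rc.conf by hand"
if [ "${APPLY:-no}" = yes ]; then
    apply_live
fi
```

On the gateway, `DEST=/etc APPLY=yes sh stage-nat.sh` writes /etc/ipnat.rules, loads it with `ipnat -CF -f`, and lists the result with `ipnat -l`; the snippet is written beside rc.conf rather than appended, so the reboot-time settings are merged deliberately. If `ipnat -l` shows the rule but outbound traffic still leaves untranslated or with the wrong source, the interface in the rule and the interface of the default route are the first two things to compare.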
