Date: Wed, 02 Jun 2004 16:52:09 -0700
From: OpenMacNews <freebsd-ipfw.20.openmacews@spamgourmet.com>
To: freebsd-ipfw <freebsd-ipfw@freebsd.org>
Subject: any ipfw + nat gurus out there?
Message-ID: <183AEFC8C407F14A0032B498@[172.30.11.6]>
hi all,

i've gotten no "bites" so far on my 1st "i'm SO confused!" email, so I'll try a narrower example/question ...

in the simple case of

    [public internet]
           |
           |
    [ISP's gateway router]
      external IP = R.R.R.R
           |
           |
    ====FIREWALL============================
      NIC card 1 ("exif"), multihomed
        external IP = A.A.A.1
        external IP = A.A.A.2
           |
           |
      ipfw
        natd1 on external IP A.A.A.1
        natd2 on external IP A.A.A.2
           |
           |
      NIC card 3, internal IP = 10.0.0.B
    ===========================================
           |
           |
           |
           |
           |
    =====WORKSTATION===========================
      NIC card 1, internal IP = 10.0.0.C
    ===========================================

using SSH as a service example, i'd like to:

  - allow a public internet address, IP = C.C.C.1, to ssh to WORKSTATION *only* via EXTERNAL ip = A.A.A.1
  - allow a public internet address, IP = C.C.C.2, to ssh to WORKSTATION *only* via EXTERNAL ip = A.A.A.2
  - allow ssh from WORKSTATION to ANY internal/external IP primarily via A.A.A.1, except ssh traffic TO C.C.C.2 should be OUT via A.A.A.2
  - deny all other ssh traffic

to do this, I can understand that i'm going to have to "remember" some state .... unfortunately, I've only gotten the following figured out ...

1st, I enable IP forwarding:

    /usr/sbin/sysctl -w net.inet.ip.forwarding=1 > /dev/null

then I launch a NATd instance on EACH of the firewall box's external interfaces, exipA & exipB, and enable redirection to WORKSTATION

    # variables
    exipA="A.A.A.1"
    exipB="A.A.A.2"
    inip="10.0.0.B"
    gateway="R.R.R.R"
    natd_portA_in="8668"
    natd_portA_out="8669"
    natd_portB_in="8670"
    natd_portB_out="8671"

    # natd instances
    /usr/sbin/natd \
        -alias_address ${exipA} \
        -in_port ${natd_portA_in} \
        -out_port ${natd_portA_out} \
        -dynamic -use_sockets -same_ports -unregistered_only -log -log_denied \
        -redirect_port tcp ${WORKSTATION}:22 22

    /usr/sbin/natd \
        -alias_address ${exipB} \
        -in_port ${natd_portB_in} \
        -out_port ${natd_portB_out} \
        -dynamic -use_sockets -same_ports -unregistered_only -log -log_denied \
        -redirect_port tcp ${WORKSTATION}:22 22

Now the rest is what I need some guidance on ...

1st, for the single-case ssh traffic from WORKSTATION to public internet address = C.C.C.2, which MUST travel via A.A.A.2, I think

    ${fwcmd} add 10000 divert ${natd_portB_out} ip from ${inip} to C.C.C.2 22 out xmit ${exif}

does the trick. however, my understanding is that, after natd, the ip packet's src will be rewritten to IP of exipB, so I may need to send via fwd the packet to next-hop -- i.e., the ISP's gateway router, using

    ${fwcmd} add 10005 fwd ${gateway} ip from ${exipA} to any

2nd, for the catch-all outbound ssh case, outbound must travel via A.A.A.1

    ${fwcmd} add 11000 divert ${natd_portA_out} ip from ${inip} to any out xmit ${exif}

and again,

    ${fwcmd} add 11005 fwd ${gateway} ip from ${exipB} to any

and last, general INBOUND catch all traffic via public internet to EITHER exipA or exipB

    ${fwcmd} add 12000 divert ${natd_portA_in} ip from any to any in via ${exifA}
    ${fwcmd} add 12010 skipto 50000 ip from any to any
    ${fwcmd} add 13000 divert ${natd_portB_ip} ip from any to any in via ${exifA}
    ${fwcmd} add 13010 skipto 50000 ip from any to any
    # 50000 ( ... continue processing ... )

which, in summary, looks like:

    ${fwcmd} add 10000 divert ${natd_portB_out} ip from ${inip} to C.C.C.2 22 out xmit ${exif}
    ${fwcmd} add 10005 fwd ${gateway} ip from ${exipA} to any
    ${fwcmd} add 11000 divert ${natd_portA_out} ip from ${inip} to any out xmit ${exif}
    ${fwcmd} add 11005 fwd ${gateway} ip from ${exipB} to any
    ${fwcmd} add 12000 divert ${natd_portA_in} ip from any to any in via ${exifA}
    ${fwcmd} add 12010 skipto 50000 ip from any to any
    ${fwcmd} add 13000 divert ${natd_portB_ip} ip from any to any in via ${exifA}
    ${fwcmd} add 13010 skipto 50000 ip from any to any
    # 50000 ( ... continue processing ... )

i am NOT at all sure that I'm accomplishing what I want/need here ... AND if/where I stick any necessary DENY rules (on EXTERNAL or INTERNAL addresses?)

any help is much appreciated !!

richard
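One way to lay out a ruleset for the two-natd-on-one-NIC layout above, as an added example that is not from the original post or any reply to it. The per-public-address ssh restriction is checked before the divert rules, because after natd both A.A.A.1:22 and A.A.A.2:22 have become 10.0.0.C:22 and can no longer be told apart; the interface names fxp0/fxp1 and the default of printing the rules instead of loading them are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: one way to express the ssh
# policy described above for two natd instances on one external NIC.
# Assumed (not in the post): interface names fxp0/fxp1, the post's placeholder
# addresses, and natd already listening on the four divert ports it lists.
# FWCMD defaults to "echo ipfw", so running this only prints the ruleset.
FWCMD=${FWCMD:-echo ipfw}

exif="fxp0"                          # external NIC, carries A.A.A.1 and A.A.A.2
inif="fxp1"                          # internal NIC, 10.0.0.B
exipA="A.A.A.1"; exipB="A.A.A.2"
workstation="10.0.0.C"; lan="10.0.0.0/24"
peerA="C.C.C.1"; peerB="C.C.C.2"
natdA_in=8668; natdA_out=8669; natdB_in=8670; natdB_out=8671

load_rules() {
    $FWCMD add 100 allow ip from any to any via lo0
    $FWCMD add 110 allow ip from any to any via $inif   # LAN side trusted here

    # 1. ssh admission is decided BEFORE natd, while the public alias is still
    #    the destination: after translation both aliases become 10.0.0.C:22,
    #    so "C.C.C.1 only via A.A.A.1" can no longer be told apart.
    $FWCMD add 1000 deny tcp from not $peerA to $exipA 22 in via $exif setup
    $FWCMD add 1010 deny tcp from not $peerB to $exipB 22 in via $exif setup
    $FWCMD add 1020 deny tcp from not $workstation to any 22 out via $exif setup

    # 2. translation: inbound instance picked by alias address; outbound,
    #    everything addressed to C.C.C.2 (new sessions and replies to its
    #    inbound ssh alike) goes through natd B, the rest through natd A.
    $FWCMD add 2000 divert $natdA_in ip from any to $exipA in via $exif
    $FWCMD add 2010 divert $natdB_in ip from any to $exipB in via $exif
    $FWCMD add 2020 divert $natdB_out ip from $lan to $peerB out via $exif
    $FWCMD add 2030 divert $natdA_out ip from $lan to any out via $exif

    # 3. divert re-injects at the next rule with translated addresses, so
    #    these see 10.0.0.C on the way in and A.A.A.1/A.A.A.2 on the way out.
    $FWCMD add 3000 allow tcp from $peerA to $workstation 22 in via $exif setup
    $FWCMD add 3010 allow tcp from $peerB to $workstation 22 in via $exif setup
    $FWCMD add 3020 allow tcp from $exipA to any 22 out via $exif setup
    $FWCMD add 3030 allow tcp from $exipB to $peerB 22 out via $exif setup
    $FWCMD add 3040 allow tcp from any to any established

    # 4. everything else (other services, ICMP, ...) would go here.
    $FWCMD add 50000 deny log ip from any to any
}
# Number of rules the script would load; used as a quick sanity check.
rule_count() { load_rules | grep -c ' add '; }
load_rules
```

With FWCMD=/sbin/ipfw the same script loads the rules instead of printing them; the placeholder addresses must of course be replaced by real ones first.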