From: OpenMacNews
To: freebsd-ipfw
Date: Wed, 02 Jun 2004 16:52:09 -0700
Subject: any ipfw + nat gurus out there?
Message-ID: <183AEFC8C407F14A0032B498@[172.30.11.6]>
List-Id: IPFW Technical Discussions

hi all,

i've gotten no "bites" so far on my 1st "i'm SO confused!" email, so I'll try a narrower example/question ...
in the simple case of

              [public internet]
                     |
                     |
            [ISP's gateway router]
             external IP = R.R.R.R
                     |
                     |
    ====FIREWALL============================
      NIC card 1 ("exif"), multihomed
        external IP = A.A.A.1        external IP = A.A.A.2
                     |                        |
                   ipfw
        natd1 on external IP A.A.A.1   natd2 on external IP A.A.A.2
                     |
                     |
      NIC card 3, internal IP = 10.0.0.B
    ===========================================
                     |
                     |
    =====WORKSTATION===========================
      NIC card 1, internal IP = 10.0.0.C
    ===========================================

using SSH as a service example, i'd like to:

  - allow a public internet address, IP = C.C.C.1, to ssh to WORKSTATION *only* via EXTERNAL ip = A.A.A.1
  - allow a public internet address, IP = C.C.C.2, to ssh to WORKSTATION *only* via EXTERNAL ip = A.A.A.2
  - allow ssh from WORKSTATION to ANY internal/external IP primarily via A.A.A.1, except ssh traffic TO C.C.C.2 should be OUT via A.A.A.2
  - deny all other ssh traffic

to do this, I can understand that i'm going to have to "remember" some state .... unfortunately, I've only gotten the following figured out ...

1st, I enable IP forwarding:

    /usr/sbin/sysctl -w net.inet.ip.forwarding=1 > /dev/null

then I launch a NATd instance on EACH of the firewall box's external interfaces, exipA & exipB, and enable redirection to WORKSTATION

    # variables
    exipA="A.A.A.1"
    exipB="A.A.A.2"
    inip="10.0.0.B"
    WORKSTATION="10.0.0.C"        # WORKSTATION's internal IP (see diagram)
    gateway="R.R.R.R"
    natd_portA_in="8668"
    natd_portA_out="8669"
    natd_portB_in="8670"
    natd_portB_out="8671"

    # natd instances: one per external alias, each listening on its own
    # in/out divert ports and redirecting inbound tcp/22 to WORKSTATION
    /usr/sbin/natd \
        -alias_address ${exipA} \
        -in_port ${natd_portA_in} \
        -out_port ${natd_portA_out} \
        -dynamic -use_sockets -same_ports -unregistered_only -log -log_denied \
        -redirect_port tcp ${WORKSTATION}:22 22
    /usr/sbin/natd \
        -alias_address ${exipB} \
        -in_port ${natd_portB_in} \
        -out_port ${natd_portB_out} \
        -dynamic -use_sockets -same_ports -unregistered_only -log -log_denied \
        -redirect_port tcp ${WORKSTATION}:22 22

Now the rest is what I need some guidance on ...
1st, for the single-case ssh traffic from WORKSTATION to public internet address = C.C.C.2, which MUST travel via A.A.A.2, I think

    ${fwcmd} add 10000 divert ${natd_portB_out} ip from ${inip} to C.C.C.2 22 out xmit ${exif}

does the trick. however, my understanding is that, after natd, the ip packet's src will be rewritten to the IP of exipB, so I may need to send the packet via fwd to the next-hop -- i.e., the ISP's gateway router, using

    ${fwcmd} add 10005 fwd ${gateway} ip from ${exipA} to any

2nd, for the catch-all outbound ssh case, outbound must travel via A.A.A.1

    ${fwcmd} add 11000 divert ${natd_portA_out} ip from ${inip} to any out xmit ${exif}

and again,

    ${fwcmd} add 11005 fwd ${gateway} ip from ${exipB} to any

and last, general INBOUND catch-all traffic via public internet to EITHER exipA or exipB

    ${fwcmd} add 12000 divert ${natd_portA_in} ip from any to any in via ${exif}
    ${fwcmd} add 12010 skipto 50000 ip from any to any
    ${fwcmd} add 13000 divert ${natd_portB_in} ip from any to any in via ${exif}
    ${fwcmd} add 13010 skipto 50000 ip from any to any
    # 50000 ( ... continue processing ... )

which, in summary, looks like:

    ${fwcmd} add 10000 divert ${natd_portB_out} ip from ${inip} to C.C.C.2 22 out xmit ${exif}
    ${fwcmd} add 10005 fwd ${gateway} ip from ${exipA} to any
    ${fwcmd} add 11000 divert ${natd_portA_out} ip from ${inip} to any out xmit ${exif}
    ${fwcmd} add 11005 fwd ${gateway} ip from ${exipB} to any
    ${fwcmd} add 12000 divert ${natd_portA_in} ip from any to any in via ${exif}
    ${fwcmd} add 12010 skipto 50000 ip from any to any
    ${fwcmd} add 13000 divert ${natd_portB_in} ip from any to any in via ${exif}
    ${fwcmd} add 13010 skipto 50000 ip from any to any
    # 50000 ( ... continue processing ... )

i am NOT at all sure that I'm accomplishing what I want/need here ... AND if/where I stick any necessary DENY rules (on EXTERNAL or INTERNAL addresses?)

any help is much appreciated !!

richard
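One way to lay out a ruleset for the four requirements in the post, as an added example that is not from the original post or from FreeBSD. It assumes the NIC names fxp0/fxp1, the internal network 10.0.0.0/24, the natd ports and -redirect_port setup shown above, and that both aliases reach the ISP gateway through the one default route, so no fwd rule is used.

```sh
#!/bin/sh
# Added example, not the poster's script: an ipfw ruleset for the ssh policy in
# the post. Assumes one external NIC carrying both aliases, a single default
# route to the ISP gateway (so no fwd rules are needed), the natd ports used in
# the post, and both natd instances started with -redirect_port tcp 10.0.0.C:22 22.
fwcmd="${fwcmd:-/sbin/ipfw}"
exif="fxp0"; inif="fxp1"        # assumed NIC names
inip="10.0.0.0/24"              # assumed internal network
workstation="10.0.0.C"
exipA="A.A.A.1"; exipB="A.A.A.2"
natd_portA_in=8668; natd_portA_out=8669; natd_portB_in=8670; natd_portB_out=8671

ruleset() {
  # The internal NIC is trusted; every policy decision is made on the external NIC.
  echo "add 500 allow ip from any to any via ${inif}"
  # Anti-spoof: private addresses never arrive from outside untranslated. natd
  # re-injects at the rule after its divert, so de-NATed packets never see 900.
  echo "add 900 deny log ip from any to ${inip} in via ${exif}"
  echo "add 910 deny log ip from ${inip} to any in via ${exif}"
  # Inbound: de-NAT per alias. Only a de-NATed packet has an internal destination,
  # so the skipto behind each divert selects the ACL for the alias it arrived on.
  echo "add 1000 divert ${natd_portA_in} ip from any to ${exipA} in via ${exif}"
  echo "add 1010 skipto 2000 ip from any to ${inip} in via ${exif}"
  echo "add 1020 divert ${natd_portB_in} ip from any to ${exipB} in via ${exif}"
  echo "add 1030 skipto 3000 ip from any to ${inip} in via ${exif}"
  echo "add 1040 skipto 50000 ip from any to any in via ${exif}"  # firewall's own traffic
  # Arrived on A.A.A.1: ssh to WORKSTATION from C.C.C.1 only, deny right behind it.
  echo "add 2000 allow tcp from C.C.C.1 to ${workstation} 22"
  echo "add 2010 deny log tcp from any to ${workstation} 22"
  echo "add 2020 skipto 50000 ip from any to any"
  # Arrived on A.A.A.2: ssh to WORKSTATION from C.C.C.2 only.
  echo "add 3000 allow tcp from C.C.C.2 to ${workstation} 22"
  echo "add 3010 deny log tcp from any to ${workstation} 22"
  echo "add 3020 skipto 50000 ip from any to any"
  # Outbound: pick the natd (hence the source alias) while the packet still has
  # its private source. Everything WORKSTATION<->C.C.C.2 uses B, the rest uses A.
  echo "add 4000 divert ${natd_portB_out} ip from ${workstation} to C.C.C.2 out xmit ${exif}"
  echo "add 4010 divert ${natd_portA_out} ip from ${inip} to any out xmit ${exif}"
  # After translation the source is an alias: ssh may leave only with the intended one.
  echo "add 4100 allow tcp from ${exipB} to C.C.C.2 22 out xmit ${exif}"
  echo "add 4110 allow tcp from ${exipA} to any 22 out xmit ${exif}"
  echo "add 4120 deny log tcp from any to any 22 out xmit ${exif}"
  # Replies of the sessions allowed above, then the catch-all ssh deny.
  echo "add 50000 allow tcp from any to any established"
  echo "add 50010 deny log tcp from any to any 22"
}

# Run with "apply" to load the rules; without it the script only prints them.
if [ "${1:-}" = "apply" ]; then ruleset | while read -r r; do ${fwcmd} -q ${r}; done; fi
```

The deny rules sit on the de-NATed internal address directly behind each alias's allow (so they see the packet after natd has rewritten it), with one catch-all for port 22 after the established rule.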