From owner-freebsd-questions Sun Jun 7 07:59:13 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA09987 for freebsd-questions-outgoing; Sun, 7 Jun 1998 07:59:13 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from www02.netaddress.usa.net (www02.netaddress.usa.net [204.68.24.22]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id HAA09961 for ; Sun, 7 Jun 1998 07:59:00 -0700 (PDT) (envelope-from carl.p.edwards@usa.net)
From: carl.p.edwards@usa.net
Received: (qmail 13114 invoked by uid 60001); 7 Jun 1998 14:58:30 -0000
Message-ID: <19980607145830.13113.qmail@www02.netaddress.usa.net>
Date: Sun, 07 Jun 1998 14:58:30
To: freebsd-questions@FreeBSD.ORG
Subject: NAT and IPFW security
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi,

Consider this network:

                      -----------------
                      | I-net router  |
                      | 123.123.123.1 |
                      -----------------
                              |
                              |
                              |
      ---------------------------       -------------
      | "eagle"                 |       | "sparrow" |
 >----| 123.123.123.2  10.1.1.1 |-------| 10.1.1.2  |
 |    | [ed0]          [ed1]    |       |           |
 |    ---------------------------       -------------
 |
 |    -----------------
 |    | "falcon"      |
 >----| 123.123.123.3 |
 *    -----------------

All computers are running FreeBSD 2.2.6. The server "eagle" is running NAT.

The way I figured it is that if "falcon" was set to have 123.123.123.2 as its default gateway rather than 123.123.123.1, a user on falcon would be able to access "sparrow" simply by telnetting or whatever to 10.1.1.2.

Now if this rule was applied on "eagle":

    1000 deny all from 123.123.123.1/24 to 10.1.1.1/24 via ed0

This would prevent that, right? But what if "falcon" had an HTTP daemon running and a user on "sparrow" wanted to browse it, would that also be blocked?

I'm not 100% clear on how IPFW and NAT work together, so any help would be appreciated.
Thanks
Carl
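The ordering question behind the post above, worked through as an added example (editor's code, not part of Carl's message and not FreeBSD's ipfw or natd implementation). It is a toy Python model of how ipfw walks a rule chain around a `divert natd` rule: the divert rule hands the packet to natd, and evaluation resumes at the rule after the divert with whatever addresses natd handed back. The model assumes the usual `divert natd all from any to any via ed0` setup, a default-deny end of chain, and that natd keeps the source port unchanged; the three packets (falcon reaching 10.1.1.2 directly, sparrow's HTTP SYN to falcon, and falcon's reply) are constructed.

```python
"""Toy model of ipfw rule evaluation around a natd divert rule.

Constructed example with simplified semantics; it is not the FreeBSD kernel
or natd code.  Actions modelled: deny, allow, divert.  'via IFACE' matches a
packet crossing that interface in either direction, as in real ipfw.
"""
import ipaddress
from dataclasses import dataclass, replace

EAGLE_PUBLIC = "123.123.123.2"   # eagle's outside address (ed0)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    iface: str       # interface the packet crosses on eagle
    direction: str   # "in" or "out" relative to eagle


def rule(num, action, src, dst, via):
    """Build a rule tuple.  ipfw masks host bits, so 123.123.123.1/24 means
    the whole 123.123.123.0/24 network (strict=False does the same here)."""
    net = lambda a: ipaddress.ip_network(a, strict=False)
    return (num, action, net(src), net(dst), via)


def matches(r, pkt):
    _, _, src_net, dst_net, via = r
    return (ipaddress.ip_address(pkt.src) in src_net
            and ipaddress.ip_address(pkt.dst) in dst_net
            and (via is None or via == pkt.iface))


class Natd:
    """Stand-in for natd: rewrites the private source of outbound packets to
    the public address and maps replies back.  Assumes the source port is
    kept unchanged (natd does so when the port is free)."""

    def __init__(self, public_ip, private_net):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.sessions = {}   # (remote ip, remote port, local port) -> private ip

    def translate(self, pkt):
        if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in self.private_net:
            self.sessions[(pkt.dst, pkt.dport, pkt.sport)] = pkt.src
            return replace(pkt, src=self.public_ip)
        if pkt.direction == "in" and pkt.dst == self.public_ip:
            private = self.sessions.get((pkt.src, pkt.sport, pkt.dport))
            if private is not None:
                return replace(pkt, dst=private)
        return pkt   # not one of natd's sessions: passed through untouched


def run_chain(rules, natd, pkt):
    """Walk the chain in rule-number order.  After a divert, evaluation
    resumes at the rule following the divert rule, with the packet natd
    handed back (possibly with rewritten addresses)."""
    for r in sorted(rules, key=lambda x: x[0]):
        if not matches(r, pkt):
            continue
        if r[1] == "divert":
            pkt = natd.translate(pkt)
            continue
        return r[1], pkt
    return "deny", pkt       # assumed default-deny at the end of the chain


def evaluate(rules):
    """Run the three flows from the post through the chain.  The sparrow
    flows are modelled only on their ed0 leg; the ed1 leg never matches a
    'via ed0' rule."""
    natd = Natd(EAGLE_PUBLIC, "10.1.1.0/24")
    verdicts = {}
    # 1. falcon routes via eagle and telnets straight to sparrow's 10.x address
    direct = Packet("123.123.123.3", "10.1.1.2", 40000, 23, "ed0", "in")
    verdicts["falcon->sparrow direct"] = run_chain(rules, natd, direct)[0]
    # 2. sparrow opens an HTTP connection to falcon; the SYN leaves on ed0
    syn = Packet("10.1.1.2", "123.123.123.3", 50000, 80, "ed0", "out")
    verdict, syn_out = run_chain(rules, natd, syn)
    verdicts["sparrow->falcon http"] = verdict
    # 3. falcon's reply arrives on ed0, addressed to whatever source it saw
    reply = Packet("123.123.123.3", syn_out.src, 80, syn_out.sport, "ed0", "in")
    verdicts["falcon->sparrow http reply"] = run_chain(rules, natd, reply)[0]
    return verdicts


DENY = ("deny", "123.123.123.1/24", "10.1.1.1/24", "ed0")   # the rule from the post
DIVERT = ("divert", "0.0.0.0/0", "0.0.0.0/0", "ed0")        # divert natd all from any to any via ed0
ALLOW = ("allow", "0.0.0.0/0", "0.0.0.0/0", None)

# Deny numbered below the divert: replies reach rule 1000 still addressed
# to 123.123.123.2, so only falcon's direct packets to 10.x are dropped.
RULES_DENY_FIRST = [rule(1000, *DENY), rule(2000, *DIVERT), rule(65000, *ALLOW)]
# Divert numbered below the deny: replies are rewritten to 10.1.1.2 first and
# then look exactly like the traffic rule 1000 is meant to drop.
RULES_DIVERT_FIRST = [rule(50, *DIVERT), rule(1000, *DENY), rule(65000, *ALLOW)]

if __name__ == "__main__":
    for name, rules in (("deny before divert", RULES_DENY_FIRST),
                        ("divert before deny", RULES_DIVERT_FIRST)):
        print(name, evaluate(rules))
```

Both chains drop falcon's direct connection to 10.1.1.2, so the rule does what the post hopes. Whether sparrow can still browse falcon depends on where rule 1000 sits relative to the divert rule: with the deny ahead of the divert, falcon's replies arrive addressed to 123.123.123.2, miss the deny, and are translated back to 10.1.1.2; with the divert ahead of the deny (the common placement, since rc.firewall style setups put the divert rule near the top), the translated reply now has a 123.123.123.x source and a 10.1.1.x destination on ed0 and is dropped, which silently breaks every session sparrow opens to a host on the outside network. A deny of that shape therefore belongs before the divert rule, and a packet trace on ed0 while browsing from sparrow is the quickest way to confirm which case a live box is in.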