Date: Wed, 7 Aug 2002 15:08:25 -0700 From: "Carl Forsythe" <cforsythe@avantgo.com> To: <freebsd-ipfw@freebsd.org> Subject: ipfw+nat rules question Message-ID: <4C4CB317C3CD6A40AAF9B1C7686696699018C7@kali.avantgo.com>
Hi folks,

Some questions about rule processing with ipfw and natd; if this is better suited for -questions let me know and I'll send it off to there.

OK, the situation/network layout is thus: Box A provides NAT/ipfw services to Box B, which is on a private network. Box A is dual homed to Net A and Net B. Box B has certain services on it that need to be accessible to a block of addresses only, or in some cases only a certain other server. Box B also has a requirement that it needs to make outbound requests to an external service provider. Box A acts as the default gateway for Box B. Net A is firewalled from the internet by another firewall entirely.

I set up an aliased IP on Box A to represent Box B to the machines that need to talk to it. Was this necessary for external servers to talk to Box B, or would normal port redirection be sufficient in this case? I do however want Box B to be pingable for our monitoring system, which resides out on Net A.

So the questions I have at this point:

1) Using the redirect_port function of natd, can I specify a network with mask instead of a host for the third argument? i.e.

redirect_port tcp Box_B:80 Box_A_Alias:80 Net_A/24

Failing the above, where in the ipfw ruleset would I place any rules for traffic destined to Box B, before the natd divert or after it? If after the divert, what IP address do I use? The external Box A alias, or the translated Box B address? What does the source address look like after the divert? Has it been translated to Box A's Net B address at that point?

/sbin/ipfw add pass tcp from Net A/24 to ??? 80 setup

So to sum it up, Box B has a limited number of services that only need to be available to servers that are on Net A. Box A provides NAT/ipfw services to Box B. Box B needs to be able to talk to an external web server(s), Box B needs to be able to resolve DNS, Box B needs to talk to our NTP server.

What I'm not grasping is what address to use in the ipfw rules to identify Box B and where in the rules to place those checks, before the natd divert using the external alias address or after the divert using ?

Thanks in advance for any help,

Carl Forsythe
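Added example, not part of the mail above or any reply to it: a minimal ipfw ruleset skeleton for the Box A / Box B layout, showing which address a rule has to name depending on whether it sits before or after the natd divert, plus a small check that no rule naming Box B on the outside interface is placed ahead of the divert. The interface name, addresses, and the assumption that natd is started with a redirect_address mapping Box B 1:1 to the alias are all constructed placeholders.

```shell
#!/bin/sh
# Constructed placeholders for the layout described in the mail.
EXT_IF="fxp0"              # Box A's interface on Net A
NET_A="192.0.2.0/24"       # Net A, the only network that may reach Box B
BOX_A_ALIAS="192.0.2.10"   # alias on Box A standing in for Box B on Net A
BOX_B="10.0.0.2"           # Box B's private address on Net B
# Assumed natd setup: "redirect_address 10.0.0.2 192.0.2.10" in natd.conf,
# so the alias maps 1:1 to Box B (this also covers ICMP echo for monitoring).

# Print the ruleset in processing order. ipfw walks rules by number and
# natd reinjects a translated packet at the rule following the divert.
gen_rules() {
    # Before the divert an inbound packet still carries the untranslated
    # destination, so a pre-NAT filter names the alias, not Box B.
    echo "00100 deny tcp from not ${NET_A} to ${BOX_A_ALIAS} 80 in via ${EXT_IF}"
    # 'via' matches both directions: inbound dst alias -> Box B,
    # outbound src Box B -> alias.
    echo "00200 divert natd ip from any to any via ${EXT_IF}"
    # After the divert the inbound destination is already Box B's private
    # address, so the allow rule for the web service names BOX_B.
    echo "00300 allow tcp from ${NET_A} to ${BOX_B} 80 in via ${EXT_IF} setup"
    # After the divert an outbound packet from Box B carries the alias as
    # source; a post-NAT outbound rule naming BOX_B would never match, and
    # an allow naming BOX_B placed before the divert would bypass natd.
    echo "00400 allow udp from ${BOX_A_ALIAS} to any 53,123 out via ${EXT_IF}"
    echo "00410 allow tcp from ${BOX_A_ALIAS} to any 80,443 out via ${EXT_IF} setup"
    echo "00500 allow tcp from any to any established"
    echo "00600 allow icmp from ${NET_A} to ${BOX_B} icmptypes 8 in via ${EXT_IF}"
    echo "65000 deny ip from any to any"
}

# Read a ruleset on stdin; fail if any rule names Box B together with the
# outside interface before the divert has been seen.
rule_order_ok() {
    awk -v ext="$EXT_IF" -v boxb="$BOX_B" '
        $2 == "divert" { seen = 1 }
        index($0, boxb) && index($0, ext) && !seen { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}
```

Run `gen_rules` to print the ruleset, or `gen_rules | rule_order_ok` to check its ordering before loading it.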