Date: Thu, 21 Jun 2001 14:42:15 -0500 From: "Chuck Rock" <carock@epconline.net> To: <freebsd-ipfw@FreeBSD.ORG> Subject: RE: Natd and IPFW ( I think I've asked before with no help)... Message-ID: <003101c0fa8a$46041f40$1805010a@epconline.net> In-Reply-To: <Pine.BSF.4.21.0106211344080.13834-100000@cody.jharris.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I misunderstood my techs... The forwarding of aliased IP's is working fine. The port forwarding for aliased IP's they couldn't get working. I'm going to make sure we've tried all the possible commands for forwarding ports before I post again. What I'm told now is that the aliased real IP's on an interface can't be forwarded by port number to an internal IP. xl0 has inet=206.206.206.206 and alias IP of 206.206.206.207 and they want to forward port 80 coming into the alias ip 206.206.206.207 to 10.0.0.1 and port 25 coming into 206.206.206.207 to 10.0.0.2 They haven't figured out how to get this working. If anyone has succesfully done this, a little help figuring out which of the three port forwarding command sytax's to use would be great. The portsentry problem is a question for them (Psionic). It appears any aliased IP's that are forwarded by NAT are not protected by Portsentry. If they are just aliases, and not forwarded by NAT, Portsentry will successfuly add portscans to IPFW. Thanks for your help. Chuck > -----Original Message----- > From: owner-freebsd-ipfw@FreeBSD.ORG > [mailto:owner-freebsd-ipfw@FreeBSD.ORG]On Behalf Of Nick Rogness > Sent: Thursday, June 21, 2001 2:06 PM > To: Chuck Rock > Cc: freebsd-ipfw@FreeBSD.ORG > Subject: Re: Natd and IPFW ( I think I've asked before with no help)... > > > On Thu, 21 Jun 2001, Chuck Rock wrote: > > > We are deploying FreeBSD firewalls with NATD running as well. > > > > Problem 1. > > We have aliased real IP's on an interface, but natd.cf only lets us > > forward ports from the original interface IP, not from the aliased > > IP's. So we have to like four network cards and multiple firewalls to > > accomplish the desired routing of ports by real IP address to internal > > private IP's. > > > > Has anyone fixed this, or come up with a better solution? > > I'm not clear on what you are saying here. > alias_address option of nat will let you specify your outside > address...it doesn't have to be bound to any interface. > > redirect_address works like Static NAT if that is what you want. > > Please Clarify what you mean...from the outside to the inside OR > from the inside to the outside? > > > > > Problem 2. > > We also use Portsentry, and when we forward ports with natd, they > > forward BEFORE portsentry can see them. So if we have an internal > > machine as a mail server, and forward a real IP to an internal IP for > > port 25, but we use portsentry to watch traffic on that real IP, it > > never sees portscans on IP because natd never passes the packets that > > don't match the forwarding to the level that Portsentry is watching. > > Hmmm, not sure what to do here. I'm not sure how PortSentry > works. If it uses BPF to watch traffic it should work, so it must > not use that... > > Is Port sentry listening on the outside interface? > > > > > Would running natd from rc.local aleviate this? Is that possible? > > > That has nothing to do with it. That just deals with loading > progams when booting the system. ANd yes, you can start natd from > rc.local. > > > Nick Rogness <nick@rogness.net> > - Keep on Routing in a Free World... > "FreeBSD: The Power to Serve!" > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-ipfw" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-ipfw" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?003101c0fa8a$46041f40$1805010a>