Date:      Thu, 29 Sep 2011 20:09:11 +0200
From:      Marek Salwerowicz <marek_sal@wp.pl>
To:        Freddie Cash <fjwcash@gmail.com>, freebsd-net@freebsd.org
Subject:   Re: ipfw - accessing DMZ from LAN
Message-ID:  <4E84B447.7010509@wp.pl>
In-Reply-To: <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7+GgpFC-HkUg@mail.gmail.com>
References:  <4E412116.1070305@wp.pl> <CAOjFWZ4B3uUfOLAzL=B1WY98rqi6X32j7FM61VjJ3td76NkADg@mail.gmail.com> <4E422A74.3090601@wp.pl> <CAOjFWZ5CK62nQMA8JsfW1b4BQh3hAJbAAynortzaUBqSWBwdSQ@mail.gmail.com> <4E7B450F.5050802@wp.pl> <CAOjFWZ6wf9NnVeffUV4uA6h1t-1T8juxXycZbM7+GgpFC-HkUg@mail.gmail.com>

On 2011-09-26 21:20, Freddie Cash wrote:
>
> Your rules are too generic, they will not work for a double-NAT setup.
> Each and every single rule must specify the network interface.  And it must
> specify whether it's incoming (in recv) or outgoing (out xmit) traffic.
>   Don't use "via" anywhere.
>
> While it's easier to use generic rules to start with, you really need to get
> very specific, at least for the double-NAT setup.
>
> See my example above.
>

I looked at it, but I have problems understanding the rules.
So far I understand the double NAT like this:

1. There are two NAT instances, one for the LAN, the other for the DMZ host 
(with public address redirection to the DMZ private IP). The first is 
$lanport, the other $dmzport. The LAN interface is $LANIF, the DMZ 
interface is $DMZIF.

2. When a client from the LAN wants to connect to the DMZ host, using the DMZ public 
IP *only*, the packet goes like this:

     i. the packet is allowed to enter the router through the DMZ NAT port ($dmzport) and $LANIF:
         ipfw add divert $dmzport ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF
         ipfw add allow ip from $LAN to $DMZ_PUBLIC_IP in recv $LANIF   <--- why in your example are you using PRIVATE_IP instead of PUBLIC?
     ii. the packet is redirected to go out to the DMZ, using the DMZ NAT port:
         ipfw add divert $dmzport ip from $LAN to $DMZ_PRIVATE_IP out xmit $DMZIF
         ipfw add allow ip from $ROUTER_PUBLIC_IP to $DMZ_PRIVATE_IP out xmit $DMZIF

3. When the DMZ host wants to connect to a LAN client:

     i. the packet goes to the router through the DMZ NAT port and $DMZIF:
         ipfw add divert $dmzport ip from $DMZ_PRIVATE_IP to $ROUTER_PUBLIC_IP in recv $DMZIF
         ipfw add allow ip from $DMZ_PRIVATE_IP to $LAN in recv $DMZIF
     ii. the packet is redirected to the LAN (using _which_ NAT port? The one for the LAN or the one for the DMZ?)
         ipfw add divert $lanport ip from $DMZ_PRIVATE_IP to $LAN out xmit $LANIF   (I am *not* sure here)
         ipfw add allow ip from $DMZ_PUBLIC_IP to $LAN out xmit $LANIF

4. Is it OK? What's the port in step 3.ii?


If I also want to set up NAT rules for my LAN (to allow it to access 
the Internet and the router), and also for my DMZ hosts (also for the 
Internet), what should be the order of the rules?
First 'LAN-DMZ', then 'DMZ', then 'LAN'?

Regards,

-- 
Marek Salwerowicz
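The double-NAT layout discussed in this thread, written out as one complete rule list in the style the quoted advice asks for (every rule names its interface and its direction, none uses "via"). This is an added example, not Freddie's or Marek's ruleset: the interface names (em0, em1, em2), the addresses, the divert ports, and the natd command lines it relies on are all made up for illustration. It also makes one assumption the thread has not settled: the LAN-to-DMZ-public-IP traffic is sent through the DMZ natd instance in both directions, on the reasoning that a natd started with -n and -redirect_address rewrites the LAN source to the router's public address on the way out, so the DMZ host's reply comes back through the router and gets its source rewritten to the DMZ public address on the way back in. The script prints the rules by default and loads them only when run with APPLY=1 on a FreeBSD host.

```sh
#!/bin/sh
# Hypothetical double-NAT ipfw layout (added example, not the thread's own rules).
# Every rule carries its interface and direction; no rule uses "via".
# All names, addresses and ports below are made up for illustration.
EXTIF=em0;  ROUTER_PUB=203.0.113.1                   # public side of the router
LANIF=em1;  LAN=192.168.1.0/24                        # LAN, masqueraded by $lanport
DMZIF=em2;  DMZ_PRIV=10.0.0.10;  DMZ_PUB=203.0.113.10 # DMZ host, 1:1 mapped by $dmzport
lanport=8668; dmzport=8669

# Assumed natd instances (started elsewhere, not by this script):
#   natd -p $lanport -n $EXTIF
#   natd -p $dmzport -n $EXTIF -redirect_address $DMZ_PRIV $DMZ_PUB
# In this example the second instance handles all LAN<->DMZ "hairpin" traffic.

# Print one rule; with APPLY=1 also load it into the kernel.
rule() {
    printf 'add %s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then ipfw -q add "$@"; fi
}

ipfw_ruleset() {
    rule allow ip from any to any in recv lo0
    rule allow ip from any to any out xmit lo0

    # 1. LAN -> DMZ public IP (hairpin). A diverted packet re-enters the
    #    ruleset at the next rule, so each allow sees the translated addresses.
    rule divert $dmzport ip from $LAN to $DMZ_PUB in recv $LANIF
    rule allow ip from $LAN to $DMZ_PRIV in recv $LANIF
    rule divert $dmzport ip from $LAN to $DMZ_PRIV out xmit $DMZIF
    rule allow ip from $ROUTER_PUB to $DMZ_PRIV out xmit $DMZIF

    # 2. Return path of the hairpin: DMZ host answers the router's public
    #    address, the same natd instance maps it back to the LAN client.
    rule divert $dmzport ip from $DMZ_PRIV to $ROUTER_PUB in recv $DMZIF
    rule allow ip from $DMZ_PRIV to $LAN in recv $DMZIF
    rule divert $dmzport ip from $DMZ_PRIV to $LAN out xmit $LANIF
    rule allow ip from $DMZ_PUB to $LAN out xmit $LANIF

    # 3. DMZ <-> Internet through $dmzport on the external interface.
    rule divert $dmzport ip from any to $DMZ_PUB in recv $EXTIF
    rule allow ip from any to $DMZ_PRIV in recv $EXTIF
    rule allow ip from any to $DMZ_PRIV out xmit $DMZIF
    rule allow ip from $DMZ_PRIV to any in recv $DMZIF
    rule divert $dmzport ip from $DMZ_PRIV to any out xmit $EXTIF
    rule allow ip from $DMZ_PUB to any out xmit $EXTIF

    # 4. LAN <-> Internet (and the router itself) through $lanport.
    rule allow ip from $LAN to any in recv $LANIF
    rule divert $lanport ip from $LAN to any out xmit $EXTIF
    rule allow ip from $ROUTER_PUB to any out xmit $EXTIF
    rule divert $lanport ip from any to $ROUTER_PUB in recv $EXTIF
    rule allow ip from any to $LAN in recv $EXTIF
    rule allow ip from any to $LAN out xmit $LANIF

    rule deny log ip from any to any
}

ipfw_ruleset
```

Run as-is it only prints the 23 rules, which is a convenient way to review the ordering before touching a remote router; `APPLY=1 sh script.sh` loads them. The ordering matters: the hairpin divert rules (sections 1 and 2) sit before the general DMZ and LAN rules, so a LAN packet addressed to the DMZ public IP is translated before any "from $LAN to any" rule can pass it untouched.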
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4E84B447.7010509>