help with multiple-public-to-multiple-natd mappings/rules/logic?

OpenMacNews freebsd-ipfw.20.openmacews at spamgourmet.com
Wed Jun 2 13:11:00 PDT 2004


hi all,

[I tried doing all this via "fwbuilder" (www.fwbuilder.org) only to, unfortunately, find out that _it_ doesn't support ipfw + natd rule generation ... so back to "manual", and my questions below ...]

I've read through as many examples on the web as I could find, but none were exactly the config I'm attempting here.

As a result of trying to cobble together the examples I *did* find, I've gotten myself thoroughly confused about a couple of issues re: my "to be" ipfw firewall configuration ... specifically, since I have *multiple* EXTERNAL ip's that need to map THROUGH a single INTERNAL interface to *multiple* INTERNAL (NATd) ip's.

as far as a "policy" goes, my goal is:
    (1) outbound: ALLOW, then DENY, specifically blocking outbound services access, e.g. "chat", allowing STATEFUL rules
    (2) inbound: DENY, then ALLOW
    (3) process 'general' fw rules 1st (e.g., "pest rules" such as 'DENY from "timbuktu IP" to ANY')
    (4) provide specific, service-based mappings from external "public" IPs to various internal "private" IPs via NAT

to do this, however, I think I need
    (1) multiple NATd instances (one for each external IP)
    (2) some combination of DIVERT, SKIPTO and FORWARD rules to do all the necessary in/out mapping and firewall processing

which is where my confusion begins !! with ONE natd instance, and ONE external IP address, I've got everything pretty much working ... but the MULTIPLE-TO-MULTIPLE logic has got me "blindly trying stuff" ...

SOOOOOOOOOOO, any/all insights/comment, or pointers to existing examples -- or general _relevant_ logic, for that matter -- would be much appreciated!  in particular, the in/out rules for httpd, smtp & dns via these multiple interfaces are eluding me for now.

to help get started, here's my config:



        |
        |
[public internet]
        |
        |
[cable modem]
    2 fixed IP addresses:
        A.A.A.A
        A.A.A.B
    ISP's DNS servers:
        A.A.A.XX
        A.A.A.YY
    ISP's Gateway:
        A.A.A.GG
        |
        |
[firewall box, server 1]
    hw:
        2 NIC cards
            card 1 ("external"):
                multihomed
                    A.A.A.A
                    A.A.A.B
            card 2 ("internal"):
                    10.0.0.1
    sw:
        ipfw
        dhcp
        natd
        smtpd
            listens on mail1.domain.com
        |
        |
        |
        |
        |------------------ [server 2]
        |                       hw:
        |                           1 NIC card
        |                               multihomed
        |                                   10.0.0.2
        |                                   10.0.0.21
        |                       sw:
        |                           httpd, public access
        |                               listens on 10.0.0.2 for www.domain2.com
        |                               listens on 10.0.0.21 for www.domain21.com
        |
        |
        |------------------ [server 3]
        |                       hw:
        |                           1 NIC card
        |                               10.0.0.3
        |                       sw:
        |                           smtpd, public access
        |                               listens on mail3.domain.com
        |                           dns, public access
        |                               (a) provides primary DNS for multiple domains,
        |                                   zone transfers ONLY to named external secondaries
        |                               (b) serves as internal/LAN DNS for all machines
        |                                   on 10.0.0.x LAN
        |                               (c) forwards some requests to ISP's DNS @ A.A.A.XX &
        |                                   A.A.A.YY
        |
        |
        |------------------ [server 4]
        |                       hw:
        |                           1 NIC card
        |                               multihomed
        |                                   10.0.0.4
        |                                   10.0.0.41
        |                       sw:
        |                           httpd, public access
        |                               listens on 10.0.0.4 for www.domain4.com
        |                               listens on 10.0.0.41 for www.domain41.com
        |
        |
        |------------------ [workstation 5]
                                    1 NIC card
                                        10.0.0.5
                                sw:
                                    usual client apps ...


where, "public"/"external" IP allocations/assignments are:

    A.A.A.A --> reverse IP == domain.com
    A.A.A.B --> reverse IP == domain2.com

    mail1.domain.com --> A.A.A.B
    mail3.domain.com --> A.A.A.A

    www.domain2.com  --> A.A.A.A
    www.domain21.com --> A.A.A.B
    www.domain4.com  --> A.A.A.A
    www.domain41.com --> A.A.A.B


thanks!

richard


