any ipfw + nat gurus out there?

Tony Frank tfrank at optushome.com.au
Fri Jun 4 05:21:56 PDT 2004


Hi there,

On Wed, Jun 02, 2004 at 04:52:09PM -0700, OpenMacNews wrote:
> i've gotten no "bites" so far on my 1st "i'm SO confused!" email,  so I'll 
> try a narrower example/question ...

Up to now, I've been avoiding this due to my own time constraints.

> in the simple case of

Perhaps you are yet to realise this is perhaps not 'simple'? :)

> 
>          [public internet]
>                 |
>                 |
>          [ISP's gateway router]
>                external IP = R.R.R.R
>                 |
>                 |
>        ====FIREWALL============================
>             NIC card 1 ("exif"), multihomed
>                external IP = A.A.A.1
>                external IP = A.A.A.2
>                 |
>                 |
>            ipfw
>                natd1 on external IP A.A.A.1
>                natd2 on external IP A.A.A.2
>                 |
>                 |
>             NIC card 3, internal IP = 10.0.0.B
>        ===========================================
>                 |
>                 |
>                 |
>                 |
>                 |
>        =====WORKSTATION===========================
>             NIC card 1, internal IP = 10.0.0.C
>        ===========================================
> 
> using SSH as a service example, i'd like to:
> 
> 
>       allow a public internet address, IP = C.C.C.1, to ssh to WORKSTATION 
>       *only* via EXTERNAL ip = A.A.A.1
>       allow a public internet address, IP = C.C.C.2, to ssh to WORKSTATION 
>       *only* via EXTERNAL ip = A.A.A.2
>       allow ssh from WORKSTATION to ANY internal/external IP
>                primarily via A.A.A.1, except ssh traffic TO C.C.C.2 should 
>                be OUT via A.A.A.2
>       deny all other ssh traffic
> 

Ok, as a first cut on this without actually trying anything and reading your
work so far, I would do the following:

1. Get the workstation to anywhere case working using the aaa1 address.
Standard rc.firewall examples should get you going with regular natd.

2. Get the ccc1 to workstation working through aaa1.
NATD port forward is the obvious solution to me here.
To restrict this port-forward to the flow ccc1 to aaa1:22 use an ipfw rule
prior to the natd divert.

3. Get the ccc2 to workstation working through aaa2.
Again, NATD port-forward should do the trick.
Another ipfw rule to only permit ccc2 to aaa2:22 before natd should do it.

4. Get the workstation to ccc2 outbound using aaa2 going.
I'm not totally sure what you want here?
Do you just want workstation to support incoming from ccc2 via aaa2 or
do you want workstation to be able to initiate outbound to ccc2 using 
aaa2 address?
If the latter then you may need some special case divert rule specific
for this flow.

Does that help?

If you're still stuck, I can setup the scenario in my lab over the weekend.
If I don't get stuck on paid work anyways. :)

Regards,

Tony
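Tony's four steps, written out as one natd/ipfw script (an added example, not Tony's or OpenMacNews's configuration). The addresses are the thread's own placeholders; the interface names fxp0/fxp1, the divert ports 8668/8669 and the rule numbers are assumptions. `sh fw.sh preview` prints the commands, `sh fw.sh apply` runs them on a kernel built with IPFIREWALL and IPDIVERT.

```shell
#!/bin/sh
# Added example: two natd instances plus an ipfw rule set for the dual-address
# case in the thread.  Addresses are the thread's placeholders; interfaces,
# divert ports and rule numbers are assumptions.
set -u

# --- placeholders from the thread: replace with real values before use ---
AAA1="A.A.A.1"        # firewall external address 1
AAA2="A.A.A.2"        # firewall external address 2
CCC1="C.C.C.1"        # peer allowed in only via A.A.A.1
CCC2="C.C.C.2"        # peer allowed in only via A.A.A.2
WS="10.0.0.C"         # workstation internal address

# --- assumptions not stated in the thread ---
EXIF="fxp0"           # external interface ("exif" in the diagram)
INIF="fxp1"           # internal interface (NIC card 3 in the diagram)
NATD1_PORT=8668       # divert port for natd1 (A.A.A.1)
NATD2_PORT=8669       # divert port for natd2 (A.A.A.2)

# RUN=echo turns both functions into a dry run that only prints the commands.
RUN="${RUN:-}"

# Steps 2 and 3: one natd per external address, each port-forwarding
# tcp/22 on its alias address to the workstation.
start_natd() {
    $RUN /sbin/natd -p "$NATD1_PORT" -a "$AAA1" -redirect_port tcp "$WS:22" 22
    $RUN /sbin/natd -p "$NATD2_PORT" -a "$AAA2" -redirect_port tcp "$WS:22" 22
}

ipfw_rules() {
    fw="$RUN /sbin/ipfw"
    $fw -f flush

    # Before NAT the packet still carries the public address, so the
    # "only via A.A.A.1" / "only via A.A.A.2" checks live here (steps 2, 3).
    $fw add 100 deny tcp from not "$CCC1" to "$AAA1" 22 in via "$EXIF"
    $fw add 110 deny tcp from not "$CCC2" to "$AAA2" 22 in via "$EXIF"

    # Inbound: each public address is handed to its own natd.
    $fw add 200 divert "$NATD1_PORT" ip from any to "$AAA1" in via "$EXIF"
    $fw add 210 divert "$NATD2_PORT" ip from any to "$AAA2" in via "$EXIF"

    # Outbound, step 4: workstation <-> C.C.C.2 is translated by natd2 (source
    # becomes A.A.A.2).  No port on the rule, so it also carries the replies
    # to sessions natd2 created from inbound C.C.C.2 -> A.A.A.2:22.
    # Everything else goes through natd1; "not A.A.A.2" keeps packets that
    # natd2 just re-injected from being translated a second time.
    $fw add 300 divert "$NATD2_PORT" tcp from "$WS" to "$CCC2" out via "$EXIF"
    $fw add 310 divert "$NATD1_PORT" ip from not "$AAA2" to any out via "$EXIF"

    # After NAT: inbound packets now carry 10.0.0.C, outbound ones A.A.A.x.
    $fw add 400 allow tcp from any to any established
    $fw add 410 allow tcp from "$CCC1" to "$WS" 22 setup
    $fw add 420 allow tcp from "$CCC2" to "$WS" 22 setup
    $fw add 430 allow tcp from "$WS" to any 22 setup in via "$INIF"
    $fw add 440 allow tcp from "$AAA1" to any 22 setup out via "$EXIF"
    $fw add 450 allow tcp from "$AAA2" to "$CCC2" 22 setup out via "$EXIF"
    $fw add 500 deny tcp from any to any 22
    # the rest of the (non-ssh) policy follows here
}

case "${1:-}" in
    apply)   start_natd; ipfw_rules ;;
    preview) RUN=echo; start_natd; ipfw_rules ;;
esac
```

Two things to watch when adapting it: rules 100/110 must sit before the divert rules because they match on the public address, while rules 410-450 sit after them because they match on the translated one; and a packet re-enters the rule set right after the divert rule that handled it, which is why rule 310 excludes source A.A.A.2, otherwise natd2's output would be diverted again to natd1.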

