ipfw natd and carp for redundant server

Gabriele Cecchetti gabriele at sssup.it
Thu Aug 2 18:51:57 UTC 2007


Hi!

I had set up the following network:

                    |- ServerF2 (if_wan0: x.y.z.2)
Internet_Router|---|                               (if_carp0: x.y.z.6)
                |   |- ServerF3 (if_wan0: x.y.z.3)
                |
                |------ServerG (if_lan0: 10.30.3.x)

Servers F2 and F3 have a carp interface
configured for (high) availability,
with address x.y.z.6

Servers F2 and F3 have a web server which listens on port 80.

I need to reach some services of the internal server from the outside network 
(e.g. ssh, cvs, etc.)

What I have done in /etc/ipfw.rules:
(It is not a secure configuration! Just to test what I need!)
#
flush
#
# Setup loopback
#
add 100 pass all from any to any via lo0
add 200 deny all from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
#
# Allow important services through unmodified address and ports
#
add 900 allow tcp from any to any 80,443
#
# Divert
#
add 1100 divert natd ip4 from any to any via wan0
#
# Default: allow everything
#
add 65000 allow ip from any to any

and for /etc/natd.conf
#
interface wan0
same_ports
use_sockets
log
#
# Server G
#
redirect_port tcp 10.30.3.4:22 44022
redirect_port tcp 10.30.3.4:993 44993
redirect_port tcp 10.30.3.4:2401 2401
redirect_port tcp 10.30.3.4:9418 9418
######################################

With this configuration I can reach ServerG from the Internet only
if I use the address x.y.z.2 (or x.y.z.3, which is a clone of the .2 
machine).

I would like to reach ServerG with the address x.y.z.6, which is the 
common redundant address.

Any idea or suggestion?


More information about the freebsd-ipfw mailing list
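One way to bind the port forwards to the CARP address, as an added example that is not from the original post or from anyone on the thread: a sh script that generates a natd.conf and an ipfw rules file. The relevant natd(8) detail is that redirect_port takes an optional aliasIP in front of the alias port; when it is left out, natd uses the address of the interface named by "interface wan0" (x.y.z.2 or x.y.z.3), which is why the redirects in the post only answer on the per-host addresses. The script reuses the post's placeholders (x.y.z.6 for the CARP address, 10.30.3.4 for ServerG, wan0 for the WAN interface). The default-deny rule set, keying the inbound divert on the destination address rather than on "via wan0", the net.inet.ip.fw.one_pass=0 setting, and the assumption that ServerG is reached through a second interface rather than through wan0 are this example's own choices, not something the post establishes.

```shell
#!/bin/sh
# Added example, not from the original post: emit a natd.conf and an ipfw
# rules file that bind ServerG's port forwards to the CARP address.
# Placeholders reuse the post's: x.y.z.6 = CARP VIP, 10.30.3.4 = ServerG,
# wan0 = WAN interface. Everything else here is this example's assumption.

CARP_ADDR="x.y.z.6"
SERVER_G="10.30.3.4"
LAN_NET="10.30.3.0/24"
WAN_IF="wan0"
# external:internal TCP port pairs, as in the post's natd.conf
FORWARDS="44022:22 44993:993 2401:2401 9418:9418"

# natd(8) redirect_port syntax:
#   redirect_port proto targetIP:targetPORT [aliasIP:]aliasPORT
# With no aliasIP, natd uses the address of the interface given by
# "interface wan0" (x.y.z.2 on F2, x.y.z.3 on F3), so the forwards only
# answer on the per-host addresses. Naming the VIP as aliasIP makes the
# same redirect match on x.y.z.6 on whichever box is currently master.
gen_natd_conf() {
    printf 'interface %s\nsame_ports\nuse_sockets\nlog\n' "$WAN_IF"
    for pair in $FORWARDS; do
        ext=${pair%%:*}
        int=${pair##*:}
        printf 'redirect_port tcp %s:%s %s:%s\n' \
            "$SERVER_G" "$int" "$CARP_ADDR" "$ext"
    done
}

# Comma-separated list of the internal ports, for one ipfw rule
internal_ports() {
    list=""
    for pair in $FORWARDS; do
        list="${list:+$list,}${pair##*:}"
    done
    printf '%s' "$list"
}

# ipfw rules (fed to "ipfw /etc/ipfw.rules", as in the post). Differences
# from the post's set:
#  * the inbound divert is keyed on the destination address ("to me",
#    which includes the VIP) instead of "via wan0", so it does not matter
#    whether this kernel credits VIP traffic to wan0 or to carp0;
#  * filtering happens after natd, which needs net.inet.ip.fw.one_pass=0
#    in /etc/sysctl.conf (otherwise a diverted packet is accepted as soon
#    as natd reinjects it);
#  * the default is deny, and only the redirected ports reach ServerG.
gen_ipfw_rules() {
    ports=$(internal_ports)
    cat <<EOF
flush
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# web on F2/F3 on every local address (real ones and the VIP), before NAT
add 900 allow tcp from any to me 80,443 in
# NAT: inbound for any local address (VIP included), outbound via the WAN
add 1000 divert natd ip4 from not $LAN_NET to me in
add 1100 divert natd ip4 from any to any out via $WAN_IF
# post-NAT filter: only the redirected ports reach ServerG (this rule
# covers both passes through the box: in on the WAN, out towards the LAN)
add 2000 allow tcp from any to $SERVER_G $ports
# replies from the LAN, and anything this box itself originates
add 2100 allow ip from $LAN_NET to any
add 2200 allow tcp from any to any established
add 2300 allow ip from me to any out
# add UDP/ICMP (DNS, path MTU discovery) as needed; the rest is dropped
add 65000 deny ip from any to any
EOF
}

# Usage: sh gen_nat_carp.sh /etc   (writes natd.conf and ipfw.rules there)
if [ $# -eq 1 ]; then
    gen_natd_conf  > "$1/natd.conf"
    gen_ipfw_rules > "$1/ipfw.rules"
fi
```

The rule set is deliberately stateless (established/out rules rather than keep-state): with natd, a check-state match early in the list would let LAN replies leave before the divert rule rewrites their source back to the CARP address.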