ipfw - accessing DMZ from LAN

Marek Salwerowicz marek.salwerowicz at misal.pl
Thu Sep 29 21:23:29 UTC 2011


On 2011-09-29 21:57, Freddie Cash wrote:
>
>
> In generic terms, the packet flow is like this:
>
> <packet comes in on the lan interface>
> src:  lan private subnet     dest:  server public ip
>
> <packet gets NAT'd, then re-injected into the rules>
> src:  lan private subnet     dest:  server private ip
>
> <packet is routed/sent out the dmz interface>
> src:  lan private subnet     dest:  server private ip
>
> <packet is NAT'd, then re-injected into the rules>
> src:  lan public ip             dest:   server private ip
>
>
> Note how you change first the destination IP via NAT (on the LAN interface);
> then you change the source IP via NAT (on the DMZ interface).
OK, now I understand (I hope ;) ). My rules are:

ipfw add 150 divert $DMZHOST1PORT ip from $LAN1NET to $DMZHOST1PUB in recv $LAN1IF
ipfw add 155 allow ip from $LAN1NET to $DMZHOST1 in recv $LAN1IF

ipfw add 160 divert $LAN1PORT ip from $LAN1NET to $DMZHOST1 out xmit $DMZIF
ipfw add 165 allow ip from $MYPUBLICIP to $DMZHOST1 out xmit $DMZIF

ipfw add 170 divert $LAN1PORT ip from $DMZHOST1 to $MYPUBLICIP in recv $DMZIF
ipfw add 175 allow ip from $DMZHOST1 to $LAN1NET in recv $DMZIF

ipfw add 180 divert $DMZHOST1PORT ip from $DMZHOST1 to $LAN1NET out xmit $LAN1IF
ipfw add 185 allow ip from $DMZHOST1PUB to $LAN1NET out xmit $LAN1IF

Names are a little different but the idea is the same (MYPUBLICIP == 
LAN_PUBLIC_IP)

And it works. Thanks for the help :)


>
> There's no hard-and-fast rules on how you should order your rules (at least,
> none that I've found anywhere).
>
> I prefer to write them such that you have the most specific rules first, and
> the most generic ones last.
So e.g. the rules specifying traffic between the DMZ host and the LAN could 
come first, and then the rules for "generic" DMZ host traffic (allowing the 
DMZ host access to the Internet)?
So far I have done it like this (first DMZ-LAN, then DMZ), but I have a problem:

ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF

ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit $PUBLICIF
ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF

ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv $PUBLICIF
ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF

ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF

The DMZ host has access to the Internet (and is visible as the public IP 
dedicated to that host, so that's what I wanted), but when I connect from 
the Internet to the DMZ host (e.g. ssh), I see that the connection comes from 
itself (the DMZ host's public IP) instead of the real public IP address.
I think that I've over-NATed something.

Do you have any idea?

Regards,

-- 
Marek Salwerowicz
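As an added example (not from the thread, and not the poster's or FreeBSD's code), here is a small Python model of the ipfw divert / natd packet flow Freddie Cash described, applied to the second ruleset above. The addresses, interface names and natd configuration are assumptions: one natd instance on $DMZHOST1PORT started with -alias_address $DMZHOST1PUB and -redirect_address $DMZHOST1 $DMZHOST1PUB. The model also assumes natd's usual direction-dependent behaviour: for packets diverted in the inbound direction it rewrites a destination that matches a redirect entry, and for packets diverted in the outbound direction it rewrites the source (to the static entry if one exists, otherwise to the alias address, which is what natd does unless -unregistered_only is set). Under those assumptions the model reproduces the reported symptom: a packet whose destination was already translated at rule 220 is diverted a second time at rule 230, now in the outbound direction, so its remote source is aliased to the DMZ host's public IP. The same model with rule 230 removed delivers the packet with its original source, while the outbound DMZ-to-Internet path still shows the dedicated public IP.

```python
"""Model of ipfw divert + natd flow (added example; addresses are constructed)."""
from dataclasses import dataclass, replace

# Constructed values standing in for the thread's shell variables (assumptions).
DMZIF, PUBLICIF = "em1", "em2"
DMZHOST1 = "10.0.0.10"          # $DMZHOST1   (DMZ host, private)
DMZHOST1PUB = "203.0.113.10"    # $DMZHOST1PUB (public IP dedicated to it)
REMOTE = "198.51.100.7"         # an Internet client connecting to the DMZ host


@dataclass
class Packet:
    src: str
    dst: str
    iface: str
    direction: str  # "in" (recv iface) or "out" (xmit iface)


class Natd:
    """One natd instance: -alias_address plus static -redirect_address entries.
    Assumed behaviour: 'in' rewrites a redirected destination (public -> private),
    'out' rewrites the source (static entry if known, else the alias address)."""

    def __init__(self, alias, redirects):  # redirects: {public: private}
        self.alias = alias
        self.redirects = redirects
        self.private_to_public = {v: k for k, v in redirects.items()}

    def translate(self, pkt):
        if pkt.direction == "in":
            if pkt.dst in self.redirects:
                return replace(pkt, dst=self.redirects[pkt.dst])
            return pkt
        return replace(pkt, src=self.private_to_public.get(pkt.src, self.alias))


def _match(value, spec):
    return spec == "any" or value == spec


@dataclass
class Rule:
    number: int
    action: str      # "divert" or "allow"
    src: str         # address or "any"
    dst: str         # address or "any"
    direction: str   # "in" or "out"
    iface: str
    natd: Natd = None

    def matches(self, pkt):
        return (pkt.direction == self.direction and pkt.iface == self.iface
                and _match(pkt.src, self.src) and _match(pkt.dst, self.dst))


def run_rules(rules, pkt):
    """Walk the ruleset like ipfw: a divert translates the packet and re-injects
    it at the next rule; an allow returns the (possibly translated) packet;
    falling off the end means no rule accepted it."""
    for rule in rules:
        if rule.matches(pkt):
            if rule.action == "divert":
                pkt = rule.natd.translate(pkt)
            elif rule.action == "allow":
                return pkt
    return None


def forward(rules, pkt, out_iface):
    """Inbound pass on the receiving interface, then outbound pass on out_iface."""
    after_in = run_rules(rules, pkt)
    if after_in is None:
        return None
    return run_rules(rules, replace(after_in, iface=out_iface, direction="out"))


# The second ruleset from the message (rules 200-235), all using one natd.
natd_dmz = Natd(DMZHOST1PUB, {DMZHOST1PUB: DMZHOST1})
RULESET2 = [
    Rule(200, "divert", DMZHOST1, "any", "in", DMZIF, natd_dmz),
    Rule(205, "allow", DMZHOST1, "any", "in", DMZIF),
    Rule(210, "divert", DMZHOST1, "any", "out", PUBLICIF, natd_dmz),
    Rule(215, "allow", DMZHOST1PUB, "any", "out", PUBLICIF),
    Rule(220, "divert", "any", DMZHOST1PUB, "in", PUBLICIF, natd_dmz),
    Rule(225, "allow", "any", DMZHOST1, "in", PUBLICIF),
    Rule(230, "divert", "any", DMZHOST1, "out", DMZIF, natd_dmz),
    Rule(235, "allow", "any", DMZHOST1, "out", DMZIF),
]


def without_rule(rules, number):
    return [r for r in rules if r.number != number]


def inbound_source_seen_by_dmz_host(rules):
    """Source address the DMZ host sees for a connection from REMOTE."""
    result = forward(rules, Packet(REMOTE, DMZHOST1PUB, PUBLICIF, "in"), DMZIF)
    return None if result is None else result.src


def outbound_source_seen_by_internet(rules):
    """Source address the Internet sees for a connection from the DMZ host."""
    result = forward(rules, Packet(DMZHOST1, REMOTE, DMZIF, "in"), PUBLICIF)
    return None if result is None else result.src


if __name__ == "__main__":
    print("inbound, rules 200-235:", inbound_source_seen_by_dmz_host(RULESET2))
    print("inbound, without 230:  ", inbound_source_seen_by_dmz_host(without_rule(RULESET2, 230)))
    print("outbound, rules 200-235:", outbound_source_seen_by_internet(RULESET2))
```

Running the script prints the DMZ host's own public address for the inbound case with the full ruleset, the remote client's address once rule 230 is dropped, and the dedicated public address for the outbound case in both variants. The model only tracks addresses and rule order; it does not represent natd's dynamic translation table, ports, or the LAN-side rules 150-185, so it is a way to reason about where a packet is translated twice, not a substitute for watching the counters with ipfw show or tcpdump on each interface.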
