ipfw - accessing DMZ from LAN

Freddie Cash fjwcash at gmail.com
Fri Sep 30 15:44:18 UTC 2011


On Fri, Sep 30, 2011 at 7:57 AM, Marek Salwerowicz <marek_sal at wp.pl> wrote:

> On 2011-09-29 23:07, Marek Salwerowicz wrote:
>
>> So e.g. the rules specifying traffic between DMZ host and LAN could be the
>> first, and then rules for "generic" DMZ host traffic (allowing DMZ access to
>> the Internet)?
>> So far I made like this (first DMZ-LAN, then DMZ), but I have some
>> problem:
>>
>> ipfw add 200 divert $DMZHOST1PORT ip from $DMZHOST1 to any in recv $DMZIF
>> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>>
>> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit
>> $PUBLICIF
>> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>>
>> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv
>> $PUBLICIF
>> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>>
>> ipfw add 230 divert $DMZHOST1PORT ip from any to $DMZHOST1 out xmit $DMZIF
>> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>>
>> The DMZ host has access to Internet (and is visible as public IP dedicated
>> for that host, so it's what I wanted), but when I connect from the Internet
>> to DMZ host (eg. ssh), I see that the connection comes from itself (DMZ host
>> public IP), instead of real public IP address.
>> I think that I've overNATed something.
>>
> I've answered myself:
> <removed rule 200>
>
> ipfw add 205 allow ip from $DMZHOST1 to any in recv $DMZIF
>
> ipfw add 210 divert $DMZHOST1PORT ip from $DMZHOST1 to any out xmit
> $PUBLICIF
> ipfw add 215 allow ip from $DMZHOST1PUB to any out xmit $PUBLICIF
>
> ipfw add 220 divert $DMZHOST1PORT ip from any to $DMZHOST1PUB in recv
> $PUBLICIF
> ipfw add 225 allow ip from any to $DMZHOST1 in recv $PUBLICIF
>
> <removed rule 230>
>
> ipfw add 235 allow ip from any to $DMZHOST1 out xmit $DMZIF
>
> So I just removed rules responsible for NAT at $DMZIF and left only NAT at
> $PUBLICIF.
>
> But now there is the next problem: when I try to ping/ssh from the router to
> $DMZPUBLICIP, I connect to myself instead of the DMZ host.
>
I'm guessing the router is the FreeBSD box running IPFW?  If so, then
that's the correct behaviour, as the public IPs are physically assigned to
the interfaces on the router.  Thus, connecting to the public IPs from the
router ... will connect to the router.

You need to ping the private IPs from the router, since the router is
directly connected to the private networks.



-- 
Freddie Cash
fjwcash at gmail.com
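As an added illustration (not part of this thread), here is a small Python model of ipfw walking the posted rules with divert to natd, to show why the original rule set made inbound connections appear to come from the DMZ host's own public IP and why dropping rules 200 and 230 fixed it. It assumes one natd instance per DMZ host (the one on $DMZHOST1PORT) with alias address $DMZHOST1PUB; the addresses and interface names are constructed.

```python
# Added model (not from the thread) of ipfw's rule walk with divert/natd.
# Assumption: one natd instance per DMZ host with alias address
# $DMZHOST1PUB, so the "out" direction rewrites the source to $DMZHOST1PUB
# and the "in" direction maps that address back to $DMZHOST1.
# Addresses and interface names are constructed sample values.
DMZHOST1, DMZHOST1PUB = "10.0.1.10", "203.0.113.10"
DMZIF, PUBLICIF, INTERNET = "em1", "em0", "198.51.100.7"   # remote client

def natd(pkt, direction):
    """Simplified natd: incoming packets get their destination un-aliased,
    outgoing packets get their source aliased, whoever sent them."""
    src, dst = pkt
    if direction == "in":
        return (src, DMZHOST1) if dst == DMZHOST1PUB else pkt
    return (DMZHOST1PUB, dst)

def matches(rule, pkt, direction, iface):
    _, _, rsrc, rdst, rdir, rif = rule
    return (rsrc in ("any", pkt[0]) and rdst in ("any", pkt[1])
            and (rdir, rif) == (direction, iface))

def ipfw(rules, pkt, direction, iface):
    """Walk rules in order. A divert hands the packet to natd and, as the
    kernel does on reinjection, resumes at the rule after the divert."""
    for rule in rules:
        if matches(rule, pkt, direction, iface):
            if rule[1] == "divert":
                pkt = natd(pkt, direction)
            else:               # "allow" ends processing
                return pkt
    return None                 # no match: default deny

def inbound_to_dmz(rules):
    """Internet -> $DMZHOST1PUB: in on $PUBLICIF, then forwarded out $DMZIF.
    Returns the (src, dst) pair the DMZ host finally sees."""
    pkt = ipfw(rules, (INTERNET, DMZHOST1PUB), "in", PUBLICIF)
    return ipfw(rules, pkt, "out", DMZIF)

# (number, action, src, dst, direction, iface): the thread's original set
ORIGINAL = [
    (200, "divert", DMZHOST1, "any", "in", DMZIF),
    (205, "allow", DMZHOST1, "any", "in", DMZIF),
    (210, "divert", DMZHOST1, "any", "out", PUBLICIF),
    (215, "allow", DMZHOST1PUB, "any", "out", PUBLICIF),
    (220, "divert", "any", DMZHOST1PUB, "in", PUBLICIF),
    (225, "allow", "any", DMZHOST1, "in", PUBLICIF),
    (230, "divert", "any", DMZHOST1, "out", DMZIF),   # second NAT pass
    (235, "allow", "any", DMZHOST1, "out", DMZIF),
]
FIXED = [r for r in ORIGINAL if r[0] not in (200, 230)]   # the poster's fix
```

With ORIGINAL, rule 230 sends the already-translated packet through natd a second time in the "out" direction, so its source becomes $DMZHOST1PUB; with FIXED the DMZ host sees the real client address.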

