IPFW/NATD Transparent Proxy
mailist at whoweb.com
Sun Aug 8 15:42:17 PDT 2004
On Sunday 08 August 2004 04:38 pm, JJB wrote:
> A new rewrite of the FreeBSD handbook firewall section is currently
> being made ready for update to the handbook. You can get an
> in-process copy from www.a1poweruser.com/FBSD_firewall/
The firewall rewrite only deals with a single public nic and a single
internal nic and does not have the information I require.
> From what you posted, it looks like you want public internet users to
> access a web server on one of your LAN machines. Both ipfw and
> ipfilter do this normally with port redirect.
No, I want a user on 192.168.1.247 to be redirected to 192.168.2.250:80 when
they request 22.214.171.124:80, where 126.96.36.199 is a PUBLIC ip number on the FreeBSD
internet gateway. Again, the configuration is
de0 = PUBLIC IP = 188.8.131.52
de1 = 192.168.1.1
de2 = 192.168.2.1
I don't have a problem with incoming requests for 184.108.40.206:80 from the Internet
being redirected to 192.168.2.250. That works fine. But I want someone on
192.168.1.247 to ALSO be redirected to 192.168.2.250:80 when they request the
public address 220.127.116.11:80.
Put another way, I have a FreeBSD server acting as a Router/Firewall. It has
a public interface with an IP number of 18.104.22.168 and is assigned the DNS name
www.ishouldhaveusedipfilter.com. It also has a second NIC that supports a
private address space of 192.168.1.0/255.255.255.0 and a third NIC that
supports a private address space of 192.168.2.0/255.255.255.0
When someone from the Internet tries to reach www.ishouldhaveusedipfilter.com
they get redirected to 192.168.2.250 because I've included a redirect_port
rule for NATD. This works fine. But, users on all private networks (I have
two, but there could be 20) also need to be redirected to 192.168.2.250 when
they try to go to www.ishouldhaveusedipfilter.com. So the user sitting at
192.168.1.247 shouldn't have to worry about putting in the IP number of the
company web server, they should just be able to put in the company domain
name (www.ishouldhaveusedipfilter.com) and be redirected to 192.168.2.250
just like anyone coming from the outside.
> You need to post
> more info about your system config.
> Post the full contents of your rc.conf and firewall rules files.
My rc.conf file is properly configured and has no bearing on my question. My
gateway works fine from public to private IP space and private to public IP
space. I've tried so many combinations of rules and NATD options that I
wouldn't know what to post. What I need is someone who has completed a
similar configuration to send me their configuration (change the IP numbers
if you like). From what I can see, I don't believe this is possible with
stateful rules. Let me add that I've been successful with stateless rules,
but I'd like to use 100% stateful if possible.
> The limit you write about ipfilter is not true.
> -----Original Message-----
> From: owner-freebsd-questions at freebsd.org
> [mailto:owner-freebsd-questions at freebsd.org]On Behalf Of
> mailist at whoweb.com
> Sent: Sunday, August 08, 2004 2:11 PM
> To: freebsd-questions at freebsd.org
> Subject: IPFW/NATD Transparent Proxy
> Anyone up for a challenge?
> I've come to the conclusion that IPFW/NATD cannot support
> proxying with ONLY stateful rules. I'd like to hear from anyone who
> has been successful doing so in case I'm missing something.
> Configuration is:
> FreeBSD 5.2.1
> 3 - NICS (de0, de1, de2)
> de1 = Public IP = 22.214.171.124
> de2 = LAN1 = 192.168.1.0
> de3 = LAN2 = 192.168.2.0
> The challenge:
> 1) TCP request from 192.168.1.247 to 126.96.36.199:80
> 2) Redirect 188.8.131.52:80 to 192.168.2.250:80
> 3) Use stateful rules
> On another note, I read somewhere on the Internet that IPFILTER has
> a limitation in that it cannot redirect a public destination to a
> destination if the source machine is on the same subnet as the
> destination. In other words, the following supposedly will not
> 1) A tcp request from 192.168.1.247 to 184.108.40.206:80
> 2) Redirect 220.127.116.11:80 to 192.168.1.100:80
> Is this an accurate limitation of IPFILTER?
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to
> "freebsd-questions-unsubscribe at freebsd.org"
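Added example, not the poster's configuration and not taken from the handbook rewrite mentioned above: a dry-run ipfw/natd script showing one way to hairpin a LAN1 request for the public address to the internal web server while the rest of the ruleset stays stateful. The interface names and addresses are the ones given in the thread; the rule numbers, the skipto-plus-keep-state layout, the natd flags and the APPLY switch are assumptions for illustration.

```shell
#!/bin/sh
# Hairpin ("loopback") NAT with ipfw + natd for the setup in the thread:
# a LAN1 client asking for PUB_IP:80 is redirected to the internal web
# server, and the server's replies are rewritten so the client sees them
# coming from PUB_IP:80, exactly as an Internet client would.
# Addresses and NIC names are from the thread; rule numbers and layout are
# assumptions, not the poster's configuration.

PUB_IF=de0
LAN1_IF=de1
LAN2_IF=de2
PUB_IP=188.8.131.52      # gateway's public address (from the thread)
WEB=192.168.2.250        # internal web server (from the thread)
LAN1=192.168.1.0/24
LAN2=192.168.2.0/24

# Safety: rules are only printed unless APPLY=1 is set, so the script can be
# reviewed on any machine without flushing a live firewall.
ipfw() {
    if [ "${APPLY:-0}" = 1 ]; then
        command ipfw "$@"
    else
        printf 'ipfw %s\n' "$*"
    fi
}

# natd(8) flags for rc.conf (natd_flags="..."). A single redirect_port entry
# serves Internet and hairpinned LAN clients alike: natd keys the redirect on
# the destination address, not on the NIC the packet arrived on.
natd_flags() {
    printf -- '-interface %s -same_ports -redirect_port tcp %s:80 80\n' \
        "$PUB_IF" "$WEB"
}

hairpin_rules() {
    ipfw -f flush
    # 1. Untranslate inbound traffic before any state check: everything
    #    arriving on the public NIC, plus LAN1 requests for PUB_IP:80 (the
    #    hairpin request leg). Diverting the latter "in" makes natd treat it
    #    as inbound, so redirect_port rewrites the destination to WEB:80.
    ipfw add 100 divert natd ip from any to any in via "$PUB_IF"
    ipfw add 110 divert natd tcp from "$LAN1" to "$PUB_IP" 80 in via "$LAN1_IF"
    # 2. Dynamic rules carry the action of the rule that created them, so an
    #    established flow jumps straight to the output-side translation.
    ipfw add 200 check-state
    # 3. Flow openers. State is keyed on the untranslated (private) tuple.
    ipfw add 300 skipto 900 tcp from "$LAN1" to any setup keep-state
    ipfw add 301 skipto 900 tcp from "$LAN2" to any setup keep-state
    ipfw add 310 skipto 900 udp from "$LAN1" to any keep-state
    ipfw add 311 skipto 900 udp from "$LAN2" to any keep-state
    #    Inbound to the web server, already untranslated by 100 or 110.
    ipfw add 320 skipto 900 tcp from any to "$WEB" 80 setup keep-state
    ipfw add 800 deny log ip from any to any
    # 4. Output-side translation, reached only via skipto 900.
    ipfw add 900 divert natd ip from any to any out via "$PUB_IF"
    #    Hairpin reply leg: before the server's answer leaves via de1, natd
    #    (seeing it as outbound) rewrites WEB:80 back to PUB_IP:80.
    ipfw add 910 divert natd tcp from "$WEB" 80 to "$LAN1" out via "$LAN1_IF"
    ipfw add 999 allow ip from any to any
}

# No hairpin rule for LAN2 on purpose: a 192.168.2.x client and the web
# server share a subnet, so the server's replies go straight to the client
# without crossing the gateway and never get their source rewritten. That
# is the same-subnet case the thread asks about, and it is not specific to
# IPFILTER; any destination-only redirect has it unless the source is
# rewritten as well.

hairpin_rules
```

Running the script as-is prints the rule set for review; `APPLY=1 sh script.sh` loads it, with the natd flags from `natd_flags` placed in rc.conf. The trace to check before deploying: a LAN1 request hits rule 110, gets its destination rewritten, creates state at 300, and its reply is rewritten at 910 on the way out of de1, so the client's TCP stack sees PUB_IP:80 throughout. If the web server must not see internal source addresses, or if same-subnet clients matter, split DNS (answering www.ishouldhaveusedipfilter.com with 192.168.2.250 for internal resolvers) avoids the hairpin entirely.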