IPFW/NATD: Client behind firewall connecting to server behind firewall AS IF it were really EXTERNAL

C_Ahlers freebsd at code-space.com
Wed Apr 16 14:12:17 PDT 2003


Thank you.

I do understand what you are suggesting in principle, and I do
understand the syntax of ipfw forward rules.
However, I just am not sure exactly how to create the correct forward
rule. Would this be correct?:

ipfw add fwd a.a.a.15 all from b.b.b.0/24 to a.a.a.15

I forgot to describe earlier that gateway_enable="YES" is set. Does this have
any effect on the discussion?

(sorry if it seems that I have concrete between my ears)

C_ahlers



-----Original Message-----
From: Darren Pilgrim [mailto:dmp at pantherdragon.org] 
Sent: Tuesday, April 15, 2003 11:24 PM
To: chris.ahlers at mail-space.net
Cc: freebsd-ipfw at freebsd.org
Subject: Re: IPFW/NATD: Client behind firewall connecting to server
behind firewall AS IF it were really EXTERNAL


<chris.ahlers at mail-space.net> wrote:

[trimmed for relevance]

>firewall external IP = a.a.a.15  (internet ip address)
>firewall internal IP = b.b.b.254 (private ip address)
>
>NATD: alias_address = a.a.a.15
>NATD: redirect_port tcp b.b.b.100:80 80
>NATD: deny_incoming
>
>webserver internal IP = b.b.b.100
>example client pc IP = b.b.b.57
>client pc gateway IP = b.b.b.254 (firewall)
>
<...>
>However, INTERNAL hosts are unable to connect to my webserver via 
>a.a.a.15 (since this is not actually the webserver's address).
<...>
>Any suggestions?

Use an ipfw forward rule for the requests coming from the LAN.  Read
ipfw(8) for the appropriate syntax.

Explanation:

a.a.a.15 is a local address according to the firewall box, so it isn't
going to route anything destined for a.a.a.15 out an interface.  Since
natd is configured to only act upon packets crossing the external
interface, it never sees the LAN-sourced requests for a.a.a.15, thus the
redirection never takes place.



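As an added illustration (not code from either poster), the following Python model walks a packet through an ipfw rule set the way the reply above describes it: natd is diverted only on the external interface, so a LAN-sourced request for the public address never reaches natd and is delivered to the firewall itself, whereas a fwd rule evaluated on the internal interface intercepts it first. The addresses are stand-ins for the thread's placeholders (a.a.a.15 becomes 192.0.2.15, b.b.b.x becomes 192.168.1.x); the interface names fxp0/fxp1, the rule order and the choice of the web server as the fwd next hop are assumptions, not something the thread settles.

```python
"""Model of ipfw rule evaluation for a hairpin request to the firewall's
public address, with and without an ipfw fwd rule.

Added example for this thread, not code from the original posts.
Addresses are stand-ins for the thread's placeholders; interface names,
rule order and the fwd target are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

EXT_IF, INT_IF = "fxp0", "fxp1"               # assumed interface names
FW_PUBLIC, FW_INTERNAL = "192.0.2.15", "192.168.1.254"   # a.a.a.15, b.b.b.254
LAN = "192.168.1.0/24"                        # b.b.b.0/24
WEBSERVER, LAN_CLIENT = "192.168.1.100", "192.168.1.57"  # b.b.b.100, b.b.b.57
INTERNET_CLIENT = "203.0.113.7"               # constructed outside host
LOCAL_ADDRS = {FW_PUBLIC, FW_INTERNAL}        # addresses the firewall box owns


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    in_if: str                                # interface the packet arrived on


@dataclass
class Rule:
    action: str                               # "divert", "fwd" or "allow"
    proto: str = "ip"
    src: str = "any"
    dst: str = "any"
    dport: Optional[int] = None
    via: Optional[str] = None                 # "via <if>": must cross this interface
    arg: str = ""                             # divert port or fwd next hop


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if "/" in spec:
        return ip_address(addr) in ip_network(spec, strict=False)
    return addr == spec


def rule_matches(rule: Rule, pkt: Packet, iface: str) -> bool:
    """iface is the interface of this pass (the inbound interface here)."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.via is not None and rule.via != iface:
        return False
    return addr_matches(rule.src, pkt.src) and addr_matches(rule.dst, pkt.dst)


def natd(pkt: Packet) -> Packet:
    """natd with redirect_port tcp b.b.b.100:80 80, as configured in the thread."""
    if pkt.proto == "tcp" and pkt.dst == FW_PUBLIC and pkt.dport == 80:
        return Packet(pkt.proto, pkt.src, WEBSERVER, 80, pkt.in_if)
    return pkt


def firewall(pkt: Packet, rules: list) -> str:
    """Inbound pass over the rule set; returns where the packet ends up."""
    for rule in rules:
        if not rule_matches(rule, pkt, pkt.in_if):
            continue
        if rule.action == "fwd":
            # fwd changes only the next hop; the destination address stays.
            return f"fwd: next hop {rule.arg}, dst still {pkt.dst}"
        if rule.action == "divert":
            pkt = natd(pkt)                   # natd re-injects at the next rule
            continue
        if rule.action == "allow":
            break
    if pkt.dst in LOCAL_ADDRS:
        return f"delivered locally to {pkt.dst}"
    return f"routed to {pkt.dst}"


# Rule set as the thread describes it: natd only on the external interface.
RULES = [
    Rule("divert", via=EXT_IF, arg="8668"),
    Rule("allow"),
]

# Same rule set with an assumed fwd rule in front, matched on the LAN side.
RULES_WITH_FWD = [
    Rule("fwd", proto="tcp", src=LAN, dst=FW_PUBLIC, dport=80, via=INT_IF, arg=WEBSERVER),
] + RULES


def outside_request() -> Packet:
    return Packet("tcp", INTERNET_CLIENT, FW_PUBLIC, 80, EXT_IF)


def lan_request() -> Packet:
    return Packet("tcp", LAN_CLIENT, FW_PUBLIC, 80, INT_IF)


if __name__ == "__main__":
    for name, rules in (("without fwd", RULES), ("with fwd", RULES_WITH_FWD)):
        print(name, "/ outside client:", firewall(outside_request(), rules))
        print(name, "/ LAN client:    ", firewall(lan_request(), rules))
```

The model makes the caveat visible in its output: ipfw(8) documents fwd as changing the next hop of a matching packet, not its destination address, so the packet reaches the web server still addressed to the public IP, and that host has to be willing to accept it. When testing a real rule set, `ipfw -a list` shows per-rule packet counters, which tells you whether LAN-sourced requests are hitting the fwd rule or falling through to local delivery.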