IPFW/NATD: Client behind firewall connecting to server behind
firewall AS IF it were really EXTERNAL
C_Ahlers
freebsd at code-space.com
Wed Apr 16 16:36:22 PDT 2003
Am i missing something?
if do:
{...)
ipfw add divert natd all from any to any via $oif
ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif
(...)
And say, client b.b.b.57 attempts to connect to a.a.a.15:80 - the
forward rule will send out AS IS to b.b.b.100:80 on the internal
interface
1) No NAT will occur because NAT is setup only on external interface
2) The packet's dest ipaddr is not changed: it is still a.a.a.15, and
will not be routed to anything on b.b.b.0/24
Do I need to NAT on $iif as well?
Or do I:
ipfw add fwd a.a.a.15,80 tcp from b.b.b.0/24 to a.a.a.15 in via $iif ?
Not trying to argue, just trying get the bottom of this...
Respectfully,
C_Ahlers
-----Original Message-----
From: Darren Pilgrim [mailto:dmp at pantherdragon.org]
Sent: Wednesday, April 16, 2003 2:41 PM
To: freebsd at code-space.com
Cc: freebsd-ipfw at freebsd.org
Subject: Re: IPFW/NATD: Client behind firewall connecting to server
behind firewall AS IF it were really EXTERNAL
"C_Ahlers" <freebsd at code-space.com> wrote:
>I do understand what your are suggesting in principal, and I do
>understand the syntax of ipfw forward rules. However, I just am not
>sure exactly how to create the correct forward rule. Would this be
>correct?:
>
>ipfw add fwd a.a.a.15 all from b.b.b.0/24 to a.a.a.15
The ipaddr immediately after "fwd" is the ip address you want the
packets forwarded to. The scope of that rule is dangerous, IMO. It
could interfere with natd since it will also match on the external
interface. A better rule is one made very specific:
ipfw add fwd b.b.b.100,80 tcp from b.b.b.0/24 to a.a.a.15 80 in via $iif
Where iff is replaced with the name of your internal interface.
>I forgot to describe earlier that: gateway_enable="YES" , Does this
>have any effect on the discussion?
No, the gateway_enable option just tells the system to function as a
router for arriving packets destined for non-local addresses.
>(sorry if it seems that I have concrete between my ears)
What happens inside firewalls isn't always obvious or simple.
>From: Darren Pilgrim [mailto:dmp at pantherdragon.org]
><chris.ahlers at mail-space.net> wrote:
>
>[trimmed for relevance]
>
>>firewall external IP = a.a.a.15 (internet ip address) firewall
>>internal IP = b.b.b.254 (private ip address)
>>
>>NATD: alias_address = a.a.a.15
>>NATD: redirect_port tcp b.b.b.100:80 80
>>NATD: deny_incoming
>>
>>webserver internal IP = b.b.b.100
>>example client pc IP = b.b.b.57
>>client pc gateway IP = b.b.b.254 (firewall)
>>
><...>
>>However, INTERNAL hosts are unable to connect to my webserver via
>>a.a.a.15 (since this is not actually the webserver's address).
><...>
>>Any suggestions?
>
>Use an ipfw forward rule for the requests coming from the LAN. Read
>ipfw(8) for the appropriate syntax.
>
>Explanation:
>
>a.a.a.15 is a local address according to the firewall box, so it isn't
>going to route anything destined for a.a.a.15 out an interface. Since
>natd is configured to only act upon packets crossing the external
>interface, it never sees the LAN-sourced requests for a.a.a.15, thus
>the redirection never takes place.
>
More information about the freebsd-ipfw
mailing list